When Being Scrappy Backfires

Moving fast is all well and good, but not when it comes at the cost of security, which could put your business's long-term future at risk.
May 15, 2020

Startup founders often over-glorify scrappiness and doing things that aren't scalable for the initial part of their company's lifecycle. In the beginning, this bodes well in areas like:

  • Fostering 1:1 strong customer relationships
  • Interviewing every single candidate before they're hired to evaluate culture fit
  • Launching products early to get customer feedback and tackle bugs

However, this idea of scrappiness breaks down in areas like the handling and sharing of your company's sensitive data, such as API keys and database URLs. Here's why:

  • Good security isn't a patch. It should be at the core of company culture, which then gets baked into your products. Whether you're an independent developer or part of a company with teams of engineers, the risk of a breach/leak is always present and only increases with the number of engineers involved.
  • Experimenting with an unscalable manual approach is a time-consuming and risky endeavour, which leads to shortcuts and error-prone tendencies.
  • Automating this workflow only has positives for the lifespan of the company. (In comparison, automating sales and product feedback pipelines very early on doesn't have the same positive outcome.)

Here are 5 big no-no's when being scrappy:

  1. Don't try to build your own robust secrets manager unless no third-party service is able or willing to fulfill your urgent needs. Building in-house almost always takes longer than expected and is expensive to maintain.
  2. Don't write a bash script as a quick-fix solution; it will constantly break under unknown edge cases and as your company scales. Homebrewed solutions are built for the now, making them brittle for future needs.
  3. Don't host on-premises security solutions, which will leave you taking on unnecessary liability. On-premises pricing also tends to be very steep.
  4. Don't share your secrets over email, Slack, Google Docs, WhatsApp, or commit them to git.
  5. Don't use .env files; they're one of the easiest ways to increase the number of daily headaches in your company.

But hey, we get that sometimes being scrappy isn't an option. So if you are going to be scrappy, do it right. Use a secrets manager and get all the benefits without any of the risks or headaches. If you liked this article and our views on security and developer productivity, try out Doppler for free.