The False Economy of Homegrown Secrets Managers

Startup engineering resources are always stretched thin. They are also typically the largest cost center for a startup so it's important an engineer's time is allocated to high-impact tasks.

On average, developers are paid around $70 an hour. This is a rough number that varies by seniority, hourly/salaried role, and region, but the fact of the matter is: developers are expensive. With this in mind, let's better understand if building an in-house secrets manager service is right for your startup.

‍

Building an in-house service would require a minimum of 3-4 engineers for 2-3 months. The caveat is that it is NOT a one-and-done solution. Most startups hire in lockstep, parallel to their growth and fundraising rounds, where each round raises the volume of hires compared to the last. This means your in-house service will likely require a rebuild as your company and codebases mature.

Aside from pure engineering costs, it's important to recognize the liability and coverage of a data breach will grow as your team and company does. This will create rising costs for obtaining/upholding security compliance standards.

Pricing conservatively, it will cost $30,000+ each month at the minimum, assuming the following:

• 3-4 of your engineers are working full-time on building and maintaining the internal tool
• A breach never happens in the lifetime of the company (unlikely)
• The complexity of the product grows with scale and so does the number of engineers working on the service in-house
• Your company isn't in the healthcare or fintech space (which usually requires even higher security standards and has no room for error)

The alternatives to not building in-house are:

Having each engineer be responsible for their own secrets often results in having .env files with plain-text secrets in your codebase.

‍Pros:

• Quickest approach in the moment

Cons:

• Very error-prone

• Major security vulnerability (24% of data breaches caused by human error)

• Not scalable: Costly engineering hours spent on keeping dev environments in sync, on-boarding and off-boarding engineers

• Lack of organizational visibility ‍

Services like Doppler are plug-and-play solution for your company's needs.

Pros:

• Out of the box solution with easy set up

• Magnitudes cheaper than building in-house solution

• Liability removed from your responsibilities

• Security and compliance built in

• Scalable and constantly improved product offerings

• Support engineers with fast SLAs on staff

Cons:

• Slight learning curve to get started

Many companies have regretted not building security into their products from day one. You may be far past your first day, but it is never too early to start saving hours of time by cutting bad habits (manual approach) from your practices. By spending a few minutes now to set up, it will alleviate concerns around security, compliance, and management of environments across your continuously growing company. We're here to help, please reach out to us if you have any questions or ideas!