Secrets management, or the use of tools to access and create digital authentication credentials, was growing in adoption pre-pandemic. But as the health crises forced businesses to move online, secrets management became an indispensable part of operations. According to a 2021 1Password survey, 65% of companies now have over 500 secrets while 18% have more than they can count.
Managing secrets tends to be a tedious and high-cost endeavor, however, with DevOps and IT workers responding to the 1Password survey saying that they spend an average of 25 minutes each day managing secrets at an annual payroll expense of roughly $8.5 billion. The search for solutions to the challenge has given rise to startups like Doppler, which offers a service that developers can use to manage and secure secrets — specifically app secrets — “at scale” in enterprise environments. Doppler today announced that it raised $20 million in Series A financing to further develop its secret-syncing capabilities.
“Existing secrets management tools are designed by security engineers, for security engineers … these tools are cumbersome to use and lack focus on the developer experience,” cofounder and CEO Brian Vallelunga told TC via email. “After substantial research, [I started] working on a ‘SecretsOps’ platform designed for developers and their teams [that became Doppler.”
Doppler is Vallelunga’s fifth venture after Laborate (a classroom collaboration app), Juicy (an “anonymous” social network), Burl Apps (a mobile app incubator) and Miza (an ad platform that bypasses ad blockers). He also did a stint as a software engineer at Uber, where he worked on the app safety team.
Thomas Piccirello, Doppler’s other cofounder, was previously a software engineer at BlackRock and founded a cloud-based insurance claims management startup (AI Insurance). Vallelunga and Piccirello met after Doppler joined Y Combinator’s W19 cohort.
“The ability to securely store, transmit and audit secrets has never been more critical as one minor error can lead to catastrophic results,” CRV general partner Murat Bicer, a Doppler investor, said in a statement. “In a world where putting a single space in the wrong place can literally take down a company’s entire website, Doppler makes it easy to prevent leaks and outages with their developer focused approach.”
“Secrets” in the context of app development refers to anything about an app that a developer wants to keep secret. This could include passwords and credentials, but also things like API keys and digital certificates.
Doppler’s platform serves as an encrypted source of truth, allowing teams to organize their app secrets across projects and environment and roll back changes where necessary. Users can create references to frequently-used secrets in Doppler and get alerts via Slack and Microsoft Teams when things change.
Doppler’s command-line interface knows which secrets to fetch based on the project directory. And it automates secret syncing, requiring developers to update secrets only once.
The benefits of secrets management are clear. According to a 2019 report commissioned by ThycoticCentrify — which, it should be noted, is a secrets management software vendor — 57% of respondents said they’d experienced a security incident related to exposed secrets from insecure DevOps processes. 1Password pegs the cost of a company losing control of its secrets at $1.2 million in revenue per year.
Judging by the early traction, companies are indeed seeing the value in products like Doppler’s. Vallelunga says that Doppler has 16,000 organizations as customers including Puma, Hopin, Toast and OnDeck and is serving more than 1.5 billion secrets every month.
Of course, Doppler isn’t alone in competing for enterprises’ dollars to manage secrets. Vallelunga sees HashiCorp Vault as Doppler’s closest rival, but there’s also AWS Secrets Manager, the aforementioned 1Password and Google Cloud’s Secret Manager, among others.
Grand View Research predicts that the password management market alone will be worth up to $2.05 billion by 2025.
As in any industry, expanding the addressable market for secrets management will require convincing holdouts to embrace new software and technologies. One source, Ekran systems, a threat monitoring software vendor, estimates that only 10% of organizations were using secrets management solutions as of 2019.
Vallelunga’s strategy is to invest heavily — and simultaneously — in engineering and product development. Doppler will more than double its workforce from 22 to 50 by the end of the year and launch new features including a “pull request” flow for secrets, he says. Other additions will include “secrets rotation” and “dynamic secrets” to, in Vallelunga’s words, “give organizations a way to move off of long-lived static secrets.” As the names imply, a dynamic secret is generated on-demand while a static secret is defined ahead of time.
“[These capabilities] will give developers and their teams they tools they need to review critical changes to their secrets at scale,” Vallelunga continued.
CRV led Doppler’s Series A with participation from GV, Sequoia Capital and Y Combinator as well as angels including GitHub CEO Thomas Dohmke, Datadog CEO Olivier Pomel, Twilio founder Evan Cooke and Postman CEO Ankit Sobti. The startup has raised $28.8 million in capital to date,