Deploy My Startup
There is a real opportunity here to make DevSecOps best practices an easy opt-in for SaaS founders.
Heroku pioneered the one click deploy button:
Let's go a step further, let me click a button, and deploy everything I need for a startup.
An entrepreneur can use many tools to replace large portions of non-differentiating activities. Here are a few categories and examples of companies in each area.
Each of the above categories has many other options, and there are other categories that I have not listed here.
As we build each of these business areas out, we are not subject matter experts in any of them.
With the push for DevSecOps and Shift Left, I would like to see someone build a one click deployment of everything I need from day one. Google, Microsoft, or AWS with a partner like Vendr / Rackspace are best positioned to deploy this.
I envision it working a little bit like so (example uses Google service names, but you can swap out the same thing with Microsoft, or AWS + third party tools):
- I sign up with Google Apps for my new company
- As part of onboarding they buy the domain for me
- Google Analytics, Google Search Console, Google Tag Manager accounts are set up for the domain
- DNS records for previous services are auto populated, MX, DMARC, DKIM, SPF, etc are all set up
- A GCP Project is auto-generated based on one of many common long term supportable templates. The goal here isn’t to push companies into maximizing spend on GCP like some best practice Cloud Formation Templates will do. The goal is to show people how to do the right thing and in a compliant manner from day one. Google can try and push their specific products like Cloud SQL for PostgreSQL instead of a bare compute node running PostgreSQL, but should avoid pushing for specific lock in tooling like BigQuery. The idea here is to be a comfortable springboard, not a trap that users don’t want to step into. It would be easy to make a reputation management mistake here.
- IAM is auto generated and tied back to Google Apps Groups so that I can manage everything from one place.
- Deploy Zero-trust architecture as the baseline.
- Provision tooling for automated secrets management tooling and pre-integrated with Google Apps. This includes a Google specific tool kind of like what Cloudflare Access does to get rid of SSH keys
- A “VPN” application is available from within Google Apps for any employee to download, auth, and inherit the config from the previous steps. Think of something like Tailscale. Why do you need this is you're doing zero trust? You will drift away from zero trust to meet business goals and this deployment needs to accept those realities.
- Some kind of bundled and managed password manager. I guess for Google this would be the one built into Chrome, but it needs to be better at auto generating passwords per site.
- A code repo is set up on some service that Google partners with since they killed off Google Code.
- CI/CD is set up within the previous GCP project template, again based on best practices. This isn’t perfect, but it helps to start things off on the right foot. They could even bundle as many of the items from the Open Source Security Score Card to be out of the box for projects.
- Automated monitoring and alerting is set up for the templated project. This doesn’t solve the challenge of monitoring and alerting. It provides a set of baseline metrics that developers can use to understand how to configure things.
- This is all hooked up to automatically create new environments on PR for automated and manual QA.
- I can opt-in to auto-deploying a set of open source tools that will provide core services. The catalog consists of only projects which Google can automatically keep updated for me. When it makes sense, analytics are auto configured so when you deploy Ghost, Google Analytics comes pre-set up. Think of this like a more curated Bitnami with ongoing maintenance. Another alternative here may be to partner with a company like GitLab to offer a bunch of items pre-set up and integrated. A few examples of tools like this would be:
- Ghost for a website/blog
- SonarQube for code analysis
- GitBook for docs
- Cachet as a status page (in another region, and integrated into core monitoring)
- Google core services and the open source tools are all auto configured to use Google for SAML sso and 2FA is always enabled.
- Google Authenticator has some kind of sync functionality built into it like Authy.
- Google partners with a company like Vendr. Companies on this plan can say: "I want to add SaaS tools like Quickbooks and Gusto to this. Please get me the best price you can on them. Then have them auto deployed with SSO and user delegation from the main Google Apps account."
As a founder, when I look at the list above, the first thing I think is:
“I appreciate the help. But it sounds like you spun up $1,000+ in monthly burn rate for stuff that doesn’t move the needle for me today. It helps me in the future, IF I succeed in getting there.”
This is where there needs to be a business decision from Google / Microsoft to become a platform for startups. Rather than using VC programs as the sole proxy for companies worthy of investment, allow customers who opt into this to claim the same startup credits which empowers startups to build “right” from day one.
Companies like Atlassian are trying to solve this to some degree with their Open DevOps initiative. But in practice, this is more of a co-marketing activity between large vendors.
There is a real opportunity here for one of the big players to make DevSecOps best practices an easy opt-in for SaaS founders. Fingers crossed, one of them sees the value in it, and I don’t have to do this by hand in the future.
Take a moment to follow me at https://twitter.com/NothingEasySite and https://twitter.com/borisberenberg and subscribe below ⬇️