

Discover more from Hacking SaaS
Hacking SaaS #3 - Getting to Know Us
In which we share a bit about ourselves, platform engineering, security and multi-tenancy
We are the “SaaS Developer Community” and we share links and news that are relevant for SaaS Developers. But I’m wondering… are you all SaaS developers? And if so, what kind of SaaS are you developing?
Lets find out if we have a good community-newsletter fit! The usual newsletter content will arrive after these 3 quick questions:
Thanks! Back to our usual SaaS Developer News:
Platform Engineering in 2022:
In many companies, SaaS developers are building platforms that other engineers in the company integrate with. Ambassador published a summary of a panel discussion about platform engineering in 2022 with many great gems and insights:
Golden paths … are great, as "standardization forms the lowest common tech denominators, clearing the way for individual freedom where needed. We cannot get too hung up on the idea of not getting locked in... Instead, focus on the standardizations that reduce complexity and help developers move faster."
"Standardization is how to gain economies of scale and scope, helping organizations reap many benefits."
SaaS Security
Over on the SaaS Developer Slack, Yassin asked “What do you folks recommend for reviewing security practices and pen-testing your SaaS?”. Founders and engineering leaders from 10 different companies chimed in with their best practices and favorite tools. Bridgecrew, jit.io, levo.io, sysdig and GCP security command center were all mentioned favorably.
The best high level advice probably came from Buchi Reddy (CEO of levo.io):
I think it depends a lot on the domain, size of the business, etc but if you're referring to specifically "taking care of SaaS product/app security", here is what we have seen & heard from 100+ customer conversations:
Pentesting from external orgs -- episodic, costly and often not really effective. VAPT reports are used to show to your customers and close deals though.
Building an in-house product/app security team
Red/blue/purple team building
Bug bounty programs
Using companies like HackerOne or Synack
Some companies employ multiple strategies from the above list. Happy to answer if you have any follow up questions and share knowledge.
The conversation that followed was a fascinating debate on whether pen testing is more effective than bug bounty programs or vice versa, and how frequently should pen testing be repeated.
Managing External Secrets in Kubernetes
InfoQ published a great in-depth article on how (and why) to use the operator pattern to use external secrets in Kubernetes. Definitely worth reading - most organizations outgrow K8s native secret management rather quickly and this article includes everything you need to take secret management to the next level.
Kubernetes doesn’t yet have the capabilities to manage the lifecycle of secrets, so sometimes we need external systems to manage this sensitive information. Once the amount of secret information we need to manage increases, we may need additional tools to simplify and better manage the process. In this article we’ll take a detailed look at one of these tools, External Secrets Operator.
And on a related note: if you are still debating whether Kubernetes is for you, you should read this diary of a skeptic who (kinda) learned to love K8s.
Is anything wrong with Airflow?
I’m a fan of Airflow, if only because anything else I tried was worse. But this blog by someone who really doesn’t like Airflow was interesting, because he raises real issues in data engineering. Incidentally, it also does a pretty good job in demonstrating the value of a control plane - in this case, Astronomer.
Astronomer is to Airflow as Snowflake is to the database. It’s a management system, and it shows us what the future of data engineering really looks like:
A top-level “control plane” that allows you to spin up an Airflow deployment in its own Kubernetes environment
Each Airflow deployment has health metrics visible..
Astronomer integrates at the organization level with identity management systems
The control plane can ingest metadata from across workspaces via a separate service
Developer efficiency tools, like integrated Github actions, secrets management, and simple dev/stage/prod promotion workflows
Astronomer’s value proposition lies not in the individual deployments, but in the control plane.
I couldn’t write a better definition of control plane if I tried.
Which brings us to…
New in SaaS Developer YouTube
Ram goes over how control planes are everywhere in the real world, the history of control planes in technology from software defined networking to container orchestration and finally explains what is a SaaS control plane and when you need one. We even have a walkthrough of Confluent Cloud!
Thats all for this week, if you enjoyed this, don’t forget to subscribe to this newsletter and join the Slack community!