With Elon on SNL and SpaceX accepting Doge next year, it feels like we may have reached a peak and a trough at the same time. Speaking of troughs, public COSS companies have been hard hit over the past eight weeks with each of our index components falling to yearly lows. However, appetite for private companies continues to be strong with 9 companies raising new rounds (over $300mm in total) over the last couple weeks (including our friends at OSS Capital who co-led an investment in Rome Tools).
This week, we spent time with Brian Vallelunga, the CEO and Founder of Doppler, a universal secrets manager that increases security and helps developers become more productive.
Private Markets
Sysdig, creators of the Linux system exploration and troubleshooting tool of the same name, announced their $188M Series D led by Premji Invest & Associates and Third Point Ventures.
Timescale, creators of a popular distributed time-series SQL database built on top of Postgres, announced their $40M Series B led by Redpoint.
StarTree, the company behind Apache Pinot, a distributed OLAP store, announced their $24M Series A led by Bain Capital and GGV Capital.
Botpress, creators of a popular chatbot development platform, announced their $15M Series A led by Decibel.
n8n, creators of the source available workflow automation tool / Zapier competitor, announced their $12M Series A led by Felicis.
HiveMQ, creators of open source and enterprise tools focused on commercializing the MQTT messaging protocol, announced their $11.3M "Seed" round led by Earlybird and Senovo.
Portainer, creators of the popular open source container management tool, announced their $6M Series A led by BVP.
CrowdSec, makers of intrusion prevention software positioned as a replacement for Fail2Ban, announced their $5M Seed led by Breega.
Rome Tools, creators of Rome, a linter, compiler, bundler, and more for JavaScript, TypeScript, JSON, HTML, Markdown, and CSS, designed to replace Babel, ESLint, webpack, Prettier, Jest, and others, announced their $4.5M Seed co-led by A Capital and OSS Capital (!!!).
Public Markets
To track the performance of COSS companies, we’ve created an equal-weighted index composed of public names including: MongoDB, Elastic, Talend, Cloudera, Rapid7, Fastly and JFrog.
For the first time all year, the COSS Index dipped below benchmarks:
COSS Index +36%
NASDAQ +50%
S&P 500 +44%
The two-week decline sent the three year performance below the benchmarks as well:
COSS Index +48%
NASDAQ +87%
S&P 500 +57%
COSS companies traded down over the last two weeks and continued to underperform their Emerging Cloud peers, continuing a trend we’ve seen for eight weeks running. All three indices still trade significantly above their five-year average (but the gap is closing).
COSS Index: Current Multiple 11.1x | Five-Year Mean: 7.1x
Emerging Cloud Index: Current Multiple 12.3x | Five-Year Mean: 8.8x
NASDAQ Composite: Current Multiple 4.3x | Five-Year Mean: 3.0x
This week we have an exciting interview with Brian Vallelunga, CEO & Founder of Doppler. Doppler is a universal secrets manager dedicated to giving developers and security professionals a solution for the ever-growing complexity of managing configuration variables and secrets. Brian started Doppler in 2018, after some time at Uber in engineering roles. While Doppler is not an open source company itself, it uses open source as part of its solution and is contributing components of its product back over time.
Open Source Software newsletter: Tell us what Doppler is, in your own words.
Brian Vallelunga: Doppler is a universal secrets manager. So we help developers store and manage their app configuration and secrets, things like API keys, databases, certificates, and feature flags. You can generally think about it as like the GitHub for secrets. It's your one-stop shop, your central hub or source of truth, where you can manage everything in one place, and it has a bunch of cool things like you'd expect out of a product like this, but for secrets, like versioning and access controls. It also has tons of automation where if you add a secret, all your developers immediately get it, and then things in staging and production with our integrations with AWS, GCP, and others.
OSS: What got you started thinking about building a product and a company like this? Were you doing something prior to the company that got you rolling in this direction?
Brian: It started when I was at Uber. I've always been obsessed with just doing like side projects. I was working on a crypto machine learning marketplace - just all the buzzwords in one. And that was very much like pushing a boulder up a hill. And I started looking at all the problems that we faced while running it, and managing environment variables and secrets kept popping up again and again. And that was this moment like “Oh, this is really interesting, am I doing something wrong or is everyone struggling with this?” So I went back and asked about 50 founder friends at this dinner, like in one go, and about half of them said that they had the problems I mentioned as well. One woman, in particular, came running up to us, like “I've had three outages this week, I need to have a solution by Sunday”. So we learned quickly that people are struggling with this problem when we looked across the board. Everywhere from individual developers to very large companies, they were all struggling as well.
OSS: On your site, when I look at how you portrayed your product you talk a lot about automation, collaboration, productivity, and managing access. Is there a particular segment of what I just laid out in the way you describe it that's really been the hardest to solve from a product perspective?
Brian: Um, there are a lot of hard problems in what we do. For one, I like to draw inspiration from Apple. Steve Jobs portrayed it best: when you look at a Mac, you want it to do everything and support everything, and the fact is that behind the scenes there is a striking amount of complexity and hard problems that were solved that they have made into a seamless and easy to use product.
The hardest part for us has been rebuilding the product five times to get one nuance right, and that detail is finding the right balance of having something developers actually gain from in a productivity capacity and something that ideally makes their work even more secure. That was really tough.
And a lot of our first guesses were wrong, and I think this is just a testament to like every developer, everyone building developer tools knows that you get it wrong the first few times. And that is okay. We found that out when we were building integrations into different languages - it takes a lot of work and we could not do it all. So we built a CLI instead, but then we had a lot of other dependencies for different languages. So we realized let’s move to a binary instead to solve this problem in a unique way. From there we ended up in a really great place with really great user experience, because now you run Doppler, you just sign in how you would with Facebook or Google, very simple.
OSS: Sounds like your product itself can introduce a lot of complexity as well?
Brian: So I think one of the things just to touch on real quick, one big important design decision we made is, Doppler is touching a lot of API keys. We don't want our users to be touching Doppler’s API keys. For the most part we can get away with that, except in some cases with service tokens, where you just can't get around that, but for the most part, when you're logging into the CLI you have the token generated for you, but you don't ever have to copy and paste that into your terminal. Docker just does it for you, and because of that it is stored so much more securely. Same with our integrations, you’re just connecting and you're done, and there's no API key that you have to put into AWS.
OSS: So no sharing these details over Slack or other communication systems which people use to move faster, but inherently create potential security issues or misuse issues?
Brian: Exactly.
OSS: How does Doppler leverage open source, and what components of your product are open source?
Brian: We draw inspiration and gain a lot of value out of open source in different ways. And I hope we share open-source value back. The first is the Doppler CLI is open source, and I think that's brought a ton of interesting feedback and feature requests that we never thought possible. It's also great when people do their own security audits on that package that's so widely used and come back with great feedback.
OSS: Talk a little bit about the mega trend hitting us in 2021 about software development and open source security?
Brian: I think it's mainly because there's like this shift left movement related to security. I feel like a lot of times, in a weird way, security is like this lagging thing where there's far other sexier things out there; even Twilio, messaging, seems to be more sexy than security. And so there's all these tools that are out there that would basically enable entire departments, Twilio with communications, or banking with Plaid, and so on, and all these tools, which were originally designed to help companies move very fast, inadvertently shifted the responsibility to developers more and more. So now a developer's running payments, and they're running banking, and they're running a whole bunch of other things, and they're doing a lot of infrastructure stuff now because of the likes of Kubernetes and Terraform.
And so I think as these tools abstract more and more of the complexities away from a business, they give developers more freedom to do things at high speed. And the same thing is happening to security right now - there is such a bigger need because the responsibility is shifting.
OSS: So it's really almost the explosion in responsibilities that the developer world has acquired at an ever-increasing pace has also increased the threat surface and the risk, and there is a need for tools to address that burgeoning threat surface that has been created.
Brian: Yes. And there is a really simple formula behind things like this. And that is the number of products you have, times the number of services you're using, times the third-party services you’re using in your product, times the secrets you’re deploying, and that is your risk equation.
OSS: Back to open source as a topic in general. Do you worry about companies in the open-source ecosystem mimicking your core product?
Brian: No, and I think for two reasons. One, I’m inspired a lot by Elon Musk, and I really like electric cars. One thing, and I think maybe the only thing, that electric cars and secret managers need to have in common is that we need more of them.
Yeah, so in a way this is almost an invitation for competition, but it's more of like hey, the world needs to move to this model, right, we just do, and if we don't, there's gonna be a lot of bad consequences, and that includes software companies but that could also include a ton of other companies.
And so, I think the market's so big that this competition doesn't kill other companies; I think that's the first thing to really understand. But what does kill companies is business models. Yeah, and I think this is the other reason why I'm not so worried about open-source companies: open source companies run into some unique roadblocks, and firms that are not open-source companies have their own roadblocks as well. I'm not saying that either business model is significantly better in any way.
One challenge in open source can be that the product can be impacted by community control, and that means it's incredibly hard to have a very innovative long-term mission for the company. Right. And because a lot of times I find the best long term visions for the company are ones that are almost contrary and are unexpected. And I think a lot of the time to build into that can be really hard from day one, so if your entire community is driving everything for you, to get that alignment and be able to change and add things in ways that just wouldn't be expected, right.
So imagine if Elon was building Tesla open-source, it'd be really hard to get the cars they have now, I would think.
Second part is around monetization. I think MongoDB is an excellent example of a company that figured out monetizing open source, but a lot of companies don't, and they end up in this world where their only monetization strategy is around enterprise support and you risk becoming essentially a consulting company. And I’m not saying that cannot be successful, because it can be, but I think that is something I would not find very fun.