cloak VS sso-wall-of-shame

SEEKING FOUNDER CEO | Dev Tools | CEO Co-founder | Worldwide | MVP

Lookign for

Someone with experience taking a product to market, someone willing to trade equity for MAUs.

Idea

https://cloak.software/

Current Progress

Ready to onboard users but still a few issues to iron out.

Contact

https://www.linkedin.com/in/ianpurton

Hi. I'm also working on an E2E secrets manager. https://github.com/purton-tech/cloak

A few tips.

1. It looks like I'm able to do account enumeration on your login page. For a secure app you want to make sure this is not possible.

You want to take a look at Earthly. https://earthly.dev/

This gives you a mix of docker and a makefile.

The best bit is you can test your pipeline locally and you are vendor agnostic.

I'm using it here https://github.com/purton-tech/cloak

I commit to a github repo and that gets deployed to cloudflare pages. https://pages.cloudflare.com/

I use Zola the static site generator. My repo is here https://github.com/purton-tech/cloak/tree/main/www

You can see my migrations to switch on RLS here https://github.com/purton-tech/cloak/blob/main/db/migrations/20220808094314_tenancy_isolation.sql

Hi we are running selenium tests in our CI/CD pipeline.

We do actually generate a video of the tests running as an example see here https://github.com/purton-tech/cloak/actions/runs/2787628672

We're not using cypress we use webdriver connected to a selenium docker instance.

Is that something you can connect to?

I can give you a concrete example if that helps.

I looked at the "secrets automation" space and my background is cryptography and web development.

I'm a solo developer so when I look at a problem I have to make the solution small enough that I can actually build it.

I also have to have an idea about how I will get people to use my product i.e. marketing.

In my case 1Password raised 620million in funding based on their acquisition of Secretshub which for me proves there is a market in secrets automation for developers.

I looked at the secretshub product and I was confident I could build it better with easier to use encryption and make it open source.

As the market is developers I feel writing blog articles about software development will give me a route to market.

So I started about 4 months ago. The product is now here https://cloak.software and source code is here https://github.com/purton-tech/cloak

My first article about web development with rust has already had 16K views so I'm confident with the marketing approach. Now the hard works starts of turning visitors into paying users.

Hope this helps.

I've just launched an MVP for a solution to this problem. https://cloak.software/

I've been using Earthly for about 6 months.

Earthly uses Dockerfile style syntax so I don't have to learn a new language, I can leverage my existing knowledge.

Another advantage is that in Earthly I can run up a docker compose within my pipeline so that I have selenium, envoy and postgres running for integration testing.

You can see my integration tests here https://github.com/purton-tech/cloak/blob/main/Earthfile#L14...

Is that possible in dagger?

Hi! Tailscalar here. This is very topical for me! Over the past 3 weeks I've been working with internal stakeholders to remove our SSO tax - the sso tax is a pet hate of mine. A couple of weeks ago we removed it from our pricing plan after my proposal was approved, and today I released a blog on our website to announce it more widely: https://tailscale.com/blog/sso-tax-cut

I knew of https://sso.tax (which we are not listed on but I did include in my blog), but didn't know there was another website too!

I'm not the person you've asked, but I'm somebody who has been purchasing SaaS/software for businesses large and small for years. My take:

1. If SSO and other basic modern security features are locked into "Enterprise" pricing tiers then the service is at the bottom of the list (see: https://sso.tax). I'd love to say instant disqualification but too many SaaS companies have it in their head that only wealthy enterprises use SSO, despite SSO platforms being widely available and some quite cheap to acquire and start using.

2. If I need to request a quote to start any kind of service to see what the product is about then I'm not likely to pursue it. Don't make me jump through hoops when I'm just trying to see if a product can fit my needs.

3. If license terms are too complex or easy to violate that's a hard pass. Infrastructure monitoring tools are a great example. The licensing is often per "device" or per monitored metric, and some vendors are very loose with their definition of "device". (Don't use LogicMonitor with k8s unless you like throwing money in the garbage can). Hard lessons learned.

4. If the only details I can find regarding how you secure your product are claims of SOC2 and ISO27001 certification then that's a very likely pass. Those controls are great to have, necessary even, but anyone who has had to work to meet those compliance objectives knows that they're much more about organization controls than they are product security. Give me an idea about how you protect data and whatnot on a security page somewhere, not an attestation that dev and prod are separate and you have logs.

On the side of the positives, outside of not hitting the negative marks, I value ease to work with, responsive and competent support, strong pre and post-sales solutions architecture and support/training (if the product is complex enough to warrant that), and supports SSO. I bring up SSO again because it's a hard requirement for SaaS purchases everywhere I go -- no SSO, no go. Social login is not a substitute and is highly undesired.

Hope this helps.

Don’t be shy, here’s the link: https://github.com/robchahin/sso-wall-of-shame/issues.

It sounds like you're unaware of why SSO is considered a security feature at all them, but it's covered right on the site: https://sso.tax/

It's to allow centralized access management. Stuff like firing someone and revoking their access from one platform instantly, instead running around and changing permissions in every tool manually. Or ensuring people in department A can't be invited to some platform for people in department B in order to limit information access.

SSO tax is predicated on the idea that the moment you outgrow the informal arrangements and liberal access, you're really a business. Seems pretty fair?

Last time I had to implement Okta integration for DocuSign at my employer it was absurdly expensive. If Google does this right then I’d be ever so happy.

DocuSign on the SSO Tax site: https://sso.tax/

There’s a strong, widespread objection to hiding security features behind a paywall: https://sso.tax/

If 2fa is the only way you can differentiate in order to force enterprises to pay, it’s better to have a fee for security than to die because you can’t make money… but broadly, as a security company, you should aim for maximum security for every user.

I totally understand. I'm aware of the SSO tax. It's just honestly a complex feature, with a significant maintenance and support burden, and I leaned making it EE so that it'd be worth all the effort to implement and maintain (i.e. I want it to be a new-positive feature for revenue). But if I could get help from other contributors, I'd be fine with SSO being a CE feature too.

Need to put them up for the SSO Wall of shame. https://sso.tax/