<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Deepak Prabhakara</title>
    <description>The latest articles on Forem by Deepak Prabhakara (@deepakprab).</description>
    <link>https://forem.com/deepakprab</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F646719%2Fb6413e1e-bfb6-4375-90d7-75ee16f8f603.png</url>
      <title>Forem: Deepak Prabhakara</title>
      <link>https://forem.com/deepakprab</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/deepakprab"/>
    <language>en</language>
    <item>
      <title>BoxyHQ - The must-have for your startup's next enterprise customer</title>
      <dc:creator>Deepak Prabhakara</dc:creator>
      <pubDate>Thu, 20 Jul 2023 00:00:00 +0000</pubDate>
      <link>https://forem.com/boxyhq/boxyhq-the-must-have-for-your-startups-next-enterprise-customer-1n85</link>
      <guid>https://forem.com/boxyhq/boxyhq-the-must-have-for-your-startups-next-enterprise-customer-1n85</guid>
      <description>&lt;p&gt;Add plug-and-play features to your SaaS product with BoxyHQ's product suite. Become enterprise-ready!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://boxyhq.com/enterprise-sso"&gt;&lt;br&gt;
&lt;br&gt;
  &lt;br&gt;
  &lt;br&gt;
  &lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ragCp0cM--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://github.com/boxyhq/jackson/assets/66887028/b40520b7-dbce-400b-88d3-400d1c215ea1" class="article-body-image-wrapper"&gt;&lt;img alt="BoxyHQ Banner" src="https://res.cloudinary.com/practicaldev/image/fetch/s--ragCp0cM--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://github.com/boxyhq/jackson/assets/66887028/b40520b7-dbce-400b-88d3-400d1c215ea1" width="800" height="320"&gt;&lt;/a&gt;&lt;br&gt;
&lt;br&gt;
&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Introduction
&lt;/h2&gt;

&lt;p&gt;BoxyHQ enables you to add plug-and-play enterprise-ready features to your SaaS product.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Why
&lt;/h2&gt;

&lt;p&gt;It initially started with identifying the pain of developers having a TON of responsibility — right from infrastructure to actually building the product.&lt;/p&gt;

&lt;p&gt;And with the growing cybersecurity attacks, they need to start thinking about security as well.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--7lZxB4v0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-locks-7a1184b1ed203b49651e2f1ddb95dda5.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--7lZxB4v0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-locks-7a1184b1ed203b49651e2f1ddb95dda5.jpeg" alt="locks" width="800" height="534"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Photo by &lt;a href="https://unsplash.com/@flyd2069?utm_source=unsplash&amp;amp;utm_medium=referral&amp;amp;utm_content=creditCopyText"&gt;FLY:D&lt;/a&gt; on &lt;a href="https://unsplash.com/@flyd2069?utm_source=unsplash&amp;amp;utm_medium=referral&amp;amp;utm_content=creditCopyTex"&gt;Unsplash&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;[Cyber-crimes are predicted to cost $10.5 trillion annually by 2025]&lt;/p&gt;

&lt;p&gt;The goal is to help smaller startups become &lt;strong&gt;enterprise-ready.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Because until there’s an enterprise client coming in, security is usually an &lt;em&gt;afterthought.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;But they (enterprise customers) are the ones who question your security posture, compliance and more — as a company.&lt;/p&gt;

&lt;p&gt;[About 70% of development teams skip crucial security steps due to time pressures.]&lt;/p&gt;

&lt;p&gt;That’s where BoxyHQ comes in.&lt;/p&gt;

&lt;h4&gt;
  
  
  &lt;em&gt;But wait… What is enterprise-readiness?&lt;/em&gt;​
&lt;/h4&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zicsEkLu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-question-5674e22de525d906508173e251350ac9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zicsEkLu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-question-5674e22de525d906508173e251350ac9.png" alt="Question" width="800" height="534"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In a nutshell, it’s being secure, scalable, stable, and easy to run in production.&lt;/p&gt;

&lt;p&gt;According to &lt;strong&gt;Sama — Carlos Samame (Co-Founder)&lt;/strong&gt;, there are 2 paths for startups towards the need to be enterprise-ready:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Initially focused on smaller customers and now looking to expand.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Building a new product and targeting enterprise customers from Day 1.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;em&gt;But what do things look like from the enterprise’s end?&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Enterprise customers are often apprehensive (concerned) about trusting startups vs. established businesses, because the stakes are usually much higher.&lt;/p&gt;

&lt;h4&gt;
  
  
  They’re mainly looking for 2 things:​
&lt;/h4&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Your other enterprise customers (helps credibility)&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Whether you follow the compliance requirements (key necessity)&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;They look for quite a few standards to be met in a solution provider 👇🏻&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zXGsLqOQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-enterprise-ready1-1834463a2c9946a0349a34649f1a5a20.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zXGsLqOQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-enterprise-ready1-1834463a2c9946a0349a34649f1a5a20.webp" alt="enterprise-ready1" width="800" height="637"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Source &lt;a href="https://www.enterpriseready.io/"&gt;EnterpriseReady.io&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--CYB1oL2R--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-enterprise-ready2-d301dacbf42162783f0e4383dc56134e.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--CYB1oL2R--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-enterprise-ready2-d301dacbf42162783f0e4383dc56134e.webp" alt="enterprise-ready2" width="800" height="655"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Source &lt;a href="https://www.enterpriseready.io/"&gt;EnterpriseReady.io&lt;/a&gt; &lt;/p&gt;

&lt;p&gt;Before you feel overwhelmed, he further adds that you don’t need to start building all of this, and can instead focus on 3 key areas:&lt;/p&gt;

&lt;h4&gt;
  1. Customer obsession
&lt;/h4&gt;

&lt;p&gt;Understand their current needs, pains, motivations, processes, and most importantly — whether the plenty of software they already use will work smoothly with yours.&lt;/p&gt;

&lt;h4&gt;
  2. Time to market
&lt;/h4&gt;

&lt;p&gt;Invest in off-the-shelf enterprise readiness solutions that you can integrate into your SaaS app vs. spending months building in-house. Spend more time on your core product vs. non-core features.&lt;/p&gt;

&lt;h4&gt;
  3. Reduced engineering costs
&lt;/h4&gt;

&lt;p&gt;Investing in external solutions saves developer time spent on coding, fixing bugs, and the overall learning curve.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;“People’s time is more expensive than developer tools.”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;A great way is to rely on easily available open source solutions.&lt;/p&gt;

&lt;p&gt;Source: &lt;a href="https://boxyhq.com/blog/three-reasons-not-to-build-enterprise-features"&gt;Be enterprise-ready: 3 reasons not to build enterprise features!&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  The BoxyHQ suite — in the chronological order of release.​
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1. Open Source SAML Jackson​
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--h7-sbU8G--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-admin-portal-02cc1a4cd113f7227c802a8ab6557e03.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--h7-sbU8G--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-admin-portal-02cc1a4cd113f7227c802a8ab6557e03.jpeg" alt="Admin Portal" width="800" height="520"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Yep, that’s the product’s name. Pulp Fiction fans get the reference but for others–&lt;/p&gt;

&lt;p&gt;💡 &lt;em&gt;Pulp Fiction is a 1994 American crime film written and directed by Quentin Tarantino. Samuel Jackson starred in a leading role.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;SAML SSO was the first product created by Team BoxyHQ — pioneering their vision for enterprise readiness. (Launched on August 4, 2022)&lt;/p&gt;

&lt;p&gt;SAML: Security Assertion Markup Language&lt;br&gt;
SSO: Single Sign-on&lt;/p&gt;

&lt;h4&gt;
  
  
  What does it do?​
&lt;/h4&gt;

&lt;p&gt;It offers an out-of-the-box solution for deploying SAML quickly and efficiently — helping your enterprise customers manage access controls on their systems.&lt;/p&gt;

&lt;h4&gt;
  
  
  How does it work?​
&lt;/h4&gt;

&lt;p&gt;Just connect your product to BoxyHQ and everything else is managed for you!&lt;/p&gt;

&lt;p&gt;BoxyHQ connects to almost every identity provider, so you can go from the first line of code to full SAML support in just a week!&lt;/p&gt;

&lt;h3&gt;
  
  
  What are its benefits?​
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--7KvRtlbi--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-admin-portal2-f78e4a630ae5627b897db98d565478dc.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--7KvRtlbi--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-admin-portal2-f78e4a630ae5627b897db98d565478dc.jpeg" alt="Admin Portal" width="800" height="520"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  Centralized management and increased security 🔒​
&lt;/h4&gt;

&lt;p&gt;Enable your customers to manage access control on their own systems so they can:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Have the right access&lt;/li&gt;
&lt;li&gt;Prevent password sharing&lt;/li&gt;
&lt;li&gt;Easily grant and revoke access as needed&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Better user experience ✨​
&lt;/h4&gt;

&lt;p&gt;Users just need to log in once to access all the external services on a dashboard with a single click. It’s simple and easy to use.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Saves users’ time&lt;/li&gt;
&lt;li&gt;Improves your product’s UX&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Reduces costs 💲
&lt;/h4&gt;

&lt;p&gt;All the account information is maintained and managed by the IdP vs. multiple services. This helps in saving costs.&lt;/p&gt;

&lt;p&gt;(IdP is the identity provider — the single point that lets its users access all the services from it)&lt;/p&gt;

&lt;p&gt;&lt;em&gt;“The idea behind SAML SSO is that by centralizing your access to an external system you can better manage access and permission as well as improve security.”&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;em&gt;Aswin Venugopal, Senior Software Engineer&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  TL;DR​
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Without BoxyHQ’s SAML SSO, on the user side 😔​
&lt;/h4&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--RdQ4VPkw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-sso-connection-475fb944937992f866738af225e20f43.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--RdQ4VPkw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-sso-connection-475fb944937992f866738af225e20f43.webp" alt="SSO connection without BoxyHQ" width="800" height="419"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Without BoxyHQ&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Spend a long time building a SAML integration&lt;/li&gt;
&lt;li&gt;Create integrations for each of your customer’s identity providers (IdP)&lt;/li&gt;
&lt;li&gt;Spend time, energy, focus, and resources away from your core product&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  With BoxyHQ’s SAML SSO authentication 🤠
&lt;/h4&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zxdlayYB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-sso-connection2-9393b0b3ae889c41d3c5e1ff026b3e16.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zxdlayYB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-sso-connection2-9393b0b3ae889c41d3c5e1ff026b3e16.webp" alt="SSO connection with BoxyHQ" width="800" height="419"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;With BoxyHQ&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Centralize management&lt;/li&gt;
&lt;li&gt;Improve security&lt;/li&gt;
&lt;li&gt;Enhance user experience&lt;/li&gt;
&lt;li&gt;Increase productivity&lt;/li&gt;
&lt;li&gt;Save time, reduce costs&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  On the solution provider’s side, it looks like:​
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--3h_W3Bzw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-sso-connection3-728f29eee05af16861f16fa466eb7fc9.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--3h_W3Bzw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-sso-connection3-728f29eee05af16861f16fa466eb7fc9.webp" alt="SSO connection without BoxyHQ" width="800" height="505"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Without BoxyHQ&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--S9Yoa287--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-sso-connection4-fe896577d90c12df0c18b1661c5d7daa.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--S9Yoa287--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-sso-connection4-fe896577d90c12df0c18b1661c5d7daa.webp" alt="SSO connection with BoxyHQ" width="800" height="505"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;With BoxyHQ&lt;/p&gt;

&lt;p&gt;Here, you only have to connect your product to BoxyHQ through a single direct integration, and it then manages the connections to all the IdPs. You can deploy SAML SSO with just a few lines of code!&lt;/p&gt;

&lt;p&gt;🔗 The sources are linked &lt;a href="https://boxyhq.com/blog/understanding-saml-sso-the-basics-from-the-user-side"&gt;here&lt;/a&gt; and &lt;a href="https://boxyhq.com/blog/understanding-saml-sso-the-basics-from-the-solution-providers-side"&gt;here&lt;/a&gt; (official BoxyHQ blogs)&lt;/p&gt;

&lt;p&gt;&lt;em&gt;“Deepak (Co-Founder) himself helped us implement SSO SAML in cal.com and we’re more than happy about it! it’s great to finally see an open source project tackle enterprise-ready features!”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;— Peer Richelsen, Co-Founder at Cal.com&lt;/p&gt;

&lt;p&gt;Note: Team BoxyHQ recently re-launched the enhanced &lt;a href="https://www.producthunt.com/products/boxyhq#open-source-saml-sso-by-boxyhq-2"&gt;SAML SSO on Product Hunt&lt;/a&gt;! 🚀&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Open Source Directory Sync​
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--NjJRdu8c--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-ds-connection-6aa258ce3f0bc3811ca69fd8161c8c46.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--NjJRdu8c--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-ds-connection-6aa258ce3f0bc3811ca69fd8161c8c46.webp" alt="Directory Sync Connection" width="800" height="344"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Organizations use directories from different providers to manage user access to organization resources.&lt;/p&gt;

&lt;p&gt;BoxyHQ’s Directory Sync lets orgs activate and deactivate user accounts, create groups, and keep their app in sync with the user directory in real time.&lt;/p&gt;

&lt;p&gt;💡 &lt;em&gt;In an enterprise customer context, a directory is a central repository that holds information about employees, customers, and other resources in a company.&lt;/em&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  In simple words, you enable your customers to:​
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Have higher security standards&lt;/li&gt;
&lt;li&gt;Centrally manage their users’ access lifecycle&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It supports the SCIM 2.0 protocol.&lt;/p&gt;

&lt;p&gt;SCIM: System for Cross-domain Identity Management&lt;/p&gt;

&lt;p&gt;&lt;em&gt;“Directory Sync streamlines the user lifecycle management process by saving valuable organizational hours, creating a single truth source of the user identity data, and facilitating them to keep the data secure.”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;-&lt;em&gt;BoxyHQ Official Docs&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Learn more: &lt;a href="https://boxyhq.com/docs/directory-sync/examples"&gt;Examples &amp;amp; Resources (Directory Sync)&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Open Source Audit Logs​
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ItpKZXMR--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-audit-logs-8ebf5892b1fdadffb31f65832b12c33e.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ItpKZXMR--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-audit-logs-8ebf5892b1fdadffb31f65832b12c33e.webp" alt="Open Source Audit Logs" width="800" height="588"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;BoxyHQ’s Audit Logs ‘Retraced’ offer your enterprise customers the ability to record and search events that happen on your application.&lt;/p&gt;

&lt;p&gt;Note: Retraced was initially built by Replicated and has been enhanced by BoxyHQ.&lt;/p&gt;

&lt;p&gt;They provide a detailed record of user actions, and can be used to monitor potential security breaches, compliance violations, and other issues.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;“The world’s best SaaS companies offer detailed Audit Logs, your SaaS should too as you move into serving the enterprise segment.”&lt;/em&gt; -&lt;em&gt;Vanshika Srivastava&lt;/em&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  Why are Audit Logs important?​
&lt;/h4&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Nubp3iqN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-audit-logs2-7c8816f7d05ce34b4feb6b0c677def0a.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Nubp3iqN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-audit-logs2-7c8816f7d05ce34b4feb6b0c677def0a.jpeg" alt="Open Source Audit Logs2" width="800" height="462"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For most companies, the ability to monitor the flow of data and be alerted to any breaches is super essential.&lt;/p&gt;

&lt;p&gt;Audit logs help to pinpoint any misuse of information and ensure that data policies are followed ✅&lt;/p&gt;

&lt;p&gt;This one simple API helps you become compliant fast, and ensure your customers get all the functionality and safety they need.&lt;/p&gt;

&lt;h3&gt;
  
  
  4. Admin Portal​
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--CIbQBUWs--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-admin-portal3-b148491eef73ed45f92dce5cf1d5f995.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--CIbQBUWs--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-admin-portal3-b148491eef73ed45f92dce5cf1d5f995.jpeg" alt="Admin Portal3" width="800" height="441"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Manage Enterprise SSO, Directory Sync, and Audit Logs products via an easy-to-use web interface.&lt;/p&gt;

&lt;p&gt;It can help you streamline your workflows and increase productivity.&lt;/p&gt;

&lt;p&gt;You can use the authentication method of your choice (Magic Link, Email and Password, SAML/OIDC Single Sign-On).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--4Te4SGO7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-admin-portal4-75a7906e4c1bc97e12151ab78310cfeb.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--4Te4SGO7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-admin-portal4-75a7906e4c1bc97e12151ab78310cfeb.jpeg" alt="Admin Portal4" width="800" height="446"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;BoxyHQ’s future products (where relevant) will also be available in the Admin Portal.&lt;/p&gt;

&lt;p&gt;To enable the Admin Portal, you need to deploy &lt;a href="https://boxyhq.com/docs/jackson/deploy/service"&gt;Jackson as a service&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  5. Data Privacy Vault​
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--OxRmVREw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-privacy-vault-81d1c7995e501eaba4b63668ac8d5e43.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--OxRmVREw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-privacy-vault-81d1c7995e501eaba4b63668ac8d5e43.webp" alt="Privacy Vault" width="800" height="369"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In this day and age of high cyber-crime and increasingly sensitive data, you need to protect your customers’ data &lt;em&gt;and&lt;/em&gt; trust.&lt;/p&gt;

&lt;p&gt;Privacy Vault is BoxyHQ’s open-source solution to centralize, isolate, and govern all the sensitive data you collect.&lt;/p&gt;

&lt;h4&gt;
  
  
  With the Privacy Vault, you can:​
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Identify all the sensitive data from clients’ application database and move it to the vault.&lt;/li&gt;
&lt;li&gt;Replace the sensitive data in their application database with (exchangeable) opaque tokens.&lt;/li&gt;
&lt;li&gt;Gain control over where the sensitive data goes, who has access to it and for what duration.&lt;/li&gt;
&lt;li&gt;Create access policies that adhere to data regulations and geographic regulations.&lt;/li&gt;
&lt;li&gt;Get the ability to respond to DSRs (Data Subject Requests) from customers.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  What users are saying 💬​
&lt;/h4&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--WXv8OKHd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-calcom-8630ca3cd90c4211f24b1f301b3f0dc8.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--WXv8OKHd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-calcom-8630ca3cd90c4211f24b1f301b3f0dc8.webp" alt="Cal.com" width="800" height="428"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;“It let our team focus on what we do best (democratizing scheduling for everyone) without getting distracted by the needs of our enterprise customers. Did I mention it’s open-source and free?”&lt;/em&gt;&lt;br&gt;
 &lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--DsVcO5jH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/img/blog/scoutflo-blog-supertokens.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--DsVcO5jH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/img/blog/scoutflo-blog-supertokens.webp" alt="" width="400" height="400"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Super Tokens — An open-source authentication solution&lt;/p&gt;

&lt;p&gt;&lt;em&gt;“We at SuperTokens needed to provide SAML login to our users, and instead of building it from scratch, we found the perfect open source project — BoxyHQ!”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--k8XkMsju--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-news-b56814dbbbea5f26ad6eca1c8d1a06d7.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--k8XkMsju--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-news-b56814dbbbea5f26ad6eca1c8d1a06d7.webp" alt="News" width="800" height="252"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Media Features&lt;/p&gt;

&lt;h3&gt;
  
  
  Meet the Founders ✨​
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--BeLVCsLl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-founders-deepak-17432483315ecac8ac2a6f80e89fc80f.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--BeLVCsLl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-founders-deepak-17432483315ecac8ac2a6f80e89fc80f.webp" alt="Founders - Deepak" width="800" height="777"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Deepak Prabhakara, CEO &amp;amp; Co-founder&lt;/p&gt;

&lt;p&gt;&lt;a href="https://twitter.com/deepakprab"&gt;Deepak&lt;/a&gt; has over 2 decades of experience in design, architecture and development of complex software products across different SaaS and mobile platforms.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Exi8T7GP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-founders-sama-8ccb70c6cdd901b54872e2fbe6899f84.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Exi8T7GP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-founders-sama-8ccb70c6cdd901b54872e2fbe6899f84.webp" alt="Founders - Sama" width="800" height="800"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://twitter.com/caloique"&gt;Sama&lt;/a&gt; has 15+ years of experience working at tech companies across different business areas and continents.&lt;/p&gt;

&lt;h3&gt;
  
  
  The BoxyHQ Pledge 📜​
&lt;/h3&gt;

&lt;p&gt;&lt;em&gt;“As long-time users and contributors to the open-source ecosystem, we want to do the right thing for the community. That means we will make sure that our core open-source code stays open. We will also strive to use open standards where possible. We want to collaborate with the community to build towards our vision to make security, compliance and privacy easy for developers so they can focus on their core product while being compliant...”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Learn more here: &lt;a href="https://boxyhq.com/pledge"&gt;BoxyHQ pledges to keep our core open-source code open&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  What’s Next for BoxyHQ 🚀​
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--NkD_0Rfh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-features-c29a80a484e382b2d08e43e3b2f6f0af.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--NkD_0Rfh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/scoutflo-blog-features-c29a80a484e382b2d08e43e3b2f6f0af.webp" alt="Features" width="800" height="487"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You can &lt;a href="https://boxyhq.com/saas-registration"&gt;sign up for the waitlist&lt;/a&gt; before August 1, and make the most of this limited-time offer.&lt;/p&gt;

&lt;p&gt;Check out BoxyHQ’s &lt;a href="https://github.com/boxyhq"&gt;GitHub page&lt;/a&gt;, official &lt;a href="https://boxyhq.com/docs"&gt;documentation&lt;/a&gt;, and &lt;a href="https://twitter.com/boxyhq"&gt;Twitter&lt;/a&gt; profile. 🚀&lt;/p&gt;

&lt;p&gt;And don’t forget to follow &lt;a href="https://atlas-home.scoutflo.com/?ref=blog.scoutflo.com"&gt;Scoutflo&lt;/a&gt; on &lt;a href="https://twitter.com/scout_flo?ref=blog.scoutflo.com"&gt;Twitter&lt;/a&gt; if you haven’t already! ✨&lt;/p&gt;

&lt;p&gt;We’re also active on LinkedIn 💙&lt;/p&gt;

&lt;p&gt;Cover photo by &lt;a href="https://unsplash.com/@danny144?utm_source=unsplash&amp;amp;utm_medium=referral&amp;amp;utm_content=creditCopyText"&gt;Dan Nelson&lt;/a&gt; on &lt;a href="https://unsplash.com/photos/ah-HeguOe9k?utm_source=unsplash&amp;amp;utm_medium=referral&amp;amp;utm_content=creditCopyText"&gt;Unsplash&lt;/a&gt;&lt;/p&gt;

</description>
      <category>enterprise</category>
      <category>security</category>
    </item>
    <item>
      <title>The new era of Application Security: Security Building Blocks for Developers</title>
      <dc:creator>Deepak Prabhakara</dc:creator>
      <pubDate>Mon, 10 Jul 2023 00:00:00 +0000</pubDate>
      <link>https://forem.com/boxyhq/the-new-era-of-application-security-security-building-blocks-for-developers-5din</link>
      <guid>https://forem.com/boxyhq/the-new-era-of-application-security-security-building-blocks-for-developers-5din</guid>
      <description>&lt;h2&gt;
  
  
  The new era of Application Security: Security Building Blocks for Developers​
&lt;/h2&gt;

&lt;p&gt;With the proliferation of data breaches and cyber-attacks, developers must take a proactive approach to security. BoxyHQ's Security Building Blocks for Developers are designed to help developers build and deploy secure applications with minimal effort and expertise.&lt;/p&gt;

&lt;p&gt;In addition to their core products, security teams are finding it hard to keep pace with new no-code and low-code apps that are being created in the company. The arrival of Generative AI and ChatGPT has complicated the landscape even further.&lt;/p&gt;

&lt;p&gt;The importance of integrating robust security measures into software applications cannot be overstated. BoxyHQ, a security-focused platform for developers, is leading the way with its Security Building Blocks for Developers, inspired by the concept of &lt;a href="https://mvsp.dev/mvsp.en/"&gt;Minimum Viable Security&lt;/a&gt; (MVS) championed by &lt;a href="https://mvsp.dev"&gt;mvsp.dev&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;BoxyHQ is set to revolutionize application security. Drawing insights from industry pioneers such as Twilio, Stripe, HashiCorp, and Snyk, BoxyHQ's open-source Security Building Blocks offer a comprehensive solution that empowers developers to build secure software products with ease and efficiency.&lt;/p&gt;

&lt;h2&gt;
  
  
  Building and Shipping Secure Software Products in Hours, Not Months
&lt;/h2&gt;

&lt;p&gt;Building and shipping security features in hours instead of months is now a reality. In the fast-paced world of software development, time is of the essence. Traditional approaches to security often involve time-consuming and complex implementations. However, by embracing BoxyHQ's Security Building Blocks, developers can now build and ship secure software products in a fraction of the time it would take to develop these features from scratch. This not only saves valuable time but also accelerates time-to-market, giving businesses a competitive edge.&lt;/p&gt;

&lt;h2&gt;
  
  
  Democratizing Secure Development: Making Security Accessible to All
&lt;/h2&gt;

&lt;p&gt;The developer community has long embraced the open-source movement. Open-source software fosters collaboration, innovation, and rapid evolution. By offering Security Building Blocks as open-source projects, BoxyHQ empowers developers to contribute, customize, and tailor security features to suit their specific needs. This flexibility not only enables developers to address unique requirements but also creates an ecosystem where best practices and security advancements are shared, benefiting the entire community. We hypothesize that in the future many of these security features will be a commodity, and will be implemented by any software product, not just the ones that need to be enterprise-grade.&lt;/p&gt;

&lt;h2&gt;
  
  
  Minimum Viable Security (MVS): Building a Strong Foundation
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--M_F8PNC8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/purple-building-blocks-8ea95b3166a7dea1ad63c19b72820f3f.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--M_F8PNC8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/purple-building-blocks-8ea95b3166a7dea1ad63c19b72820f3f.jpg" alt="Security Building Blocks" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Photo by &lt;a href="https://unsplash.com/@theshubhamdhage?utm_source=unsplash&amp;amp;utm_medium=referral&amp;amp;utm_content=creditCopyText"&gt;Shubham Dhage&lt;/a&gt; on &lt;a href="https://unsplash.com/?utm_source=unsplash&amp;amp;utm_medium=referral&amp;amp;utm_content=creditCopyText"&gt;Unsplash&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Minimum Viable Security (MVS) is a concept focused on identifying and implementing the essential security measures necessary to protect an application from common threats. BoxyHQ embraces the principles of MVS and provides developers with Security Building Blocks that address these foundational security needs. By adopting an MVS approach, developers can prioritize the integration of critical security features, ensuring a solid foundation for their applications while minimizing unnecessary complexity and overhead.&lt;/p&gt;

&lt;h2&gt;
  
  
  Comprehensive Integration: Uniting Security Features for Maximum Effectiveness
&lt;/h2&gt;

&lt;p&gt;BoxyHQ's Security Building Blocks integrate multiple security components, each designed to address a specific aspect of application security. By combining these features, developers can create a comprehensive security framework for their applications. Whether it's the secure authentication facilitated by the Enterprise Single Sign-On (SSO) product, the real-time synchronization provided by Directory Sync, the compliant logs generated by Audit Logs (Retraced), or the encrypted storage capabilities of the Data Privacy Vault (PII, PCI, PHI compliant), these components seamlessly work together to strengthen the overall security posture of applications.&lt;/p&gt;

&lt;h2&gt;
  
  
  Closing the Gap Between Compliance and Security
&lt;/h2&gt;

&lt;p&gt;One of the key advantages of BoxyHQ is its ability to bridge the gap between compliance and security. With the increasing focus on cybersecurity vulnerabilities, compliance alone is not sufficient to protect against threats. BoxyHQ's comprehensive suite of open-source security components ensures that developers can not only meet compliance requirements but also implement robust security measures. By integrating these building blocks, businesses can confidently navigate the complex landscape of security and compliance, safeguarding their data and systems while staying ahead of potential threats. Aligned with this vision, we consolidated a list of free &lt;a href="https://github.com/boxyhq/awesome-oss-devsec"&gt;awesome open-source developer-first security tools&lt;/a&gt; that includes security principles and controls relevant to popular compliance certifications (like ISO27001, SOC2, MVSP, etc.).&lt;/p&gt;

&lt;p&gt;The security building blocks for developers are supported by extensive documentation, an admin portal for easy management, and customer support and advice for each customer's unique needs. BoxyHQ's products represent a significant step forward for developers looking to improve the security of their applications.&lt;/p&gt;

&lt;p&gt;In conclusion, BoxyHQ aims to make a significant impact on the industry. By providing simple and efficient integrations for minimum viable security features, BoxyHQ is helping to ensure that developers and businesses of all sizes can protect their sensitive data and systems against threats, ultimately making the internet a safer place for everyone.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>SSO "Wall of Shame" vs "Wall of Fame"</title>
      <dc:creator>Deepak Prabhakara</dc:creator>
      <pubDate>Thu, 30 Mar 2023 00:00:00 +0000</pubDate>
      <link>https://forem.com/boxyhq/sso-wall-of-shame-vs-wall-of-fame-4609</link>
      <guid>https://forem.com/boxyhq/sso-wall-of-shame-vs-wall-of-fame-4609</guid>
      <description>&lt;p&gt;Unless you have been living under a rock, you have probably heard of the SSO Wall of Shame. This is a list of vendors that treat single sign-on as a luxury feature, not a core security requirement. There have been numerous complaints regarding the companies that have made it onto this list, and rightfully so. In a downturn economy and in times when security and privacy are critical, many organizations see an opportunity to generate even more revenue.&lt;/p&gt;

&lt;p&gt;This is a small example, listed in alphabetical order, of some of the most well-known companies that have ended up on the “Wall of Shame” (see the screenshot below). You can find more information and the full list at &lt;a href="https://sso.tax"&gt;sso.tax&lt;/a&gt;. It is clear that raising prices for enterprise SSO and other security features, such as Audit Logs (to track critical events), is just part of their revenue model.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--qemHBq53--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/sso-tax-list-b0ccee4c71a8d09fad40792e3739a5b9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--qemHBq53--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/sso-tax-list-b0ccee4c71a8d09fad40792e3739a5b9.png" alt="sso tax list" width="800" height="866"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;But is this the right thing to do? It’s hard to judge from the outside, and clearly companies need to make a profit while showing growth, especially when they are backed by Venture Capital. Having said that, at BoxyHQ we believe that we can all do better (we are also Venture funded). Nonetheless, cybersecurity taxes should stop, and we should all focus on increasing our security posture and making a positive impact. Take, for example, Hubspot charging 6300% more for SSO functionality! That is a clear example of how absurd and abusive some companies can be.&lt;/p&gt;

&lt;p&gt;Now, we ask ourselves, how about the “Wall of Fame”? This is a separate list of companies that lead by example and don’t take advantage of their customer base. If you do a quick search, you will find some interesting companies listed. Grafana, Cal.com, and Sumo Logic, just to name a few.&lt;/p&gt;

&lt;p&gt;To understand why startups normally lean this way, it’s important to consider the enterprise deal process. With RFPs, security questionnaires, and other compliance-related procedures, closing an enterprise deal becomes all-consuming for a startup. This can justify an enterprise pricing tier. Given a startup’s early evolution of products, Enterprise SSO becomes an easy candidate to distinguish the pricing tier gap between charging SMBs and what they can charge enterprises. But building and maintaining SSO is expensive and time-consuming. SAML is not necessarily the easiest protocol implementation to get right. And add to this the customer support issues that come with onboarding large enterprise teams onto the product. But as a startup matures, the product needs to have enough core enterprise features and not merely depend on undifferentiated features like SSO.&lt;/p&gt;

&lt;p&gt;To take it full circle, it would be nice to see a full list of the SSO Wall of Fame. Then we could ensure support for the companies with integrity, who have clearly not been overtaken by greed. Unfortunately, because of our bandwidth, we cannot commit to full ownership of this initiative, but we can offer some practical advice on how companies could start offering SSO pricing tiers for free or at a nominal price increase:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Charge for other core enterprise features instead of SSO. If your product is not quite to that level of maturity, please read on.&lt;/li&gt;
&lt;li&gt;Instead of charging for SSO, charge for the security processes that come with enterprise deals. If a company wants you to go through its security and compliance process, it would rather pay a premium to enhance its security posture and reduce compliance risk from its vendors.&lt;/li&gt;
&lt;li&gt;If that scenario isn’t possible then consider segmenting SSO pricing based on the number of users or seats. SMBs will not have a very large number of seats so this could be a possible way to separate your pricing.&lt;/li&gt;
&lt;li&gt;If your Enterprise tier is not based on seats, a natural progression is to base pricing on usage.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We are trying to do our part by providing a free open-source enterprise-grade SSO (called SAML Jackson) that any developer, team, or organization can plug into with just a few lines of code. Check out the GitHub repo &lt;a href="https://github.com/boxyhq/jackson"&gt;here&lt;/a&gt;. Feedback is much appreciated and a star will help us raise security awareness. 🙂&lt;/p&gt;

&lt;p&gt;Stay safe, do good, and avoid the dark side of the SSO tax!&lt;/p&gt;

</description>
      <category>sso</category>
      <category>enterprise</category>
    </item>
    <item>
      <title>Exploring the open-source business model and how companies monetize it</title>
      <dc:creator>Deepak Prabhakara</dc:creator>
      <pubDate>Mon, 13 Mar 2023 00:00:00 +0000</pubDate>
      <link>https://forem.com/boxyhq/exploring-the-open-source-business-model-and-how-companies-monetize-it-2hai</link>
      <guid>https://forem.com/boxyhq/exploring-the-open-source-business-model-and-how-companies-monetize-it-2hai</guid>
      <description>&lt;p&gt;With the rise of open-source solutions and solution providers, one of the biggest questions asked is, how do businesses monetize while giving away the source code for free?&lt;/p&gt;

&lt;h2&gt;
  
  
  What is an open-source company?
&lt;/h2&gt;

&lt;p&gt;An open-source company is an organization that develops software but makes the source code freely available to the public. This means that others can copy the code and engine, deploy it themselves, develop it, fix bugs and more. This allows the software not only to be widely accessible for free but also to evolve in a very collaborative way.&lt;/p&gt;

&lt;h2&gt;
  
  
  If everything is free then how can it be monetized?
&lt;/h2&gt;

&lt;p&gt;We don't have to look very far to find examples of open-source companies that have become unicorns and continue to grow. Some great examples are Elastic ($608 million in revenue, 2021), HashiCorp ($320 million in revenue, 2021), and Red Hat ($3.4 billion in revenue, 2021). All these companies operate an open-source business model but have huge revenues and valuations. This is what we are going to look at.&lt;/p&gt;

&lt;p&gt;There are many different ways that open-source companies can monetize - ultimately this comes down to the goals of the business. We are going to explore a few of the options available but keep in mind that these are just some of the ways it can be done and open-source continues to develop and grow at a rapid pace.&lt;/p&gt;

&lt;h3&gt;
  
  
  Donations
&lt;/h3&gt;

&lt;p&gt;One of the most popular models is to offer the source code and documentation completely free and let its users donate at their discretion. This is normally done for smaller projects and donations can be solicited in various ways, such as a button on the website, a link in a newsletter, a Github donation, or one that I like - buymeacoffee.com. The latter allows you to embed an option into your website or interface and donate at the value of a coffee. Although donations are a great way to monetize some projects, this method is not feasible for bigger companies that have complex solutions and large overheads.&lt;/p&gt;

&lt;h3&gt;
  
  
  Support
&lt;/h3&gt;

&lt;p&gt;Paid Support or Premium Care, as it’s commonly termed, is a very common business model that has done very well for larger commercial companies. This model allows users to still access the code and deploy it for free but also enables an option for companies/users to pay for additional support. This monetized plan often includes perks such as help deploying the software, customization and ongoing support for general use. Just because the source code of a project is open, it doesn’t mean it's easy to deploy or manage. This is where companies such as Red Hat have been successful and use this particular model to great effect.&lt;/p&gt;

&lt;p&gt;The benefits of this model are, as Red Hat has demonstrated, you can build a revenue-generating company that can be scaled effectively. The drawback is, some companies only make the open-source code available with a paid plan, which goes against the open-source ethos. To truly use this model effectively, companies should offer the source code for free regardless of an option for additional support.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--LEg16us9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/christine-roy-ir5MHI6rPg0-unsplash-e0d643aefffdf762ebac0aa4c8f5d78e.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--LEg16us9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://boxyhq.com/assets/images/christine-roy-ir5MHI6rPg0-unsplash-e0d643aefffdf762ebac0aa4c8f5d78e.jpg" alt="OSS Monetization" width="640" height="428"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Photo by &lt;a href="https://unsplash.com/fr/@agent_illustrateur?utm_source=unsplash&amp;amp;utm_medium=referral&amp;amp;utm_content=creditCopyText"&gt;Christine Roy&lt;/a&gt; on &lt;a href="https://unsplash.com/images/things/money?utm_source=unsplash&amp;amp;utm_medium=referral&amp;amp;utm_content=creditCopyText"&gt;Unsplash&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Licensing
&lt;/h3&gt;

&lt;p&gt;Open-source companies can also license their open-source software, which applies rules to how their software can be used, edited, distributed and copied. Some open-source companies will allow individuals and smaller organizations to use their software for free while charging larger companies a fee to deploy it. Normally a license fee comes with additional benefits, such as support and training, etc. There are also two main types of licensing that open-source companies can utilize.&lt;/p&gt;

&lt;p&gt;- Copyleft license: This is a type of license in which, if code is copied and modified, it still retains the original license terms.&lt;/p&gt;

&lt;p&gt;- Permissive license: This grants licenses based on different needs and is much more diverse.&lt;/p&gt;

&lt;p&gt;Licensing and open-source licensing is a huge topic in itself and Snyk has done a fantastic job at explaining this. You can read more about it here.&lt;/p&gt;

&lt;h3&gt;
  
  
  Cloud-hosted Services
&lt;/h3&gt;

&lt;p&gt;Finally, the last model we will look at is hosting. While open-source organizations can still offer their code for free, some may offer a hosted version which is much easier to set up and maintain. This means customers can effectively use their product like any other SaaS and they typically charge on a subscription basis.&lt;/p&gt;

&lt;p&gt;The hosted model is very popular as it now allows quick deployment but also reduces the level of maintenance and custom work developers need to carry out. The main limitation of offering a hosted model is, it will require the open-source company to offer web hosting and everything that goes along with it. This can require an enormous amount of maintenance and development.&lt;/p&gt;

&lt;h3&gt;
  
  
  The open-core model
&lt;/h3&gt;

&lt;p&gt;The open core model is when a company releases the core software for anyone to use but then also controls things such as the roadmap and what commits are accepted into it. By doing this, the company can also charge for extra features which customers may want. Some examples could be functionality features or even security/compliance modules. This model has been very popular with open-source companies and is widely seen as a very fair way to operate. It is also very important to make sure that the open-core has enough value that developers will rally around the product from the get-go. Companies that offer very little value from the free version and charge for additional features, do not see great traction in the open-source community.&lt;/p&gt;

&lt;h2&gt;
  
  
  Controversial opinion
&lt;/h2&gt;

&lt;p&gt;I personally believe that OSS is not a business model but a development model. We are debating this internally, so we would love to hear your feedback and opinions on this subject.&lt;/p&gt;

&lt;h2&gt;
  
  
  Summary
&lt;/h2&gt;

&lt;p&gt;Although open-source code is widely free and available to use, it has become a popular choice for companies who also want to commercialize. The benefits of open-source are vast and with the variety of business models we discussed you can understand the various options to create a successful, revenue-generating business.&lt;/p&gt;

</description>
      <category>opensource</category>
    </item>
    <item>
      <title>Why does your SaaS application need audit logs?</title>
      <dc:creator>Deepak Prabhakara</dc:creator>
      <pubDate>Wed, 18 Jan 2023 00:00:00 +0000</pubDate>
      <link>https://forem.com/boxyhq/why-does-your-saas-application-need-audit-logs-2hm7</link>
      <guid>https://forem.com/boxyhq/why-does-your-saas-application-need-audit-logs-2hm7</guid>
      <description>&lt;p&gt;Audit logs are an important tool for keeping track of activity within your SaaS application. These logs provide a detailed record of the actions taken by users and can be used to monitor for potential security breaches, compliance violations, and other issues. Let’s explore some of the key reasons why you need audit logs for your SaaS app.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Compliance:&lt;/strong&gt; Many industries are subject to strict regulations that require organizations to maintain detailed records of their activities. Audit logs can be used to demonstrate compliance with these regulations, and to provide evidence in the event of an audit or investigation.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Cyber Insurance:&lt;/strong&gt; Obtaining cyber insurance usually comes with requirements around recording and retaining audit logs. These logs help with forensics during insurance claims, otherwise making investigation expensive and time-consuming for both insurers and the affected companies.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Security:&lt;/strong&gt; Audit logs can be used to detect and prevent security breaches. By monitoring for suspicious activity, such as repeated failed login attempts or changes to sensitive data, you can quickly identify and respond to potential threats. Additionally, audit logs can be used to reconstruct the events leading up to a security incident, which can help you identify the cause and prevent similar incidents in the future.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Accountability:&lt;/strong&gt; Audit logs make it possible to track the actions of individual users, which can be useful for identifying issues such as data breaches, compliance violations, and other problems. This information can be used to hold users accountable for their actions and to help you identify and address any issues that arise.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Troubleshooting:&lt;/strong&gt; Audit logs can be used to identify and diagnose issues that occur within your SaaS application. By reviewing the logs, you can see exactly what happened when a problem occurred, which can help you quickly identify the root cause and develop a solution.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Auditing:&lt;/strong&gt; Audit logs provide a record of the activities that occur within your SaaS application, which can be useful for internal audits. This information can be used to assess the effectiveness of your security controls and identify areas for improvement.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Gt0AmDxo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/audit-logs-widget-4a5818eebf50ad4d8229bbd3684e6667.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Gt0AmDxo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/audit-logs-widget-4a5818eebf50ad4d8229bbd3684e6667.png" alt="Audit Logs" width="880" height="681"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Audit logs are a powerful tool that can be used to improve the security, compliance, and overall performance of your SaaS application. By keeping detailed records of user activity, you can monitor for potential issues and quickly respond to problems as they arise. If your SaaS app doesn't have audit logs, you should consider implementing them as soon as possible to ensure the safety and security of your data and users. It is also becoming an important part of enterprise readiness.&lt;/p&gt;

&lt;h2&gt;
  
  
  Introducing our Audit Logs product
&lt;/h2&gt;

&lt;p&gt;We are extremely thrilled to introduce our new Audit Logs product in collaboration with our friends at &lt;a href="https://replicated.com"&gt;Replicated&lt;/a&gt;. Retraced is a fully open-source audit log service that comes with an embeddable UI that's easily deployed to an infrastructure of your choice. We have spent years building and fine-tuning audit logs systems and think we have finally discovered an optimal solution to this nagging problem.&lt;/p&gt;

&lt;p&gt;It’s yet another important enterprise readiness feature to tick as you scale your offerings to the enterprise segment and complements our Enterprise SSO and Directory Sync products to give you a one-stop solution. Come check out the product at our &lt;a href="https://github.com/retracedhq/retraced"&gt;Github repo&lt;/a&gt;, we’d love to hear your feedback.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>The impact of open source on cybersecurity</title>
      <dc:creator>Deepak Prabhakara</dc:creator>
      <pubDate>Mon, 14 Nov 2022 16:10:02 +0000</pubDate>
      <link>https://forem.com/deepakprab/the-impact-of-open-source-on-cybersecurity-g4i</link>
      <guid>https://forem.com/deepakprab/the-impact-of-open-source-on-cybersecurity-g4i</guid>
      <description>&lt;p&gt;Hey community, I’m trying to research the use of open-source components in the security space and figured this would be the best place to start.&lt;/p&gt;

&lt;p&gt;Had a few questions that I wanted to ask&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;What is your process for approving an open-source solution?&lt;/li&gt;
&lt;li&gt;Does your company secure its SDLC (software development life cycle)?&lt;/li&gt;
&lt;li&gt;What tools do you use to keep your SDLC secure?&lt;/li&gt;
&lt;li&gt;In your opinion, what are the biggest pros and cons of using open-source tools in cybersecurity?&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Appreciate your time.&lt;/p&gt;

</description>
      <category>discuss</category>
      <category>cybersecurity</category>
      <category>security</category>
      <category>opensource</category>
    </item>
    <item>
      <title>How low-code solutions are changing how we build products and workflows</title>
      <dc:creator>Deepak Prabhakara</dc:creator>
      <pubDate>Tue, 25 Oct 2022 00:00:00 +0000</pubDate>
      <link>https://forem.com/boxyhq/how-low-code-solutions-are-changing-how-we-build-products-and-workflows-2dk0</link>
      <guid>https://forem.com/boxyhq/how-low-code-solutions-are-changing-how-we-build-products-and-workflows-2dk0</guid>
      <description>&lt;p&gt;We have all heard the terms low-code or no-code being thrown around as buzzwords over the last few years but what does this mean and how is it changing the way businesses and individuals solve problems? I am going to use our product SAML Jackson to explain how low-code solutions are changing the way we build products.&lt;/p&gt;

&lt;p&gt;Low-code solutions are essentially products that provide you with building blocks, so instead of building a solution from scratch you can simply combine the relevant building blocks to make a relevant solution for your business. Let’s take BoxyHQ and our SAML Jackson product as an example. Without the low-code product (SAML Jackson), the alternative for businesses would be to build a custom SAML integration, which takes months and a ton of resources. This sounds ridiculous though, right? With the number of businesses that are deploying SAML for their customers, there must be some reusable parts that can be shared to reduce the time it takes each business. This is where low-code products like SAML Jackson come in. By building the SAML integrations as a reusable component, businesses only need to create one simple connection to SAML Jackson to deploy SAML.&lt;/p&gt;

&lt;p&gt;Still with me? If not, don't worry. Essentially what low-code is taking advantage of is building in a way that can be shared so the amount of custom building is limited (or low) for common use cases.&lt;/p&gt;

&lt;h2&gt;
  
  
  So what is the difference between low-code and no-code?
&lt;/h2&gt;

&lt;p&gt;Well, while a lot of people would still group them together, the obvious difference is that low-code still needs some code to integrate the building blocks, whereas no-code doesn't. If we look at a product like Zapier, for example, it requires no code at all, and a non-technical person can use visual blocks to connect different data sources and outputs to build workflows. An example of this is that, as a non-technical person, I can take data from forms such as Hubspot forms that are submitted on our website and create notifications for the team on Slack. Doing all of this without code and just using Zapier is what makes this a no-code solution.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why is low-code so important?
&lt;/h2&gt;

&lt;p&gt;Lastly, let's take a quick look at the main benefits of having solid DevSecOps in place&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Speed speed speed&lt;/strong&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Cost&lt;/strong&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zBXfo8u1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/lowcode-graph-e2965961a7d07cabf4bccc712e8accdd.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zBXfo8u1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/lowcode-graph-e2965961a7d07cabf4bccc712e8accdd.png" alt="DevSecOps" width="640" height="427"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Are there any negatives to using low-code and no-code platforms?
&lt;/h2&gt;

&lt;p&gt;The only main negative of these solutions I have identified is that because of the ease and speed of the platforms it can create a lack of transparency and some shadow IT as lots of people in the organization can be building solutions and data can be moving around without accountability. However, with the right IT processes and policies in place, this can be easily fixed.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why are we so excited about low-code and no-code?
&lt;/h2&gt;

&lt;p&gt;We are very excited about low-code solutions because it drives innovation! We at BoxyHQ are building low-code solutions for enterprises to implement the important but standard features they need to be competitive and compliant with ease so they can focus on what they do best which is innovate. We have some great clients already and can’t wait to see what they do next without the hassle of building standard features such as SSO and Directory Sync.&lt;/p&gt;

</description>
      <category>lowcode</category>
      <category>nocode</category>
      <category>speedofdevelopment</category>
    </item>
    <item>
      <title>Developer-first Security sucks! Why it is essential to automate product security?</title>
      <dc:creator>Deepak Prabhakara</dc:creator>
      <pubDate>Tue, 26 Jul 2022 00:00:00 +0000</pubDate>
      <link>https://forem.com/boxyhq/developer-first-security-sucks-why-it-is-essential-to-automate-product-security-20p4</link>
      <guid>https://forem.com/boxyhq/developer-first-security-sucks-why-it-is-essential-to-automate-product-security-20p4</guid>
      <description>&lt;p&gt;Let’s start with some facts to understand why it sucks!&lt;/p&gt;

&lt;p&gt;On one hand:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Cybercrime went up 600% due to the COVID-19 Pandemic&lt;/li&gt;
&lt;li&gt;Data breaches and cyber attacks in 2021 accounted for 5.1 billion breached records, 11% more than in 2020&lt;/li&gt;
&lt;li&gt;79% of companies have experienced at least one cloud data breach in the past 18 months&lt;/li&gt;
&lt;li&gt;Software supply chain attacks jumped over 300% in 2021&lt;/li&gt;
&lt;li&gt;It is estimated that worldwide, cyber crimes will cost $10.5 trillion annually by 2025.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;(Data from Purplesec, IT Governance, VentureBeat)&lt;/p&gt;

&lt;p&gt;On the other hand:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;70% of development teams always or frequently skip security steps due to time pressures when completing projects&lt;/li&gt;
&lt;li&gt;Almost 60% of devs are releasing code 2x faster, thanks to DevOps.&lt;/li&gt;
&lt;li&gt;In 2021, only 20% of organizations had fully integrated security into development&lt;/li&gt;
&lt;li&gt;Security has low priority. 67% of developers surveyed by Secure Code Warrior admitted that they routinely left known vulnerabilities and exploits in their code&lt;/li&gt;
&lt;li&gt;Github expects the number of software developers using its platform (56 million in 2020), to grow to 100 million developers in 2025&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;(Invicti Security, Gitlab, Github, VentureBeat)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Security vs Developers&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Security teams focus on planning secure IT environments, but developers are asked to focus on productivity while they are also tasked with implementing these security plans. The main issue is that developers are often left out of security planning processes, creating a strained relationship between these two teams.&lt;/p&gt;

&lt;p&gt;It is important to build a healthy relationship where trust, communication, and collaboration are key to moving toward the organization’s north star. But traditional security teams sometimes see themselves as inspectors of the developer's work. And that attitude needs to change - “when you’re a hammer, everything is a nail”.&lt;/p&gt;

&lt;p&gt;Did you know that in “Gartner's Top Strategic Technology Trends for 2022: Cybersecurity Mesh”, the word "developer" does not appear even once? We were shocked by this; developers need to have a leading role in cybersecurity!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;It’s “Shift Left Security” time!&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;By shift left security we mean moving security earlier in the development process. Teams should provide developers with the right tools to do their job securely; this is why it is essential to automate product security.&lt;/p&gt;

&lt;p&gt;But most of the new security solutions are focused on selling to the CISOs and their security teams, maybe because they are the ones with the budget for “security”; but what about developers? Most of their new solutions are oriented toward productivity, which makes sense since we live in an agile world, but what if there were new developer-first security solutions? Well, it is about time; a recent survey from Forrester shows that last year 27% of organizations had their development teams holding the budget for application security tools and that number has increased to 37% this year.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Developer-first security Tools&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;While some security tools for developers have started to appear, it is still early days. The ecosystem needs solutions that automate security for developers and, most importantly, that are reliable. Our hypothesis is that the most important products will come from the open-source community; they have a genuine interest in supporting and empowering developers.&lt;/p&gt;

&lt;p&gt;We are consolidating a list of reliable open source developer-first security tools. If you know of a project we should consider, or if you would like to have access to this list, please send me an email: &lt;a href="//mailto:sama@boxyhq.com"&gt;sama@boxyhq.com&lt;/a&gt; and/or help us spread the word! 🙌&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--0otHTgjy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/security-sucks-meme-dd5a67992f240bd0be67c6d4eb4b8284.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--0otHTgjy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/security-sucks-meme-dd5a67992f240bd0be67c6d4eb4b8284.jpeg" alt="Security risks everywhere" width="500" height="716"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>developer</category>
      <category>security</category>
      <category>cybersecurity</category>
      <category>devsecops</category>
    </item>
    <item>
      <title>Be enterprise-ready: Three reasons not to build enterprise features!</title>
      <dc:creator>Deepak Prabhakara</dc:creator>
      <pubDate>Tue, 19 Jul 2022 00:00:00 +0000</pubDate>
      <link>https://forem.com/boxyhq/be-enterprise-ready-three-reasons-not-to-build-enterprise-features-1jol</link>
      <guid>https://forem.com/boxyhq/be-enterprise-ready-three-reasons-not-to-build-enterprise-features-1jol</guid>
      <description>&lt;p&gt;If you are thinking about building features to be enterprise-ready, there are typically two paths that brought you here:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Your team has initially focused on smaller customers and is now looking to expand, or&lt;/li&gt;
&lt;li&gt;Your team is building a new product and targeting enterprise customers from day 1&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Either way, you need to be aware that selling to enterprises is super exciting, especially if you like to play golf and you are ok with a long sales cycle - it could easily take you up to three years to close a deal.&lt;/p&gt;

&lt;p&gt;Enterprises can be scared to give startups a chance and startups often lose out to more established businesses. However, there are two great ways to make sure your business doesn't miss out:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;List of other enterprise customers (“show me more logos, we are not a guinea pig”)&lt;/li&gt;
&lt;li&gt;Compliance requirements (“a checklist to show my boss you are safe”)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--t1YJRo4L--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/security-risks-meme-2abc58d400ed487dc58bc9de5106af7a.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--t1YJRo4L--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/security-risks-meme-2abc58d400ed487dc58bc9de5106af7a.jpeg" alt="Security risks everywhere" width="403" height="247"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;But what is enterprise readiness? From a product perspective, &lt;a href="https://www.enterpriseready.io"&gt;EnterpriseReady.io&lt;/a&gt; identified common features that set enterprise software apart. You can do a free self-assessment &lt;a href="https://www.enterprisegrade.io/"&gt;here&lt;/a&gt;. The basics mean that your business meets the standards that enterprises look for in solution providers.&lt;/p&gt;

&lt;p&gt;Now, the good news is that to be enterprise-ready you don’t need to build these common undifferentiated features which can drain your resources and bank account. Here is why:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Customer Obsession – You need to forget about product development and narrow your attention to customer development. You need to talk to potential enterprise customers and understand their current needs, pains, motivations, processes, etc. Remember that they’ve got plenty of software they already depend on that will need to work smoothly with yours. On top of learning how to navigate the enterprise, you need to identify Infosec barriers and consider how to mitigate them; if your solution needs to process internal data, things will be more complex.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Time to market – Instead of spending months building in-house enterprise-grade features, there are off-the-shelf enterprise readiness solutions that you can integrate into your SaaS app with just a few lines of code. There is no longer any need to wait months to build Single Sign-On (SSO), Directory Sync, Audit Logs, Privacy Vault, and other boring stuff that enterprises ask for; now you can plug them in within hours. And your team can spend more time building your core product instead of non-core features that won’t add value to your customers’ main needs.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Cut engineering costs – Out-of-the-box solutions will help your company save developers time. If you consider the learning curve, coding, fixing bugs, and all the hassle that your tech team needs to go through, you will realize that people’s time is more expensive than developer tools. And the good news is that there are reliable open source solutions that you could use at no cost. Free and trustworthy? That’s the beauty of open source communities. Self-hosting these solutions will allow your company to maintain a level of control that will simplify things if you need to be certified (SOC2, ISO 27001, HIPAA, etc).&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Here are 3 open-source solutions that could be interesting for you - BoxyHQ ( &lt;strong&gt;disclaimer, I'm a Co-Founder here&lt;/strong&gt; ), &lt;a href="https://supertokens.com"&gt;Supertokens&lt;/a&gt;, and &lt;a href="https://osohq.com"&gt;Oso&lt;/a&gt;. There are plenty of other solutions that are relevant, we are building a list and would love to learn about other projects you use, please share them with me.&lt;/p&gt;

&lt;p&gt;Let’s be sincere, will your engineers focus on building the best SAML SSO feature or will they just focus on checking the box? Compliance security could be expensive in the long term when working with large enterprises. Especially if things go wrong because being compliant doesn’t mean your SaaS app is unhackable.&lt;/p&gt;

&lt;p&gt;Remember that not all enterprises are the same. But working with a few design partners will help your team to define an efficient product roadmap, build a robust go-to-market strategy, and you will close more enterprise deals.&lt;/p&gt;

&lt;p&gt;Deals, deals, deals!&lt;/p&gt;

&lt;p&gt;If you know anyone who needs to build enterprise features, we would love to hear from them and see how we could help. Please feel free to share my email: &lt;a href="//mailto:sama@boxyhq.com"&gt;sama@boxyhq.com&lt;/a&gt; - Thank you!&lt;/p&gt;

</description>
      <category>enterprisereadiness</category>
      <category>startup</category>
      <category>enterprises</category>
      <category>corporates</category>
    </item>
    <item>
      <title>Understanding SAML SSO, the basics from the solution provider's side</title>
      <dc:creator>Deepak Prabhakara</dc:creator>
      <pubDate>Thu, 30 Jun 2022 00:00:00 +0000</pubDate>
      <link>https://forem.com/boxyhq/understanding-saml-sso-the-basics-from-the-solution-providers-side-ad1</link>
      <guid>https://forem.com/boxyhq/understanding-saml-sso-the-basics-from-the-solution-providers-side-ad1</guid>
      <description>&lt;p&gt;This article follows my first article in which I explain the basics of SAML from the users' side. If you haven't read that one already I would recommend reading that one first &lt;a href="https://dev.to/blog/understanding-saml-sso-the-basics-from-the-user-side"&gt;here&lt;/a&gt;. In this article, we are going to take a look at what SAML authentication and setup look like from the solution providers' perspective.&lt;/p&gt;

&lt;p&gt;If you are a B2B solutions provider and you plan to have enterprise customers, they will likely ask that your product supports SAML SSO. This is because the customer will already be using an IDP to manage user access and security to their services. Anything outside this will be a risk and will not fit into their users' workflows.&lt;/p&gt;

&lt;p&gt;Most larger solution providers have already invested a lot of time and money into building SAML integrations with IDP providers but this leaves smaller competitors with less time and resources at a disadvantage as they often haven't been able to prioritize enterprise security features over the core product build.&lt;/p&gt;

&lt;p&gt;The main reason why smaller companies don’t implement SAML as part of the standard build is that it traditionally takes a long time as they have to build a custom integration with each IDP provider their customers use. Well, this is now an old issue because we have created BoxyHQ which allows you to connect to our free product with one single integration that then connects to all the IDPs for you! Let's take a look at what the integrations with and without BoxyHQ look like first.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--oexwyfA9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/without-boxyhq-743ff67cd6e4a2234e4cd650af2fb380.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--oexwyfA9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/without-boxyhq-743ff67cd6e4a2234e4cd650af2fb380.png" alt="Without BoxyHQ" width="880" height="555"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In the diagram above we can see what it looks like when you build a custom SAML integration with each IDP. As you can see for each IDP you have to connect all the instances of your product and build a unique integration. This can take months and take the focus away from your team building your core product. We believe that enterprise readiness should be accessible and easy for businesses of all sizes so we built BoxyHQ. Let's see what that looks like.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--cel1y9FP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/with-boxyhq-1d1b6c59e97f1ff96b82319d48d016c7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--cel1y9FP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/with-boxyhq-1d1b6c59e97f1ff96b82319d48d016c7.png" alt="With BoxyHQ" width="880" height="555"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As you can see from the image above with BoxyHQ you only have to connect your product with a straightforward integration to BoxyHQ and then we manage and connect you to all the IDPs! It is that simple and you can deploy SAML SSO for your clients in as little as 8 days. We are also open source and free so you don't need to worry about big maintenance bills, we will even offer you custom support during the integration.&lt;/p&gt;

&lt;p&gt;If you are interested in becoming enterprise-ready without the hassle then let's chat! You can &lt;a href="https://meetings.hubspot.com/deepakprab/demo"&gt;book&lt;/a&gt; a free consultation call and chat with our CEO about how we can help. Let's start the journey together.&lt;/p&gt;

</description>
      <category>enterprisereadiness</category>
      <category>saml</category>
      <category>samljackson</category>
      <category>sso</category>
    </item>
    <item>
      <title>Understanding SAML SSO, the basics from the user side</title>
      <dc:creator>Deepak Prabhakara</dc:creator>
      <pubDate>Thu, 30 Jun 2022 00:00:00 +0000</pubDate>
      <link>https://forem.com/boxyhq/understanding-saml-sso-the-basics-from-the-user-side-1b8e</link>
      <guid>https://forem.com/boxyhq/understanding-saml-sso-the-basics-from-the-user-side-1b8e</guid>
      <description>&lt;p&gt;I have always worked in tech, so have always needed to understand the technical nature of the products we are building. This process has always been over-complicated for me so I now always try to write a guide for non-technical people like me. It turns out that once you understand it you can explain it to other non-technical people much easier! So here we go as I try to explain SAML (Security Assertion Markup Language) SSO (single sign-on) and why BoxyHQ makes it so easy to implement. Firstly you have probably heard of not only SAML but OAuth 2.0 and OIDC, these are all protocols that achieve the same result of providing SSO. There are a few nuances but those are out of scope for this article to keep things simple.&lt;/p&gt;

&lt;p&gt;Let's start with what SAML SSO is and what it does. An example of SAML SSO in action would be a user in your company signing in to a single dashboard and, inside that dashboard, having all the icons for the external services they use, such as their CRM (Hubspot) and accounting software (Xero). The user can now just log in to any of their services by clicking on them rather than logging into each one individually.&lt;/p&gt;

&lt;p&gt;But how does this work? Well, the idea behind SAML SSO is that by centralizing your access to an external system you can better manage access and permission as well as improve security. So in our example, the dashboard that allowed the user to just click an icon and log in was SAML in action. Because the company has connected to its external services using SAML, it can now let its users access all the services from a single point. This single point of access is known as the IdP (Identity Provider), which authenticates the access to all the other services via SAML.&lt;/p&gt;

&lt;p&gt;The diagrams below show how this access flow would work with and without SAML: &lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--xEVdqaa8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/without-saml-a11eafbd35ee0a5e117a8aa9aabf87bd.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--xEVdqaa8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/without-saml-a11eafbd35ee0a5e117a8aa9aabf87bd.png" alt="Without SAML SSO" width="880" height="461"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In the diagram above we can see that the company is not using SAML, so the user has to log into each of the services with an individual username and password. The username and password are managed by the service provider, and access is also managed via an admin user on the service provider's side. The user must be given access to each of the services from each of the services and remember the login details for each one.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--4pezuCjg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/with-saml-f1491fc9f5e7f7c7946d252e0080fde6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--4pezuCjg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/with-saml-f1491fc9f5e7f7c7946d252e0080fde6.png" alt="With SAML SSO" width="880" height="461"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In the image above we can see that the company is using an IdP such as Okta so the user simply has to log in once and then can access all the external services from a single dashboard. This also means that the company admins can manage access to the different services as they control the access directly from their IdP.&lt;/p&gt;

&lt;p&gt;Now, remember that this is just a high-level overview of SAML and the technical aspects behind the scenes can get a lot more complicated.&lt;/p&gt;

&lt;p&gt;We have been looking at SAML from a company user's perspective but it's also important to remember that these service providers also have to build a SAML integration to enable them to connect to their clients’ IdPs. This can be a very long and time-consuming process for service providers and this is where BoxyHQ comes in. Instead of service providers building a custom integration for each IdP their customers use which can take months, the service providers can use BoxyHQ and have all the connections to IdPs they need with a single integration! You can be SAML-ready in as little as 8 days! To understand how this looks check out my other blog &lt;a href="https://dev.to/blog/understanding-saml-sso-the-basics-from-the-solution-providers-side"&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;So what are the main benefits of SAML? Here are three of the most important ones I have identified.&lt;/p&gt;

&lt;h4&gt;Increased Security&lt;/h4&gt;

&lt;p&gt;SAML is at its heart a security standard and as it provides a single point of authentication that takes place in a secure environment it adds an extra layer of security to your service that most enterprise customers will ask for.&lt;/p&gt;

&lt;h4&gt;Improved user experience&lt;/h4&gt;

&lt;p&gt;For a user, SAML is very simple and pleasant to use, as you only have to log in once and then you can access all your external services on a dashboard with a single click. This saves the user time and makes their overall experience of your product better.&lt;/p&gt;

&lt;h4&gt;Reduces cost&lt;/h4&gt;

&lt;p&gt;Without SAML you have to maintain account information across multiple services but when you use SAML this is all managed by the IdP.&lt;/p&gt;

&lt;p&gt;BoxyHQ is open source and our SAML SSO product, SAML Jackson is just the first product we have built to help companies become enterprise-ready. If you are interested in discussing your authentication strategy or deploying SAML SSO you can book a call with our CEO &lt;a href="https://meetings.hubspot.com/deepakprab/demo"&gt;here&lt;/a&gt; to discuss how we can support you.&lt;/p&gt;

&lt;p&gt;I hope you have found this high-level explanation of SAML and its use cases helpful. If you have any questions please don't hesitate to reach out to us on our live chat on our website &lt;a href="https://boxyhq.com/"&gt;https://boxyhq.com/&lt;/a&gt;&lt;/p&gt;

</description>
      <category>enterprisereadiness</category>
      <category>saml</category>
      <category>samljackson</category>
      <category>sso</category>
    </item>
    <item>
      <title>How early-stage startups should sell to enterprises</title>
      <dc:creator>Deepak Prabhakara</dc:creator>
      <pubDate>Mon, 21 Feb 2022 00:00:00 +0000</pubDate>
      <link>https://forem.com/boxyhq/how-early-stage-startups-should-sell-to-enterprises-1djp</link>
      <guid>https://forem.com/boxyhq/how-early-stage-startups-should-sell-to-enterprises-1djp</guid>
      <description>&lt;p&gt;You have decided to quit your job and start something on your own, congratulations! Welcome to a new way of living, as our little green friend told us some years ago “do or do not, there is no try”. Resilience and perseverance will be your two new best friends now; we all know that starting a company is not hard at all, but something hard at the beginning of the journey is finding product-market fit, especially if you are selling to enterprises (if you are an open-source founder, make sure you prioritize project-community fit first).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--y9yviKUe--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/mulyadi-dDlvuSKUDZM-unsplash-2af769019719b26ec3771bf852d52bec.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--y9yviKUe--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://boxyhq.com/assets/images/mulyadi-dDlvuSKUDZM-unsplash-2af769019719b26ec3771bf852d52bec.jpg" alt="Star Wars Lego" width="640" height="427"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Photo by &lt;a href="https://unsplash.com/@mullyadii?utm_source=unsplash&amp;amp;utm_medium=referral&amp;amp;utm_content=creditCopyText"&gt;Mulyadi&lt;/a&gt; on &lt;a href="https://unsplash.com/?utm_source=unsplash&amp;amp;utm_medium=referral&amp;amp;utm_content=creditCopyText"&gt;Unsplash&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Having worked for companies like Amazon Web Services &amp;amp; O2-Telefónica connecting enterprises with startups around the world, there are some best practices that I would like to share. We just have to remember that enterprises are made up of groups of people, and every person is different. So please, don’t expect the secret sauce or the “right way” to do it. Even though each case will be unique, always look for the patterns of what works best for your company. I like to use the process DIA (Discover – Imagine – Act) to overcome challenges, so let me take you through it.&lt;/p&gt;

&lt;h2&gt;Discover&lt;/h2&gt;

&lt;p&gt;First, you have to understand the problem that you are solving. Is it really a problem or are you just in love with a good idea? Asking many times “why” will help you understand the hidden problem (the real one), and it will allow you to understand the needs that the enterprise has. Once you understand the needs of the enterprise, it is time to focus on understanding the needs of your user and your buyer, most of the time these are two different stakeholders within the organization. Is the need of the user a priority for the buyer, or is it just a distraction? You will see that in some organizations they are aligned and in others, they cannot even stand each other; so you must take the time to understand the dynamics between these stakeholders, and the culture of the enterprise itself (how they make decisions).&lt;/p&gt;

&lt;p&gt;Sales cycles are indeed long if you look at them from a startup’s point of view. Remember that this is the standard speed for enterprises. Startups speak AGILE and Enterprises speak SECURITY, and for many people, these two terms can’t go together (don’t worry, we are proving them wrong @BoxyHQ). Enterprises have got plenty of software they already depend on that needs to work with whatever your product can do for them. Their technology is usually old, I have seen many enterprises with Frankensteins, they think they need to create a third leg to run faster and they end up building unnecessary technologies that affect the quality and the speed of their solutions. You need to focus on the cost of the enterprise (time and resources) to integrate your solution, and to do that you have to make sure that the impact is big enough to be worth it.&lt;/p&gt;

&lt;p&gt;To make sure the impact you are generating is relevant to the enterprises focus on a few potential customers, as Jason Lemkin mentions “Almost all big companies now have innovation departments of some sort, as do many divisions and groups. The general idea is to bring in 1–2 new vendors a year that don’t risk taking the core business down but could have a material impact on the bottom line. If you truly can change the way they do business, you can often get a meeting. I’ve done this in both my start-ups in the earliest days with 10+ F500 companies in the first 90 days.”&lt;/p&gt;

&lt;p&gt;This Discovery stage is also perfect to understand what your solution needs to have to be compliant; security is key for them. Startups that are not compliant with the enterprises’ requirements could delay the sales cycle, or what is worse they could lose the deal.&lt;/p&gt;

&lt;h2&gt;Imagine&lt;/h2&gt;

&lt;p&gt;With all the information that you now have, it is time to visualize the future. Does your solution need some changes? Do you need new features to be compliant? Or could it be that maybe the enterprise doesn’t need all the features that you had in mind? Take some time to readjust your product as necessary, including how you are going to package it and how you are going to distribute it. Apply all the insights collected in the Discovery stage to test, measure, and iterate.&lt;/p&gt;

&lt;p&gt;A common error that I have seen from startups is not focusing on selecting the right partners, and just moving forward with inbound opportunities. Some of them could be good, but overall it is a distraction to say yes to anyone that wants to resell your solution; you need to plan ahead.&lt;/p&gt;

&lt;p&gt;Talking about planning, once you know who your internal sponsor is you need to facilitate the job for them. That is the person that will take your fights internally, so make sure you are giving them the right tools. If they see two concerns about integrating your solution, you should think of additional concerns and imagine how to mitigate each of them. You need to train your sponsor for unexpected scenarios that the decision committee will bring. Usually, enterprises ask for a “request for proposal” (RFP), the more you know about it, the better you will be prepared.&lt;/p&gt;

&lt;p&gt;As an imagination exercise, I love Amazon’s Working Backwards process and the PRFAQ - you can learn more about it &lt;a href="https://www.linkedin.com/pulse/applying-amazons-working-backwards-process-leaders-ian-mcallister/"&gt;here&lt;/a&gt;. It is helpful to visualize the impact you aim to have and work backwards from your customer needs to create a solution. It is similar to the Design Thinking process, but the PRFAQ adds the manifestation piece.&lt;/p&gt;

&lt;h2&gt;Act&lt;/h2&gt;

&lt;p&gt;Now is the time to act! But be careful, another mistake that many startups make is not executing at the right time: they spend too much time thinking (doing research) or they reach out to enterprises before making sure they are ready, burning their bridges. Timing is going to be key for you.&lt;/p&gt;

&lt;p&gt;They need to trust you and your solution. Every contact point is an opportunity for them to trust you, so make sure to go to these meetings well prepared, asking the right questions but also bringing some insights on the market, their competitors, technologies, etc. You should be an expert in your niche but at the same time, you should be smart enough to listen. The more you know about them, the better you can adapt your solution and at the same time influence them.&lt;/p&gt;

&lt;p&gt;Make sure you have the right metrics for your success cases, it doesn’t matter if you were selling to SMEs before or if you already had a few Proof of Concepts (POCs) with enterprises. Large companies don’t want to feel they are a guinea pig, if you did a POC and you didn’t move forward afterward most executives will not see it as unsuccessful, period.&lt;/p&gt;

&lt;p&gt;Be patient: agile enterprises could spend between 6 and 12 months in conversations before signing an agreement, but many could take years (I’ve seen one company spending 3+ years). While you are waiting, make sure you are at the top of their mind, always adding value, not asking for unnecessary coffees. Key people will resign, will get fired, will change roles, so make sure you find a way to navigate these transitions; you don’t want to start from scratch.&lt;/p&gt;

&lt;p&gt;Each enterprise is a different world, and there are more things you will find out while spending time with them, but I hope you find this blog post insightful. If you have any comments or questions you would like to discuss, please feel free to reach out. We have free Enterprise-Ready office hours to help startups be compliant and accelerate their sales cycle with enterprises.&lt;/p&gt;

</description>
      <category>startup</category>
      <category>enterprises</category>
      <category>corporates</category>
    </item>
  </channel>
</rss>
