Having had to rip out Auth0 and similar products and replace them with in-house OAuth/SSO solutions that actually work and can be fully customized at several B2B SaaS companies, I find this claim very dubious.
Also, many enterprise clients will want SOC-2, in which case you can't really duct-tape things together. Everything has to be designed from the ground up with enterprise and security in mind.
I might have voted it up but those stupid memes drag this article down to a low level.
It is a bad trend. Memes are one thing... Animated ones are a way of saying "Look at me, not the content".
EDIT for extra observation: I blocked them in uBlock, which was nice. However, Reader mode in Firefox has them! And you can't block elements in reader mode. Perhaps "disable animated GIFs" needs to be a checkbox for that feature in Firefox.
We wrote about some of the broader flexibility features on our blog as well – https://staysaasy.com/product/2022/02/19/enterprise-selling-...
From our side, we have started with these features since we have seen they are a common pain for early-stage startups, but in terms of our vision, we are focusing on developer-first security tools. And we believe that there are many opportunities to help close the gap between compliance and security.
The developer-first security angle is interesting – not sure if you include this in your categorization of security, but what I most frequently see SaaS companies / developers struggling with is data governance. For example, ensuring that they can comply with GDPR or CCPA deletion requests, store data in local geos, etc. A lot of this gets built by SaaS companies in-house.
The flexibility piece is different but comes up in sales more IME. Essentially every CRUD action in an enterprise SaaS app ought to be logged and accessible by API (which creates the same root problem of requiring a lot of developer time). But it manifests very differently in sales cycles from complying w/ GDPR:
* Regulatory compliance is often more of a box checking exercise for buyers (like SOC2)
* Having flexibility to log and manipulate everything via API is often a line-by-line evaluation of "can you meet X use case that we have for data integration" or "can you handle Y risk that we're worried about"
Good luck building Boxy!
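Taking the point above that every CRUD action in an enterprise SaaS app ought to be logged and accessible by API, here is an added example of what that looks like in code. It is my own illustration, not code from the post or from any product mentioned in the thread; the `AuditLog`/`Store` names and the invoice/customer records are constructed for the demo. It goes one step beyond the comment by hash-chaining the entries, so that a tampered or deleted audit record is detectable, which is the property an auditor or a customer's security team will usually ask about next.

```python
"""Constructed example: an append-only, hash-chained audit trail for CRUD
actions, plus the query side that an audit-log API would expose."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Any, Optional


@dataclass(frozen=True)
class AuditEvent:
    seq: int
    timestamp: str
    actor: str            # who performed the action
    action: str           # "create", "update" or "delete"
    resource: str         # e.g. "invoice/42"
    before: Optional[dict]  # state prior to the change (None for create)
    after: Optional[dict]   # state after the change (None for delete)
    prev_hash: str        # hash of the previous event; links the chain
    hash: str             # sha256 over every other field


def _digest(body: dict[str, Any]) -> str:
    # Canonical JSON so the digest is independent of key order.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only record of every state change. Nothing is ever updated in place."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._events: list[AuditEvent] = []

    def record(self, actor: str, action: str, resource: str,
               before: Optional[dict], after: Optional[dict]) -> AuditEvent:
        prev_hash = self._events[-1].hash if self._events else self.GENESIS
        body = {
            "seq": len(self._events),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "resource": resource,
            "before": before, "after": after, "prev_hash": prev_hash,
        }
        event = AuditEvent(**body, hash=_digest(body))
        self._events.append(event)
        return event

    def verify(self) -> bool:
        """Recompute the chain; False if any event was altered, dropped or reordered."""
        prev = self.GENESIS
        for event in self._events:
            body = asdict(event)
            body.pop("hash")
            if event.prev_hash != prev or _digest(body) != event.hash:
                return False
            prev = event.hash
        return True

    def events(self) -> list[AuditEvent]:
        return list(self._events)

    def query(self, actor: str | None = None, resource: str | None = None,
              action: str | None = None) -> list[dict]:
        """The read side: what a customer's SIEM or integration would pull via API."""
        return [asdict(e) for e in self._events
                if (actor is None or e.actor == actor)
                and (resource is None or e.resource == resource)
                and (action is None or e.action == action)]


class Store:
    """Toy resource store in which every mutation passes through the audit log."""

    def __init__(self, log: AuditLog) -> None:
        self._rows: dict[str, dict] = {}
        self.log = log

    def create(self, actor: str, resource: str, data: dict) -> None:
        if resource in self._rows:
            raise KeyError(f"{resource} already exists")
        self._rows[resource] = dict(data)
        self.log.record(actor, "create", resource, None, dict(data))

    def update(self, actor: str, resource: str, changes: dict) -> None:
        before = dict(self._rows[resource])       # snapshot, not a reference
        self._rows[resource].update(changes)
        self.log.record(actor, "update", resource, before, dict(self._rows[resource]))

    def delete(self, actor: str, resource: str) -> None:
        before = self._rows.pop(resource)
        self.log.record(actor, "delete", resource, before, None)


def build_sample_log() -> AuditLog:
    """Drive a few constructed CRUD actions through the store and return the log."""
    log = AuditLog()
    store = Store(log)
    store.create("alice", "invoice/42", {"amount": 100, "status": "draft"})
    store.update("bob", "invoice/42", {"amount": 120})
    store.create("bob", "customer/7", {"name": "Acme"})
    store.update("alice", "invoice/42", {"status": "paid"})
    store.delete("alice", "invoice/42")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    for entry in sample.query(resource="invoice/42"):
        print(entry["seq"], entry["actor"], entry["action"], entry["before"], "->", entry["after"])
    print("chain intact:", sample.verify())
```

The before/after snapshots are what make the log useful for the "can you handle risk Y" questions: an integration can reconstruct the state of a record at any point, and `verify()` gives the customer a cheap way to confirm the export they pulled is the log you actually wrote. In a real service the log would live in separate, write-once storage rather than in the same process as the store.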
Small organisations are more willing to change processes to match your application than large companies, particularly if your process hasn’t been battle tested in other large organisations.
We are initially focused on common undifferentiated enterprise features, but this is just the first step; we have broader plans for developer-first security tools.
It used to be Shared Controls Audits, now it's SOC2 Type 2, tomorrow it will be HiTrust or combinations of SOC2 and ISO controls.
This has been getting more arduous every year for the last 10 years; I don't see it reversing anytime soon.
As a startup, you will be out of business by the time you meet their requirements, or could have landed other deals.
------------------------------------
This is somewhat tangential, but a really good "emotional transfer moment":
This is exactly how some people feel about government regulation - this emotion, right here - that it's arduous, stifles innovation, hurts startups trying to get off the ground with a shoestring budget, and just gets worse every year.
(Now, of course, the thing that those people need to understand is that some amount of regulation is necessary. But the thing that other people need to understand is that just because some amount of regulation is necessary doesn't mean that you can be loose with it and allow it to metastasize. Law needs to be written with the same care and eye toward the future as code, and then, also like code, needs to be refactored to reduce "tech debt" and keep it sane. This, currently, does not happen, and virtually nobody advocates for it.)
(Ironically, we have way more leverage over what kinds of regulations the government puts in place than over the effective regulations like SOC2/HiTrust that are "enacted" on clients of larger companies. Not sure what to do about that one...)
I think it's similar to running a bank: if you cannot protect the value (money) then you are not really a good bank. The problem is people have been pretending they are not a bank and trying to skirt protecting their customers for the better part of 20 years, especially in SaaS.
It has some parallels to earlier initiatives like PCI DSS for payment cards, which effectively said "If you can't do this list of requirements, then you'll have to delegate the sensitive stuff to someone who can", ensuring that every mom & pop pizza shop doesn't have a full list of their customers' credit card numbers unencrypted on a publicly exposed database. It doesn't prevent all breaches, of course, but it did make them fewer.
The reason being: What happens if you get struck by a bus? Your business dies overnight (or until the hosting bill doesn't get paid) and now your customers are screwed.
Many of the controls are about what happens when staff depart, both planned and unplanned. What is the power structure in the org? How do you prevent employees from damaging your business operations?
Resilience is important to any enterprise, and many audits now evaluate how hardened your business is.
Maybe a morbid startup idea of "I'll ensure business continuity if you die so you can pass SOC2" lol
There are a few tools out there like Elsa and Microsoft Rules Engine that stay in the backend, but are still fairly rudimentary in nature. So far as I know there's no "plotly" or similar A-tier framework that solves this problem for workflow. Most groups that have done it instantly monetize it with their own front end (Asana, Monday.com, etc.), which makes it difficult to justify the effort to integrate if you are going for a lighter-weight application. Hope that helps clarify!
https://www.enterpriseready.io/
It's not a product, just a list of things to consider. (Not affiliated; saw it recently and thought it was cool.)