Conversation
Highlights

When Security Meets Modern Software Development: Smallstep’s Journey to Democratizing Complex Technology

Security infrastructure has always been complex, but what happens when you try to modernize it without breaking everything else? This question lies at the heart of Smallstep‘s journey, as revealed in a recent episode of Category Visionaries, where founder Mike Malone shared insights about building a security company that bridges traditional certificate management with modern software development practices.

The origin story of Smallstep stems from a fundamental tension in today’s software landscape. As Mike explains, the challenge emerged from his firsthand experience: “securing distributed systems in the context of modern software development… with Kanban and sort of that pace and scale of development, microservices like layering on security and having real strong security guarantees and compliance guarantees without breaking all of that sort of modern technology.”

Rather than just building another security tool, Smallstep took aim at a more nuanced problem: how to maintain robust security in an environment where development moves at breakneck speed. The traditional certificate management landscape wasn’t built for a world where, as Mike describes, “people don’t have just like a dozen internal certificates anymore. They have their kubernetes and their service meshes and their databases and all their VMs and microservices and Kafka and Elkstack and all of this distributed redis and kubernetes at multiple tiers.”

The company’s go-to-market strategy revolves around an open core model, but with a thoughtful twist. Mike’s candid assessment reveals both the opportunities and challenges: “it’s a marketing asset and it’s a feature for some enterprise customers to have an open source, an open core.” However, he notes that “maintaining open source is sort of thankless work” and describes it as “crappy product led because it sort of has some of the same characteristics as SaaS, like freemium, but with none of the bi-directional relationship and data that lets you actually optimize and pull people into a commercialization funnel.”

Their content marketing approach demonstrates an interesting departure from conventional playbooks. Instead of tightly controlled messaging, they’ve given their team “really broad mandate to just write about what they’re passionate about that’s in this space.” The results speak for themselves: “it turns out when you give people that sort of purview, you get really high quality content that’s really interesting and informative and it gets shared and it gets searched and people find us that way.”

What’s particularly notable about Smallstep’s approach is their focus on democratizing complex technology. As Mike puts it, “this certificate asymmetric cryptography, all this security stuff seems like it’s an area that a lot of smart software engineers shy away from and maybe don’t specialize in. It feels very baroque and obscure, and a lot of the tooling hasn’t helped with that.” By making this technology more accessible, they’re “actually making a contribution to the security of the Internet.”

The company has built a sophisticated commercial model that spans from “a free tier all the way up to a million dollars a year” with “over 100 customers taking advantage of various scale offerings on that platform.” This range allows them to serve different market segments while maintaining the integrity of their open source commitment.

Looking ahead, Smallstep is positioning itself for a larger transformation in enterprise security. Their focus extends beyond just managing certificates to “pursuing product vision in that direction” of making “enterprises and large software systems and the Internet as a whole is more secure and safer for everybody.”

The journey of Smallstep illustrates a crucial lesson for modern enterprise software companies: sometimes the most valuable innovation isn’t creating new technology, but rather making existing complex technology more accessible and aligned with modern development practices. As development cycles continue to accelerate and systems become more distributed, this approach to democratizing security infrastructure while maintaining its robustness could prove to be a winning formula.