Case Study

Overcoming Secrets Sprawl: How Whatnot Accelerated Development with Doppler

Founded By: Grant LaFontaine, Logan Head
Industry: Marketplace
Founded: 2019
Location: California, United States

Customer Background

Whatnot, a dynamic live shopping platform, is transforming the e-commerce experience.

With daily live stream auctions, it provides a unique space for a growing community to buy, sell and connect around the unique items they love. Powered by advanced technology and a zest for connecting enthusiasts, Whatnot's prominence in the new wave of e-commerce has surged, becoming the fastest-growing online marketplace in the United States.

However, with the expansion of its user base and services, the infrastructure also ballooned. This led to an escalating number of secrets and configurations essential for interconnecting various components. As Whatnot’s infrastructure continued to grow, managing these credentials became a complex endeavor. This not only decelerated development but also posed potential security threats, especially for local development and CI/CD processes. And so they began their quest for a superior solution.

The Challenge

With the surge in Whatnot’s services and environments, managing an increasing volume of secrets and configurations became paramount.

The team was in search of management and orchestration capabilities as they grappled with:

  • Manual Secrets Management: Keeping secrets synchronized across environments was both a security risk and an impediment to productivity.
  • Inconsistent Local Development Environments: Developers struggled to fetch the most recent secrets, leading to operational hiccups.
  • Secrets Sprawl: The absence of a unified system meant secrets scattered across various systems, increasing both security risks and obscurity.
  • Lackluster Developer Experience: Difficulties in retrieving and managing secrets created friction in the development and deployment processes.
  • Scalability and Maintenance Issues: The increasing number of services and secrets created scaling challenges, making updates error-prone.

The Solution

Enter Doppler. Adopted by the Whatnot engineering team, Doppler emerged as the panacea, serving as a centralized hub for secrets and configuration values.

Features like GitOps for secrets management, Role-Based Access Controls (RBAC), and versioning fortified control over the entire process. Local development saw a major boost with Doppler's CLI, sparing engineers from the intricacies of managing and syncing environment variables. From a security standpoint, the self-serve functionality, log forwarding, and audit features provided enhanced visibility and control.

Key solutions incorporated included:

  • Unified Management: A single dashboard streamlined secret management, removing the need for toggling between AWS accounts.
  • Streamlined Secrets Propagation: An intuitive UI meant developers could easily share secrets across environments, reducing errors.
  • Enhanced Local Development: Doppler's CLI ensured real-time environment variable injection during local development.
  • Seamless Integration: Doppler's integration with AWS Secrets Manager made automation of deployments and Infrastructure as Code (IaC) flawless.
  • Enterprise Governance: Advanced permissions with the use of custom roles and user groups enabled scalable access controls. Audit logs paired with log forwarding create actionable insights for security and compliance teams.

The Results

Doppler’s SecretOps platform delivered transformative benefits for Whatnot in both security and developer productivity:

1. Enhanced Security Posture:

"Doppler has now become our single source of truth for secrets, spanning across 14 systems, enhancing our visibility, versioning, and access controls."
  • Doppler's centralized lifecycle now manages over 3,000 secrets, spread across 8 environments, ensuring a consistent and secure handling of sensitive data.

2. Remarkable Productivity and Efficiency Gains:

"Before Doppler, our engineers were spending roughly 5 hours every week managing secrets. Now, it's down to 5 hours or less per month."
  • Engineers can independently manage secrets without the need for external team support, thus streamlining processes.
  • "Previously, getting the correct values for local development secrets could take anywhere from 10 minutes to over an hour. With Doppler, it's just a minute's job, logging into the Doppler CLI."
  • As a unified control plane across all secret managers, Doppler ensures that any changes to the secret managers don't affect the seamless developer experience.

3. Robust Automation:

"Doppler's third-party integrations have revolutionized our approach. Now, we can orchestrate secret updates across different secrets managers effortlessly, ensuring redundancy and high availability."

These integrations ensure that updates to Whatnot's secrets are instantly pushed to every secret manager in all environments. "Instead of an engineer manually copying a change, which used to take 10-15 minutes per secret, it's now real-time."

Conclusion

With Doppler, Whatnot realized substantial improvements in security, productivity, and automation. The robust features provided by Doppler streamlined processes, reduced vulnerabilities, and allowed developers to focus on more strategic tasks. As Whatnot looks to further refine its infrastructure and security, Doppler stands firm as an invaluable asset in their arsenal. Looking forward, Whatnot's vision aligns with leveraging Doppler for even tighter access control, further amplifying security and compliance standards.