What you need to know about Authentication – Make onboarding users painless

If you’re a small to medium business building out a digital platform, or a startup, you need authentication: a way to register new users and verify existing ones.

Unless your product is “user authentication” this is not something we would recommend you build yourself. Resist the DIY urge, ignore the call of “Not Invented Here”, and actively shut down the hubris of “the spec isn’t that complicated and there are plenty of reference implementations”.

The biggest argument for this is simple – user authentication is basic “product hygiene”. It’s one of the fundamental features every app and website needs to have, and it is one of the features your users will simply expect. And it has nothing to do with your Unique Value Proposition or whatever moat you are trying to build. So you shouldn’t be spending time, money or innovation on user authentication. Spend your precious resources on building value and wire up someone else’s API to do the authentication for you.

There is a secondary argument if you are in industries with strict regulatory requirements, like fintech or health, or you want to sell to enterprise – compliance is hard. Hard means expensive and time consuming. It probably requires audits. Your potential clients would rather see a proven solution in place that lets them tick their own compliance boxes. Make it easy for them and yourself – use the API of the proven solution.

The Pros and Cons of Authentication As A Service

There’s really only one Pro of using an authentication provider – you don’t have to write the code yourself. That takes a lot of effort and responsibility off your plate once you make the decision, and it eliminates all kinds of ongoing management burdens. When your lean startup team is racing to revolutionise the property market you don’t want to lose anyone to diagnosing why password reset emails are being delayed by 2 hours and ending up in spam folders.

Instead you can let your authentication provider’s team of 40-50 developers worry about that for you. They’ve been doing it for years.

And over the years they’ve implemented things like social sign-on for Google, Apple, Facebook, GitHub, etc., two-factor authentication (2FA), password recovery, and all the other features you need to make it as easy as possible for your users to authenticate and use your product.

Now, there are several cons. Some see the biggest con as having to pay for the service. Maybe do some math around what you might be paying your developers to build an authentication system plus what you would be paying for the ongoing management of it (particularly the security side of things), add in how much it would cost you to get it wrong, and use those numbers to guide your decision. 

The next biggest con, or concern, is vendor lock-in. Providers do offer a path for migrating away from their service, but often the lock-in comes in the form of deep integration of the service into your code base. 

There are ways to mitigate this implementation-based lock-in and they are also basic good software practices. Your developers are going to be writing code that calls the provider’s API either directly or via an SDK (Software Development Kit). They can write a more generic interface to “authentication services” which allows you to swap out providers or eventually swap in your own. It’s a little more effort in the beginning, but not much more than a direct implementation for a specific provider, and it enables you to leave your options open.

Also, make sure you own any custom domains that are used as part of the authentication flow. Some users bookmark login pages, and some authentication standards use hostnames as part of their configuration (they need to know for sure where they are sending users and data). You don’t want to lose them if you change providers.

Why have authentication at all – the Magic Link

If your product is B2C and doesn’t need to secure sensitive information or payment details (because you’ve offloaded that to a service like Stripe) you may be wondering if you need authentication at all.

A current pattern that is comparatively minimalist in implementation (beyond having some solid email infrastructure or a trustworthy email provider who’ll keep you out of spam folders) is the Magic Link.

What is the Magic Link pattern?

The Magic Link pattern is where a product doesn’t ask you to register but asks for an email address and sends an email with an access link. 

This offloads authentication to email providers like Google and Microsoft (who are very good at that) and it also helps eliminate account sharing. Anthropic use this pattern to good effect. 

On the backend an account is still created in a database somewhere and the email address is the central identifier. On the browser or app side session tokens are stored and if the user has to do anything important – like pay you, change important settings – you send them another Magic Link.

Technically, it is simple to implement. Much simpler than login flows, social sign-ons, password recovery, 2FA, etc. Many users don’t like this system and the switching between applications it requires. It is not the best UX, especially on mobile. But for your product and your users it might be enough.
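Two pieces of the advice above fit together in one piece of code: the generic “authentication services” interface recommended for avoiding lock-in, and the Magic Link pattern just described. The following is an added example, not code from the original article or from any provider: a small `AuthService` interface that the rest of an app depends on, with a Magic Link implementation behind it that stores only token hashes, expires links, rejects link reuse, and demands a fresh link before sensitive actions. The class and function names, the in-memory stores, the fake clock and the `https://app.example` link are assumptions made for the illustration.

```python
"""Provider-agnostic AuthService with a Magic Link implementation (illustrative example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional, Protocol

LINK_TTL_SECONDS = 15 * 60            # a magic link is only redeemable briefly
SESSION_TTL_SECONDS = 30 * 24 * 3600  # long-lived browser/app session
STEP_UP_WINDOW_SECONDS = 10 * 60      # how fresh a login must be for a sensitive action


@dataclass
class Session:
    email: str
    authenticated_at: float   # when the user last proved control of the mailbox
    expires_at: float


class AuthService(Protocol):
    """The only authentication surface the rest of the app may touch.

    A hosted provider (or, later, your own system) is wired in by writing
    another class with these four methods; app code does not change."""

    def start_login(self, email: str) -> None: ...
    def complete_login(self, link_token: str) -> Optional[str]: ...
    def get_session(self, session_token: str) -> Optional[Session]: ...
    def require_recent_auth(self, session_token: str) -> bool: ...


def _digest(token: str) -> str:
    # Only hashes are stored: a leaked table yields no usable links or sessions.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class MagicLinkAuth:
    """Magic Link implementation of AuthService; in-memory stores stand in for a database."""

    def __init__(self, send_email: Callable[[str, str], None],
                 now: Callable[[], float] = time.time):
        self._send_email = send_email
        self._now = now
        self._pending: dict[str, tuple[str, float]] = {}  # link hash -> (email, expiry)
        self._sessions: dict[str, Session] = {}           # session hash -> Session

    def start_login(self, email: str) -> None:
        email = email.strip().lower()       # the address is the account identifier
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, unguessable
        self._pending[_digest(token)] = (email, self._now() + LINK_TTL_SECONDS)
        # Placeholder URL; in practice this is a domain you own.
        self._send_email(email, f"https://app.example/login?token={token}")

    def complete_login(self, link_token: str) -> Optional[str]:
        record = self._pending.pop(_digest(link_token), None)  # pop: a link is single use
        if record is None:
            return None
        email, expires_at = record
        if self._now() > expires_at:
            return None
        session_token = secrets.token_urlsafe(32)
        now = self._now()
        self._sessions[_digest(session_token)] = Session(email, now, now + SESSION_TTL_SECONDS)
        return session_token

    def get_session(self, session_token: str) -> Optional[Session]:
        key = _digest(session_token)
        session = self._sessions.get(key)
        if session is None:
            return None
        if self._now() > session.expires_at:
            del self._sessions[key]
            return None
        return session

    def require_recent_auth(self, session_token: str) -> bool:
        session = self.get_session(session_token)
        return session is not None and \
            self._now() - session.authenticated_at <= STEP_UP_WINDOW_SECONDS


def change_payment_details(auth: AuthService, session_token: str) -> str:
    """App code depends only on AuthService; a sensitive action demands a fresh link."""
    session = auth.get_session(session_token)
    if session is None:
        return "login_required"
    if not auth.require_recent_auth(session_token):
        auth.start_login(session.email)  # send another Magic Link; the client retries with the new session
        return "reauth_required"
    return "ok"


def link_token(url: str) -> str:
    """Pull the token out of a sent link (used by the demo and tests)."""
    return url.split("token=", 1)[1]


def demo() -> list[str]:
    """Walk the flow with a constructed outbox and a fake clock; returns the outcomes."""
    outbox: list[tuple[str, str]] = []
    clock = [1_700_000_000.0]
    auth = MagicLinkAuth(send_email=lambda to, link: outbox.append((to, link)),
                         now=lambda: clock[0])
    auth.start_login("Alice@Example.com")
    token = link_token(outbox[-1][1])
    session = auth.complete_login(token)
    results = [change_payment_details(auth, session)]      # fresh login: "ok"
    results.append("replay" if auth.complete_login(token) else "replay_rejected")
    clock[0] += STEP_UP_WINDOW_SECONDS + 1
    results.append(change_payment_details(auth, session))  # stale: "reauth_required", new link sent
    return results
```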

Who are the Authentication As A Service providers?

Here is a comparison table of the major AaaS options as of late 2024. Note that it includes Keycloak, which is open source and self-hosted, and SuperTokens, which offers a self-hosted option. We include them to be thorough, and because they are technically not “DIY”, but both come with the burden of management. Still, if you need the control, you need the control.

Try not to need the control if you haven’t launched yet.

Each service is listed below against the same columns: Overview, Pricing Model, Key Features, Integration Complexity, Scalability, Compliance & Certifications, Customization & Control, and Social Logins Supported.

Auth0
  Overview: Comprehensive authentication platform suitable for businesses of all sizes.
  Pricing Model: Free tier available; paid plans based on Monthly Active Users (MAUs) and features.
  Key Features: Supports SSO, MFA, social logins; extensive compliance standards.
  Integration Complexity: Moderate; well-documented but may require setup time.
  Scalability: High; designed for large-scale applications.
  Compliance & Certifications: GDPR, HIPAA, SOC 2, ISO 27001, and more.
  Customization & Control: High; customizable authentication flows and branding.
  Social Logins Supported: Yes (Google, Facebook, Twitter, Microsoft, LinkedIn, GitHub, Apple, and more)

Firebase Auth
  Overview: Authentication service by Google as part of the Firebase platform.
  Pricing Model: Generous free tier; pay-as-you-go pricing for additional usage.
  Key Features: Email/password, phone auth, social logins; tight integration with Firebase services.
  Integration Complexity: Easy; straightforward, especially within the Firebase ecosystem.
  Scalability: High; backed by Google’s infrastructure.
  Compliance & Certifications: Complies with Google’s security standards.
  Customization & Control: Limited; less flexibility in customizing flows.
  Social Logins Supported: Yes (Google, Facebook, Twitter, GitHub, Apple, Microsoft, Yahoo, Play Games, and more)

Clerk
  Overview: Modern authentication with a focus on developer experience and user interface.
  Pricing Model: Free for up to 10,000 MAUs; paid plans for higher usage and features.
  Key Features: Magic links, social logins, MFA; pre-built UI components.
  Integration Complexity: Easy; developer-friendly SDKs for popular frameworks.
  Scalability: Scales with your user base; costs increase with usage.
  Compliance & Certifications: SOC 2 Type 2, CCPA compliant.
  Customization & Control: High; customizable components and APIs.
  Social Logins Supported: Yes (20+ providers including Google, Facebook, Twitter, GitHub, Apple, Microsoft, LinkedIn, Slack, Discord, and more)

Supabase Auth
  Overview: Open-source alternative to Firebase, integrating seamlessly with PostgreSQL databases.
  Pricing Model: Free tier; affordable paid plans for additional resources.
  Key Features: Email/password, magic links, social logins; works with Supabase services.
  Integration Complexity: Easy; especially if using the Supabase stack.
  Scalability: Moderate to high; depends on your infrastructure.
  Compliance & Certifications: Self-managed compliance; open-source transparency.
  Customization & Control: Moderate; customization possible with development effort.
  Social Logins Supported: Yes (Google, Facebook, Twitter, GitHub, GitLab, Bitbucket, Apple, Azure, LinkedIn, Twitch, Discord, Slack, Spotify, Notion, and more)

FusionAuth
  Overview: Customer identity platform offering a free community edition and paid enterprise options.
  Pricing Model: Free community edition; paid plans for enterprise features and support.
  Key Features: OAuth2, OIDC, SAML support; self-hosting for full control.
  Integration Complexity: Moderate; requires setup but provides good documentation.
  Scalability: High; built to handle millions of users.
  Compliance & Certifications: GDPR, CCPA, HIPAA (with enterprise edition).
  Customization & Control: High; extensive customization when self-hosted.
  Social Logins Supported: Yes (Google, Facebook, Twitter, LinkedIn, GitHub, Apple, Amazon, Steam, and others)

AWS Cognito
  Overview: Amazon’s solution for user sign-up, sign-in, and access control.
  Pricing Model: Free tier; pay-as-you-go based on MAUs and features used.
  Key Features: Email/password, social logins, MFA; integrates with AWS services.
  Integration Complexity: Complex; may require AWS expertise.
  Scalability: High; scalable on AWS infrastructure.
  Compliance & Certifications: HIPAA eligible; aligns with AWS compliance programs.
  Customization & Control: Moderate; customization possible but complex.
  Social Logins Supported: Yes (Google, Facebook, Amazon, Apple, and any OpenID Connect or SAML 2.0 identity provider)

SuperTokens
  Overview: Open-source authentication focusing on security and user experience.
  Pricing Model: Core features are free; paid for managed services and enterprise features.
  Key Features: Email/password, social logins, passwordless; self-hosting option.
  Integration Complexity: Moderate; developer-friendly but requires setup.
  Scalability: High; scalable when self-hosted.
  Compliance & Certifications: Self-managed compliance responsibilities.
  Customization & Control: High; full control with open-source code.
  Social Logins Supported: Yes (Google, Facebook, Apple, GitHub; extendable with custom providers)

Keycloak
  Overview: Open-source identity and access management solution for enterprise applications.
  Pricing Model: Free; fully open-source and self-hosted.
  Key Features: SSO, social login, identity brokering; extensive features.
  Integration Complexity: Complex; requires technical expertise to deploy and maintain.
  Scalability: High; depends on your hosting infrastructure.
  Compliance & Certifications: Self-managed; compliance depends on your setup.
  Customization & Control: Very high; highly customizable but complex.
  Social Logins Supported: Yes (supports any OpenID Connect or SAML 2.0 provider, including Google, Facebook, Twitter, GitHub, LinkedIn, Microsoft, and more)

Go build value, not login flows

If you reached this point we hope you understand the big picture when it comes to user authentication and how to get it done. It’s a complicated topic and only you know what your requirements are. Between our basic advice and that table of AaaS service providers up there we hope we gave you a good start on narrowing down your decision on who to go with.


If you need more details or want to talk more about building out a digital platform on modern standards we love talking about this stuff. Get in touch.


37 questions you should ask your developers about app security

In an earlier article we talked about threat intelligence and securing your code against hackers from the start. That article focused on applying a subset of OWASP guidelines to web applications and backends. In this article we are going to do something similar for mobile apps.

We’re going to give you an overview of OWASP’s mobile application security guidelines using example apps and giving you questions you can ask your developers to work out how secure your app is.

Security is paramount for mobile apps. Unlike your backend servers, you can assume your mobile app is in the hands of bad actors. And if it is not, it might be sharing a phone with malware that would love to extract any useful personal or financial information your app might collect.

Let’s start with the example apps. They were “designed” to have different requirements, but they all share best practices for security.

Our Three Imaginary Mobile Apps:

(Any resemblance to existing apps or apps with the same name is purely coincidental. Naming is hard.)

Introducing the OWASP MASVS (Mobile Application Security Verification Standard)

The OWASP MASVS is divided into 8 groups:

  1. MASVS-STORAGE: Secure storage of sensitive data on a device (data-at-rest).
  2. MASVS-CRYPTO: Cryptographic functionality used to protect sensitive data.
  3. MASVS-AUTH: Authentication and authorization mechanisms used by the mobile app.
  4. MASVS-NETWORK: Secure network communication between the mobile app and remote endpoints (data-in-transit).
  5. MASVS-PLATFORM: Secure interaction with the underlying mobile platform and other installed apps.
  6. MASVS-CODE: Security best practices for data processing and keeping the app up-to-date.
  7. MASVS-RESILIENCE: Resilience to reverse engineering and tampering attempts.
  8. MASVS-PRIVACY: Privacy controls to protect user privacy.

Let’s go through them quickly, covering what you should be concerned about and what to ask your developers to confirm it is being addressed.

MASVS-STORAGE: Secure Data Storage

The most secure data is the data you never store. The second most secure data is data that you don’t store on a device you don’t control. Always ask if it’s necessary to store the data, and if you have to store it, what is the most secure option. 

Everyone wants to store credit card data because it makes purchase UX so much smoother. But no-one wants to become a target for hackers who love extracting thousands of active, verified credit cards. 

The same goes for personal information.

How the apps might approach compliance:

Questions to Guide Decision Making:

  1. What types of user data will our app store on the device?
  2. Is any sensitive personal or financial information being stored locally?
  3. How are we protecting stored data against unauthorized access?
  4. Can we minimise local storage by keeping data on secure servers?
  5. Are there scenarios where storing data locally is unavoidable? If so, what system APIs or third-party libraries are we using to provide secure storage?

MASVS-CRYPTO: Secure Use of Cryptography

You need to use up-to-date, strong encryption methods to protect data both when stored and during transmission, and manage encryption keys securely. This is not a situation where you can build your own solution. 

How the apps might approach compliance:

Questions to guide decision making:

  1. Are we using industry-standard encryption methods to protect data?
  2. How are we securely managing and storing encryption keys?
  3. Is all sensitive data encrypted during network transmission?
  4. Do we need to encrypt data stored locally on user devices?

MASVS-AUTH: Secure Authentication and Authorization

Implementing secure methods for user login and verifying that users have permission to perform certain actions within the app is critical. On both iOS and Android, secure authentication can be implemented using standard protocols like OAuth 2.0 and leveraging platform features for handling credentials securely. Both platforms support biometric authentication (like Touch ID and Face ID on iOS, and Fingerprint or Facial Recognition on Android) through secure APIs.

How the apps might approach compliance:

Questions to guide decision making:

  1. How will users authenticate within the app?
  2. Do we need additional authentication steps for sensitive actions?
  3. Are we using secure protocols for handling authentication data?
  4. Do different user roles require different levels of access?
  5. Should we implement multi-factor authentication for added security?

MASVS-NETWORK: Secure Network Communication

This should now be a given. Though you can make an argument that if your app relies on a large volume of static media, architecting your backend to deliver media via dedicated servers (or cloud services like Amazon S3) using a simpler unsecured protocol like HTTP can provide a small reduction in management overhead.

But it is better to just have all traffic use secure network protocols like HTTPS/TLS. Both iOS and Android support SSL/TLS pinning if necessary and provide networking libraries that handle security appropriately.

How the apps might approach compliance:

Questions to guide decision making:

  1. Are all network communications encrypted using HTTPS/TLS?
  2. Have we ensured that there are no insecure connections within the app?
  3. Do we need to verify the identity of servers we communicate with beyond standard measures?
  4. Are there any additional steps we should take to secure data transmission?

MASVS-PLATFORM: Secure Interaction with the Mobile Platform

Your app needs to safely interact with the device’s operating system and other apps, ensuring features like notifications and data sharing don’t expose sensitive information. On both iOS and Android, there are guidelines and APIs for secure inter-process communication (IPC), handling intents (Android), or URL schemes (iOS), and configuring notifications to protect sensitive data.

How the apps might approach compliance:

Questions to guide decision making:

  1. Does our app expose any functionality or data to other apps?
  2. Are we securely handling features like notifications and data sharing?
  3. Could sensitive information be unintentionally exposed through the user interface?
  4. Do we need to limit access to certain device features or permissions?
  5. Are there platform-specific security considerations we need to address?

MASVS-CODE: Code Quality and Security

It’s important to ensure that your app’s code is free from common vulnerabilities, follows secure coding practices, and stays updated with security patches. On both iOS and Android, this involves using secure coding standards, conducting regular code reviews, and keeping third-party libraries up to date. We covered some of the tools for this in the article on verifying the third-party code your app will use.

How the apps might approach compliance:

Questions to guide decision making:

  1. Are we following secure coding best practices throughout development?
  2. Have we validated and sanitised all user inputs and external data?
  3. Are all software libraries and components up to date and free from known vulnerabilities?
  4. Do we have a process in place to quickly update the app and patch security issues?
  5. Are we enforcing a minimum platform version to ensure necessary security features are available?

MASVS-RESILIENCE: Protecting Against Reverse Engineering and Tampering

This is a challenging part of the security stack. It is in reality impossible to stop this from happening. This means you need to ask yourself – what would a hacker gain by having access to the source code of your app?

Every other group in the OWASP MASVS has a role in protecting your business from this situation. This is why data storage choices are important, and why authentication is essential.

There are companies out there offering solutions which obfuscate code, and platforms like iOS try to block access to your app’s code, but there are also companies offering tools to counter these protections. 

How the apps might approach compliance:

Questions to guide decision making:

  1. Do we need to protect proprietary code or sensitive algorithms within the app?
  2. Are there risks if the app is reverse-engineered or tampered with?
  3. Should we implement code obfuscation or other anti-tampering measures?
  4. Are we considering the security of the app on compromised devices?

MASVS-PRIVACY: Ensuring User Privacy

Your app needs to collect and use user data responsibly. You should strive to minimise data collection, and provide transparency and control to users over their personal information. Both iOS and Android have guidelines and requirements for privacy, such as the App Privacy Details in the App Store and the Google Play Data safety section. Compliance involves adhering to these guidelines and any applicable data protection regulations like GDPR.

How the apps might approach compliance:

Questions to guide decision making:

  1. What user data are we collecting, and is each data point necessary for app functionality?
  2. Are we transparent with users about our data collection and usage practices?
  3. Do we provide users with control over their data, such as options to delete or modify it?
  4. Are we compliant with relevant privacy laws and regulations in our operating regions?
  5. How are we ensuring that user data isn’t shared with third parties without explicit consent?

Mobile app security is a headache

Building a secure mobile app is one of those “the devil is in the details” pursuits. But it needs to be done.

For experienced app developers most of the OWASP MASVS is simply how it’s done. But there are strategic decisions to be made, particularly around data – its collection, its storage and its transmission.

Hopefully this guide has given you an actionable top level understanding of mobile app security and provided you with the questions you need to be asking to make sure your app is locked down on launch day.

There are always more details and more questions. If you have any questions feel free to get in touch. We’d be happy to answer them.

Beat hackers and protect your business before running a single line of code

Hackers are getting out of hand. We’re sure you’ve noticed. Ignoring self-owns like the recent CrowdStrike debacle making the news, we seem to hear about new zero-day, zero-click exploits on a daily basis. Software infrastructure is complex and this complexity makes it vulnerable to bad actors. 

Bad actors that are willing to put in months of effort to convince developers to give them access to code so they can install backdoors that will let them take over every Linux server.

What can you do when your business is built on a technology platform constructed from thousands of open source and third party libraries containing millions of lines of code that your team didn’t write?

And what can you do when every new service you launch, like the API gateway your app and website will talk to, is discovered and scanned for vulnerabilities within an hour of going live? And not just once, but continuously by automated tools run by multiple anonymous parties? 

Keeping your platform secure sounds daunting when spelled out like that. 

But there is a way forward, and it involves integrating threat intelligence into your development process from the very beginning. Before your developers write the first line of code, and before they start installing the libraries your technology platform is going to be built on.

Threat intelligence is applying knowledge of the tools and techniques bad actors use to breach security. It can be used at every point in the architecture and lifecycle of your platform. This makes it a huge topic and one that keeps shifting as new techniques and counter-measures are put into play.

It’s too huge a topic for a single article, so we’re just going to look at the first step – building your platform – and only one facet of that: vetting open source and third party code. 

We’re going to give you an overview of the easiest to use tools available for incorporating this essential process. 

But first we’re going to talk about the OWASP Top Ten and where this vetting of code sits on the list. 

The OWASP Top Ten and secure coding practices

The OWASP Top Ten is a list of the 10 most critical security risks to web applications. It’s compiled by OWASP (the Open Worldwide Application Security Project – a nonprofit foundation) in consultation with its membership of cybersecurity professionals. 

The OWASP Top Ten list is due to be updated in early 2025, but here are the risks from the current 2021 version of the list:

We’re discussing “web applications” throughout this article because current practice is to build a web-based backend that both app and website frontends talk to on behalf of users. OWASP also has security recommendations for mobile apps you can read here, but we’re not going to talk about those in this article.

As we said earlier, this article is going to focus on just one item from the OWASP Top Ten – “Vulnerable and Outdated Components”. And we are going to focus on this security risk because there are services that can help you manage it. They’re not “set and forget”, but they don’t require in-depth training or expertise in order to adopt them and get immediate benefit from them.

They augment the role of the “Software Security Engineer” and automate the process of researching vulnerabilities that used to be done by googling or searching through the NIST National Vulnerability Database (NVD).

Some services, like Snyk, have their own security researchers to discover vulnerabilities and develop mitigations for them (like patches or updates for the troublesome library) and also contribute those vulnerabilities back to the NVD.

Snyk

Snyk call themselves “The developer security company” and they offer a suite of tools and services for mitigating supply chain attacks. 

These tools include Snyk Open Source. This performs source code analysis to find vulnerable dependencies. It integrates with your developers’ IDE, can scan pull requests, and can be integrated into your CI/CD pipeline to check no new vulnerabilities make it into production. 

They also provide continuous monitoring so if new vulnerabilities are discovered you can move quickly to address them. 

Snyk can be used for free by individual developers and small teams, with some limitations on testing and with no Jira integration. 

GitHub

If you’re already using GitHub for hosting your code or planning to, it makes sense to take advantage of its built-in security features. GitHub’s Dependabot automatically scans your dependencies for vulnerabilities and raises pull requests to update them, similar to Snyk’s open-source scanning, but without the need for additional setup.

GitHub Advanced Security goes further with features like secret scanning and code scanning, catching issues early, even before code is pushed. While Snyk also offers these kinds of tools, GitHub’s advantage is that everything is built right into the platform you’re already using for version control. 

GitLab 

GitLab, GitHub’s open-source competitor, also offers a suite of security features designed to fit smoothly into your development pipeline. If you’re already using GitLab for CI/CD or planning to, its built-in security tools can save you time and effort by automatically integrating into your workflows.

Like Snyk, GitLab includes dependency scanning, checking your code for vulnerabilities in open-source libraries and suggesting fixes with merge requests. GitLab also offers security features like container scanning, static application security testing (SAST), and dynamic application security testing (DAST), all built into the platform. This gives it an edge for teams already leveraging GitLab’s DevOps capabilities, as you get a unified toolset for both development and security without needing to add third-party integrations.

There are 65 different service providers for this kind of service (Software Composition Analysis) on G2. Way too many to go through without wasting your time, but between Snyk, GitHub, and GitLab you have three options your developers can try integrating into your development process today.

Trust but verify the libraries you rely on

We’re all building on the shoulders of giants out here. Not-invented-here syndrome needs to give way to the demands of time-to-market, which means open source libraries: entire ecosystems like React, Node, and Laravel, as well as server operating systems (Linux), web servers, and the proliferation of databases.

You are going to use third party code so make the decision now to mitigate the risks of bad actors, bad design decisions, and changing technology that necessity will expose you to.

Get your developers on board with one of the options we’ve talked about, or go spend a couple of weeks talking to each of the vendors on G2’s list. Just make sure you have a solution in place before you start running code.

Property Management Systems – Pick your niche and grow


There are thousands of property management systems (PMSs), also known as real estate management systems, software or solutions. And the reason there are so many is simply that the property market is incredibly rich and diverse.

There are different geographic areas, different types of property, different types of tenants, different types of property owners, different types of property managers and property management businesses. 

It is an industry of niches. And there are providers out there struggling to supply a one-size-fits-all solution to property management, but you can’t do everything well and you can’t do everything simply and you can’t do everything while supplying an enticing (and true) value proposition to everyone.

This means there are always numerous under-served, unsatisfied market segments looking for a property management system that gets them. That fits their needs.

You’re probably part of one of those segments: a niche where the available solutions fall short, or miss entirely, when it comes to creating value or at the very least offering efficiencies that ease the workload.

That deep knowledge of a property management niche is a huge advantage and is the foundation for building a successful PMS that might begin with a theoretically small market, but in practice has no upper bound on growth. 

Let’s start with some background on PMSs.

What Are Property Management Systems?

Property Management Systems are software solutions that automate the various tasks associated with the management of real estate properties.

Depending on their focus (or lack of focus), they can cover areas like property listings, tenant management, rent collection, financial tracking, maintenance scheduling, reporting, and more.

The obvious benefits of Property Management Systems:

The primary purpose of a PMS is to make executing the often complex processes of property management easier. That lowers barriers to success and lowers the level of expertise needed, which has the secondary benefit of making property management roles easier to fill.

Ease of use goes hand-in-hand with efficiency. A good PMS makes the difficult simple and the tiresome painless, and not just for the back office. A good PMS makes every interaction easier and provides a better experience for everyone who has to deal with it, including property owners, tenants, and service providers (plumbers, locksmiths, etc.).

On top of process improvement, a PMS gives stakeholders access to detailed analytics covering every aspect of the processes and transactions it implements. These are the essential numbers for running a property management business and another key reason for adopting a PMS. 

For the PMS platform owner, which could be you, access to anonymised and/or aggregated data provides opportunities for targeting development towards the features analytics reveal your users rely on the most in order to increase market appeal, but it can also provide market insights that are unavailable elsewhere and present a true advantage. 

How Property Management Systems are aggregating new technologies

The first PMS was a ledger – a physical book with pages of properties and related transactions filled out by hand. There were probably some ledger hold-outs up into the 90s, everyone else having moved to PC-based options in the 80s.

The real driver for uptake (and building) of PMSs was the development of payment service integrations, allowing even the smallest player to use a PMS to set up direct debits for tenants. This in turn has driven the development of countless PMSs because venture capital loves nothing better than business models that place themselves in the middle of a high number of financial transactions that they can take a 3%-5% fee from.

Today PMSs are SaaS – Software as a Service – running in the cloud, with a website designed to be mobile-first, with market leaders also offering native iOS and Android apps.

But a PMS can also extend beyond the browser, the desktop and the phone, depending on the niche. The proliferation of cheap microcontrollers with sensors plus connectivity via WiFi or 4/5G has created a revolution. It’s the Internet of Things (IoT) and it makes detailed property monitoring for maintenance and security cheap and accessible. For PMSs with feature sets that lean towards maintaining properties, integration with IoT networks, providing automated monitoring as well as analytics to generate predictive maintenance schedules and live feeds of property condition is a must-have.   

And we can’t talk about technology without mentioning AI and its use in PMSs. This can be generative AI (think ChatGPT) for helping with the production of property listings and other written communication, and customer service in the form of chatbots. It can also be Predictive AI that ingests the data collected by your PMS and generates maintenance schedules, flags tenant issues early, etc. You can read more about Generative and Predictive AI in this article.  

Picking the niche for your Property Management System

Ideally you should already have the niche for your PMS picked out. The best niche is the one you have experience in, where you understand firsthand the challenges and pain points that participants (like yourself) need addressed.

If you’re not sure about a niche, below is a list to get you thinking. We’ll leave it up to you to decide if you want to target a market of mice, rabbits, deer or elephants (there are no flies in real estate). 

What features your PMS will need depends on your niche. What features the MVP version of your PMS will launch with depends on how well you understand your chosen market.

Build your own Property Management System or tailor an existing one?

PMSs have been around long enough that there are not only software development houses with deep expertise in building them, but there are also software houses that offer white label solutions – prebuilt software you can check off the features you want and slap your branding on and launch. 

This makes one of your first and biggest decisions on launching a PMS a choice between build or buy. 

Build gives you control. That control gives you a straightforward path towards growth.

Buy gives you speed, but very little control. There are a multitude of options for how you purchase and run a white label PMS. They all have trade-offs and we don’t have the space to go through them. If you take this path, do your homework to ensure you have clear lines for growth, preferably via access to the PMS’s source code (which you hope is high quality) and accessible expertise to keep it running and build upon it.

Build vs buy is a chicken and egg gamble. 

Does buying and launching quickly let you confirm the market is there or will the market be uninterested in your copycat PMS?     

Does building let you launch with a product tailored to your market months later or do you burn cash and time to release a new PMS the market is uninterested in? (Hint: you can reduce the chances of the second option by checking out the LEAN canvas methodology and how to find product-market fit.)

Business is always a gamble, but it’s one of the few gambles where working hard and working smart can vastly improve your odds.

Property Management Systems are software and software is malleable

That sounds deep. But what it means is that once your PMS is successfully servicing its niche you are now the proud owner of a machine that makes money and that machine takes very little (comparative) effort to retarget or to expand.

The hard part is finding and landing that first niche. Once you grind out success in a niche you have in place 80+% of what you need to take over the next niche. Or to grow up out of your niche into the broader market – from regional unit rentals to regional residential rentals to nationwide residential rentals. Why not go global from there?  

Pick your Property Management System developer and grow

This is the pitch. SoftwareSeni gets proptech. We build proptech. We’ve been building software-based businesses in the real estate market for nearly 15 years. We build businesses from the ground up and for many of them we also manage the backend, keeping them running and secure and profitable.  

We’ve been helping businesses start and grow for long enough that we don’t just have the technical knowledge you need, we’ve got the business experience to help you gain the maximum leverage from our technical knowledge.

If you have a niche you want to build a PMS for, or just want to talk proptech, get in touch with us. 

How to spot opportunities in your business to use AI

Before we go over the 5 main interfaces where AI might help your business, let’s talk about the two kinds of AI.

The two kinds of AI – Generative and Predictive

Generative AI is the AI like ChatGPT, Claude and Gemini that everyone has been excited about for the last year/18 months. They are Large Language Models (LLMs). They’ve been trained on a vast amount of text (web pages, books, video and podcast transcripts, etc) and they work by being fed text in, like a question, and they output text in response. They are specialised for working with text, and so with human languages. They are bad at working with numerical data.

Predictive AI is what we used to think of as AI – neural networks, crunching lots of numbers, and making predictions like which customer is going to miss a credit card payment. 

Both Generative AI and Predictive AI are built using the same principles and same key software components, but they have different purposes.

For this article we are going to only look at Generative AI.

Now back to business and where to implement Generative AI, which we’re going to call Gen AI for the rest of the article to save on typing.

Where your customers reach out to your people

This is already one of the most popular points to use Gen AI. This is where chatbots live. The reason to implement Gen AI is because you want to either reduce resources or increase opportunities to provide information to current and potential customers.

It’s also where you can use Gen AI to implement smart filtering or triage of customers looking to buy or looking for support.

And it’s where you can use Gen AI to streamline information gathering on customers through conversational style interfaces that can better handle the trickiness of talking to people while providing a better experience than a lengthy form.

Where your people reach out to your customers

This interface is predominantly sales and marketing related:

Imagine never again sending an auto-response email that says “Do not respond to this email”, but instead turning email into a new “chat interface” for your customers to interact with your business.

Where your customers interface with your business systems

We hinted at this in the “email as chatbot interface” line above. But this interface covers opportunities for using Gen AI for:

Inhouse – Between your people

This interface is full of opportunities and possibilities for growth, flexibility and efficiency. Doing a deep-dive on how your business functions and where expertise sits in your processes will uncover lots of places where you can:

Inhouse – Between your people and your systems

Here is where your people are working with existing inhouse and third party systems. Gen AI can be used to boost quality of execution and, depending on the process, also reduce the time spent. 

The kind of processes that Gen AI can be applied to at this interface include:

The 3 major Gen AI approaches

Across the 5 major interfaces we covered, all the options to apply Gen AI are covered by only 3 approaches:

  1. Automate/Augment an interaction
  2. Automate/Augment the process of an interaction 
  3. Automate the artefacts an interaction produces (meeting notes, contracts, sales orders, product configurations, etc.)

When you’re looking at implementing Gen AI to support or automate an interaction or process, these are the three opportunities you should be looking for at each step.

Getting started implementing Gen AI

Implementing Gen AI in your business can start small. Process support is a great place. After chatbots, the key tool in Gen AI is called RAG – Retrieval Augmented Generation. This is often marketed as “Chat with your documents”. 

You can use RAG to give access to knowledge that might be in your SOPs (presuming these are in Word docs, Google Drive or similar) or in your product manuals or in years of client emails.

NotebookLM is Google’s version of this if you want to try it with a test case. Both OpenAI and Anthropic let you upload documents in their chat interfaces and ask questions about them.

A step beyond “Chat with your documents” is creating workflows that incorporate Gen AI. Dify.ai is a good place to start with this. It has a simple visual interface and it lets you easily build RAG-based chatbots that you can embed in your website if you want to try that approach. It has lots of other features and applications worth investigating.

For more advanced workflows there is n8n, and the incumbent workflow automation services – Make and Zapier – also offer Gen AI features.  

Conclusion

We hope this short guide has given you the necessary guidance on how to look at your business and how to look at your processes to find where you can take advantage of Generative AI. 

Doing is understanding. So start small – add Gen AI to a single step in a single process – and grow out from there. We find the more you use Gen AI, the more you find ways to use Gen AI.

Why we all should want Junior Devs working smarter more than Senior Devs working faster

AI is having a huge impact on software development. Even a year ago McKinsey did empirical research that showed AI coding tools were giving a 30-50% speed up for developers. Now, with GitHub Copilot being joined by tools like Cursor, aider and Zed, which push developer support from fancy auto-complete to hands-free multi-file edits, it feels like software development is about to undergo another leap in speed of execution.

As Charity Majors discusses in an article on StackOverflow, this increase in developer efficiency is leading industry executives and thought leaders to believe that “generative AI is on the verge of replacing all the work done by junior engineers”. 

She has about 5000 very smart words on why that’s wrong. We’re going to cover the same ground in a few hundred words and tell you what we’re doing about the situation.

The coding is the easy part

Businesses run on software. Most businesses are software. Writing that software is not the hard part about being a business made of software. The problem is complexity.

Yes, software is complex. But the real complexity is in the system that the software needs to exist in. This system isn’t limited to the boundaries of your organisation. It includes the infrastructure your software runs on, the other software it interacts with, and the pieces, the libraries, of software it is built from. The recent CrowdStrike related outage is an example of the complexity of the current system all software operates within.

Managing that complexity, and managing complexity in general, is the real skill and the real value that software developers deliver. And it takes time to learn it. Programming can be taught in a school or learned from a book. But mastering the details of the huge number of systems that are at play in the modern tech stack, where idiosyncrasies abound (because reality is imperfect and unpredictable), and unknown unknowns are numerous, takes years and requires mentorship. 

As Charity Majors says, this means we have to recognise that software development is an apprenticeship. Junior developers don’t become senior developers on their own. There is too much craft, too much knowledge learned through experience, too many mistakes to make, for a junior developer to master it all in a reasonable amount of time without guidance.

AI should empower junior developers, not replace them

The argument for not hiring junior developers is centred on a single question: why add to your headcount with a junior developer when you can just give a senior developer some AI coding tools?

As we wrote in our article on harnessing AI to save your business from the future:

“if your revenue per employee keeps going up as they complete work faster and do more using AI, why would you fire anyone?”

The better question is: “if your employees do more using AI, why would you not let them do more?”

If AI can help your senior developers do more senior developing – architecture, strategy, planning – why would you make your senior developers use AI to do junior developer work?

Junior developer work does involve writing code, under the direction of and with reviews by senior developers. But junior developers are also the go-to for writing test cases and refactoring code. This helps them build familiarity with your codebase and engages them with reading and understanding code written by experienced developers.

And if it is an AI coding tool that is writing the tests and refactoring the code, it should still be a junior developer driving it. The benefits are the same for the developer but the cost to you, which is accompanied by an opportunity cost, is lower. Having a senior developer generating tests instead of working on your overall system design, architecture or key features is not just throwing away money, it’s throwing away time.

Without junior developers there will be no senior developers

Every senior developer started as a junior developer. They spent 5-7 years learning the craft of software development under more experienced programmers. 

No-one has suggested that the world needs fewer senior developers. They are what every business wants to hire. 

But the execs and “thought leaders” who think junior developers are moments away from being automated out of existence haven’t explained where new senior developers are going to spring from.

They are not going to be created by AI coding tools.

This image is currently making the rounds in the tech-sphere:

If you know, you know. If you don’t know, consider it a taste of the complexities of software. We like to think that Blue Bubble next took the time to explain to Grey Bubble what they were misunderstanding and gave them some paths towards being able to share their creation. A little bit of mentoring, if you will.

We’ll keep growing junior developers into senior developers

In an earlier article we wrote about Core+ teams. A Core+ team is your core in-house team at the heart of an on-demand team that changes in size and structure to meet the latest challenge. 

It’s the future for lean, flexible business. And it relies on companies like SoftwareSeni cultivating and supporting a large pool of talented software developers. We’re a company of software developers focused on developing software. It’s no surprise developers like working here.

We build our pool by hiring experienced developers who want to work with us and by hiring graduates straight out of university. We invest substantial training in all of our developers because their skill and their well-being is the foundation for our success.

It’s what we’ve been doing for over a decade now. We’re practised at growing junior developers into senior developers. And we’re experts at helping businesses build the optimal mix of skills in their Core+ team to suit their product, their budget, and their velocity.

And a team of all senior developers doesn’t make operational or budgetary sense. No matter how many AI-powered tools you give them.

There will always be a place for junior developers

You don’t have to be a genius to see that the idea that the days of junior developers are numbered doesn’t make sense. Not in a world that continues to grow more complicated, where the skills to deal with it are quicker to teach than to discover.

And there will always be a place for junior developers at SoftwareSeni. They’re an essential part of our team and our future. They’re also an essential part of our clients’ teams and what they are able to achieve given the tough constraints everyone is working under at the moment.

Creating opportunities with AI to transform service industries

There is a large chunk of the economy composed of businesses that will benefit from the introduction of AI into their operations. These businesses are all low margin service businesses.

They could really use AI, but convincing them to use your AI solution will be a challenge.

Let’s look at the problem and a novel solution.

Here is why service businesses need AI

What they have in common is a lot of repetitive, non-strategic but necessary work. This includes things like data entry, triaging customer enquiries or responses by leads, reviewing submissions, double-checking applications, comparing Form A to Form B, etc. 

The roles in this type of work involve high volume, low- to medium-difficulty decision making with strict performance requirements. It is dull work and often stressful due to the sheer volume of it. And so these roles experience a high turnover rate. 

These businesses are also operating under labour market shortages. The high turnover rate is amplified by difficulty in recruiting for these roles. This is due to the unattractiveness of the role, but also there may be fewer people entering a field or industry. For example, many of these roles are finance related and accountancy graduates in Australia have halved over the last 10 years. 

Finally, these businesses also have margin pressure. Some of this is local and related to interest rate changes, and some is from global competition.

These three challenges – margin pressure, labour shortages and staff turnover – mean there are a lot of businesses out there who would benefit from AI based solutions that could give their margins some breathing room.

Don’t sell to them, become them

However, as Brian Murray from the VC firm Craft Ventures writes, these businesses are hard to sell to. 

They tend to have been around for a while, their operations are deeply ingrained in the culture of the individual business and in the culture of the industry. Convincing them to adopt your product is hard, especially in the early days when you don’t have a track record.

Murray suggests pursuing a different path. Become the target market. 

These businesses, despite the challenges, are essential and profitable. And being established businesses, many of them have owners who are ready to retire or move on. 

Instead of selling your solution, buy a potential client. Use your new business to test and hone your product. 

As the business owner you have the ability to make the fundamental operational changes needed to adopt new practices built upon your product. You will gain firsthand experience in implementing those changes, and if your product does everything you were promising, you now have a major advantage over the competition.

At this point you have three directions you can go. You can use the business as a base to grow in the market through M&As, or as proof-of-concept to license your technology to the rest of the market, or simply grow it through direct sales of your competitive services.

Each of these strategies has its own merits. M&As can provide rapid growth and market share expansion. Licensing can offer a scalable revenue stream with lower operational overhead. Direct sales allow for greater control over the customer experience and potentially higher margins.

You can also do some mix of all three options.

Go transform an industry

This is an era of transformation. With generally available AI that can offer decision support on the text and document-based forms, applications, invoices, reports and policies that have until now required a trained person to process, new opportunities are appearing. 

Spotting the opportunities and finding ways to take advantage of them requires a new way of looking at what is possible. 

Hopefully this article has given you some pointers on what to look for. And a new direction to consider when you decide how you’re going to build out your AI powered business.

SEO Strategy in The Age of AI

Generative AIs like OpenAI’s GPT-4, Anthropic Claude and Google Gemini have already changed how SEO is being carried out. If you follow the SEO industry you may already be aware of the dozens of tools and thousands of YouTube videos on using AI to generate content at massive scale to appeal to the Google algorithm to rank a site. For an industry that loves a quick and easy win, AI has been better than Christmas.

With the release of OpenAI’s new model, GPT-4o mini, which is powerful enough to generate readable content, its pricing at 60 cents per million output tokens has pushed us across a new threshold. And it is scary. 

Content is cheaper than dirt

You can now produce content dynamically for less than the advertising revenue you would receive for a single page visit. In this article, the author shows that generating an article with GPT-4o mini can cost as little as $0.00051525, 5 hundredths of a cent. Google’s Adsense calculator shows that for a site that gets 50,000 visits a month, a single page impression with advertising generates about $0.0026 in revenue per page visit. 

This is what they call an arbitrage opportunity. 

Whatever approach you take with SEO for your business, this is the competitive environment we will all be operating in.

Fighting back against infinite SEO content

The current standard practice in SEO is based mainly on winning through volume of content. That content has gone through “on page optimisation” to make sure that it is long enough and that not only does it have all the proper keywords, it has more than the competitors. The pages have been interlinked into “topic clusters” and linked also to “pillar pages” to make them more enticing for the Google Algorithm.

SEO practitioners used to do this by hand. Sometimes with “spinners” that would generate semi-sophisticated mad-lib style articles in bulk. But now it can all be automated. 

What is also being automated is the low quality of this content. Content produced to maximise ranking in Google Search results has always been low quality, whether it has been written by hand or generated by AI.

And this is where not just quality, but looking beyond the page, can give you an edge in SEO.

Search Result Ranking is not just about keywords

A leak of Google Search related documentation earlier this year has given some potential insights into what factors Google uses to rank search results.

One of the most important factors is user experience – how people are interacting with your site when they visit it. Clicks on a page, scrolling through your articles, and how much time they spend on your page, are all major signals. 

This is simply engagement and it is so simple it makes sense. High quality, interesting content that visitors engage with results in higher rankings in Google Search results. 

Freshness of content is also another factor. This can be a bit of an unfair bias against evergreen content. And forcing sites onto a treadmill of content refreshes of such content feels unfair, but has anyone ever felt the Google Algorithm was fair?

Links from other websites to your own content are also still worth pursuing and have value – depending on the site linking to you. 

Finally, Google is not just tracking visits from its own search results pages. It is also tracking visits that arrive from other places, like social media. This is another clue it uses to calculate a site’s ranking. 

Good SEO can no longer be just SEO

What does that mean? SEO – Search Engine Optimisation – can’t only be about optimising your content for search engines. Search engine. It’s really all Google, right?

The signals that Google is relying on are richer than just keyword counts on the page. And this is pushing SEO out into the broader spheres of marketing and branding.

And this is a good thing. Because it makes it possible to compete against AI generated content and sites full of keyword heavy content that no human would willingly read.

“Keywords” were never “magic words”

Choosing the right keywords is still part of SEO, but “keywords” doesn’t mean “magic words”. “Keywords” means clear titles that tell visitors what a page is about. And it means that the content on the page is going to cover the information they are looking for. Without repeating them dozens of times.

It means you need to communicate clearly, and to understand your audience well enough to know what they are looking for, how they are looking for it, and how they themselves talk about it. 

Clear communication and understanding your audience. See, SEO is just marketing once you start focusing on quality over quantity.

SEO extends into social media

If visits from social media are a signal to the Algorithm, then of course social media needs to be looked at through the SEO lens. 

And it is simply the same formula – clear communication and understanding your audience. Provide them what you know they value and they will interact with your posts, they will follow your links, they will visit your site and they will do business with you. 

Learn to think in formats beyond the article. Think short, think concise, think nuggets of wisdom, novel insights, and clever “soundbites”. And consider how those same valuable communications, short as they are, can be incorporated into the content on your website and how an insight shared on social media can lead your audience to deeper engagement on your website. 

At this level, interacting with your audience, your potential customers, on social media and providing them value – be it knowledge, insight, amusement – you are no longer doing SEO, you’re building your brand. 

SEO in the age of AI is quality beating quantity

SEO has been a volume game for years. If you’ve ever used on page optimisation tools you’ve seen it in action. You want to compete for a keyword? Simple, analyse competitor pages that are ranking for those keywords and write a longer article than theirs with more keywords than theirs. You will pop up in the rankings. Until they do the same back to you.

The best thing about this kind of stupid cold war game is that the results are terrible. Adding AI to the mix is making it all happen faster, but the results are not any better. There is a reason that the term online for AI generated content is “slop”. It’s the new spam.

Spending time to understand your audience, providing value and crafting content that they engage with, isn’t simple, but with thought and patience it’s doable. 

It won’t be a quick win, but that’s what will allow you to compete against an industry that won’t stop believing in the easy win while they fill the internet with words no human will ever read.

A VC’s Product-Market Fit Framework

Product-Market Fit is one of those business goals that is easy to understand but that doesn’t come with any clear guidance on how to reach it. Everyone has a playbook for achieving Product-Market Fit and a lot of it is survivorship bias with a pinch of common sense.

In this article we’re going to give you a quick rundown of a VC’s take on Product-Market Fit. The VC is First Round Capital and they’re basing their approach to Product-Market Fit on the experiences of the 500 startups they’ve funded, including several unicorns. 

The structure and advice is aimed primarily at sales-led B2B startups. You’ll see that they talk about length of sales cycles and integration times. These aren’t concerns B2C startups need to worry about. Even if your business isn’t B2B there are still some useful insights to gain from their model.

The FRC Product-Market Fit Model

First Round Capital, FRC for short, calls their PMF “extreme Product-Market Fit”. That’s some tasty positioning.

FRC splits their PMF model into 4 levels composed of 3 “dimensions” of fit with 4 “levers” you can tweak to fix your fit.

The levels:

  1. Nascent: Early days. You have a handful of customers and you’re still getting a handle on your product.
  2. Developing: You’ve sold to more customers, and they’re paying you, even renewing.
  3. Strong: Customers are finding you instead of you finding them; scaling is your new concern.
  4. Extreme: You’re growing, you’re a household name and you can deliver your product repeatably and efficiently to each customer.

The dimensions:

Satisfaction – How much do your customers like your product? How badly do they need it?

Demand – How long does it take to close a sale? How many of your sales are outbound vs inbound?

Efficiency – This is all those numbers that startups should obsess over: 

The levers:

The Persona – This is just Ideal Customer Profile with the numbers filed off. You can tweak this by making it broader or narrower – HR Managers vs HR Managers in Fortune 10,000 financial services? – or changing it altogether.

The Problem – Ideally a pain point that your Persona will do anything to be rid of. You want to look for urgency and huge upside for the client from your solution. If you’ve picked the wrong problem you may need to pivot.

The Promise – Your Unique Value Proposition. It’s not your product, it’s how you communicate the benefit your product will deliver. Be prepared to fiddle with this as you learn more about your customers and as your product matures.

The Product – What you’re building. Will it deliver on your promise and are people willing to pay for it?

A deeper look at the levels in FRC’s PMF

FRC have used their experience across their stable of startups to establish clear criteria on what level a startup is at. This is a very VC-focused model, but if you ignore mention of funding rounds and look at the other criteria you’ll be able to see where you fit in.

For each level they provide their take on which of the 3 Dimensions of Satisfaction, Demand and Efficiency you need to be spending your time on, and they are sensible. Though how you shift those dimensions using the 4 Levers of Persona, Problem, Promise and Product they leave out. 

They like to cover that in person, and, really, the 4 levers are the heart of your business model and aren’t amenable to advice given in a document as broadly applicable as a framework is. There is no generic advice that will help you fix your Product or anybody’s Product. That’s why startups are hard.

Let’s look at their levels.

Level 1 – Nascent

At Level 1 you’re a nobody making promises. You’re relying on your personal network to find customers and your conversion rate is terrible. 

Here’s the basic criteria according to FRC Level 1:

To make it to the next level they suggest you focus on Satisfaction. Getting to 5 customers who really need your product because it solves a problem puts you on the path to doing the same for 50.

Level 2 – Developing

At this stage you should start to feel like you’re on the path to PMF. You’re landing customers from outside your network. Organic growth is kicking in.

Here’s FRC’s criteria for Level 2. Note the low customer count. FRC’s PMF model is very much targeted at products with a 5 to 6 figure+ Annual Contract Value (ACV):

To make it to the next level you really need to work on Demand and how to generate it. You can grind your way to 20 customers, but you can’t 5-10x that effort and simply keep grinding your way to 100 or 20 customers. 

You need something generating Demand on your behalf.

The most helpful Levers for pushing on Demand are typically fine-tuning your product positioning and finding scalable channels, whether that’s outbound sales, SEO, paid marketing, referral or a combination of these.

Level 3 – Strong

When you’re at Level 3 you’ve basically made it. Demand is inbound and growing. Customers know your name. You’re able to onboard customers with minimal or no customisation while still delivering value they are happy to pay your contract for.

Here’s the criteria for Level 3:

The business is working. To reach the next level you need to focus on Efficiency. Some numbers need to go up – work on getting your LTV:CAC ratio over 3. Other numbers need to go down – reduce your CAC payback time below 18 months. You’re a mature business with processes that work. Optimise them to get to the next level.

Level 4 – Extreme

Everyone knows who you are. Your efforts are spent scaling and streamlining. You’ve found PMF and you’re getting close to addressing your Total Addressable Market (TAM). 

Guess what? That thing you did – create a product and drive it to PMF? Now you need to do that again. And again.

Here are the criteria for Level 4:

There’s no moving beyond Level 4 of PMF. To keep growing you simply need to repeat the process. There are four ways to do this that leverage everything you’ve learned and built:

  1. New features: Add functionality to create fresh use cases.
  2. New product: Sell something different to the same market and buyer.
  3. New market: Take your product to a different sector or market segment.
  4. New buyer: Same product, same market, different decision-maker.

Where to find more

This was a condensed version of First Round Capital’s approach to PMF. You can read the full 13,000 word version here. You probably should. It goes into greater detail, has great examples and interesting interviews with founders on their journey to Product-Market Fit.

As we said, it is tailored to B2B startups with $$$ Annual Contracts, but there’s a lot of quality experience and insight packed into it that everyone looking to found a startup can learn from.