To build a digital business, you will want to apply DevOps practices to any custom code you build from scratch and put into operation. If you create API integrations with cloud services, you will want to apply that same discipline to your integration code. But what about the management of software-as-a-service, or SaaS, applications?
The SaaS business applications you tap to handle sales, marketing and financial management functions tend to be managed separately and manually, each with its own configuration dashboard. Understanding the complete state of these systems and whether they are in compliance with corporate policy and regulatory requirements can then involve hunting through dozens of settings screens—which is why there is a market for management tools that address complex cloud software stacks such as Salesforce.
The bigger challenge comes if you want to manage Salesforce and NetSuite and HubSpot and Zendesk, as well as the connections between them. That’s the only way to know if the configuration change you made in one will impact the operation of another.
Given that SaaS business applications have become such a major part of digital business, and customizing the configurations of those apps is a lot of the development work IT departments do these days, that’s a pretty big hole.
Eliya Elon was convinced there had to be a better way. Hired in early 2020 as VP of business operations and analytics at security threat monitoring firm IntSights, he had the idea that in an everything-as-data world, a business app’s configuration ought to be just another data set in the corporate data warehouse to be analyzed and optimized.
Elon sees an even bigger need now that IntSights is part of Rapid7, a significantly larger cybersecurity company that made him senior director of business operations, with a focus on revenue operations. “Being part of a bigger organization, with more depth, more operations, more things to do, the challenges just get multiplied,” Elon says.
A product manager before he turned to operations, Elon figured, “somebody has to be working on this.” He asked around until he found Salto, a configuration service that can fetch the configuration data from multiple SaaS applications and store it in a common configuration script format that can be tracked in GitHub, edited with the help of a Visual Studio Code extension and pushed to a SaaS app—with an audit trail for changes and the option to roll back changes, if necessary.
That last point is key to allowing a business to move faster, Elon says. The need to roll back changes doesn’t come up that often, and if it does, “It’s usually not that bad,” he says. “I think what’s more important is the psychological effect of knowing they can go back reduces hesitancy. Knowing you can go back allows you to move faster.”
Gil Hoffer, co-founder and CTO at Salto, says the company’s goal is “allowing modern businesses to manage business applications with tools and methodologies similar to how DevOps is being managed.” The way business applications—by which he means SaaS applications—are managed today “is more similar to the way software was developed in the 1990s, very manual and error-prone.” Even as businesses seek the simplicity promised by SaaS as they take on “tens or hundreds” of these applications, they discover many requirements for custom configuration.
By Hoffer’s own assessment of the scope of the problem, Salto is providing only a preliminary solution, with support for just a handful of platforms, not “tens or hundreds.” On the other hand, the SaaS applications Salto has started with tend to be those that make cash registers ring or help with customer service and money management. They include Salesforce, NetSuite, HubSpot, Workato, Zendesk, Zuora and Stripe.
In other words, it’s a good match for the needs of leaders focused on revenue operations and the business part of business transformation.
Just a couple of years old, Salto hopes to engage SaaS platforms in meeting halfway on integrations. The core technology, including the NaCl data format and a command-line interface for fetching and pushing configurations via SaaS service administration APIs, is published as open source. In doubly nerdy language, NaCl stands for “Not Another Configuration Language” and is the chemical symbol for salt, a twist on the company name. NaCl is an extension of HCL, a configuration language HashiCorp promotes to help cloud services providers with their own internal operations.
NaCl is machine readable but also fairly easy for a human to read, using JSON-like formatting. In its commercial incarnation, Salto adds low-code tools that allow users to click on the representation of a configuration object, make changes to it, and save it back to a text representation that is easy to audit, track and share.
Hoffer says the toolset doesn’t necessarily replace the admin UIs built into the SaaS applications themselves, but changes made that way can be fetched and reconciled using source control techniques. “Now everything is bi-directional,” he says. The system can also be used for planning and impact analysis, Hoffer says; for example, showing how a change made in NetSuite will affect other software that connects to that system object.
Making this easier, most popular SaaS applications offer robust administration APIs “and some offer almost perfect coverage,” Hoffer says.
At Rapid7, the Salto implementation so far is only part of the IntSights division, but Elon has been talking it up to the CIO as part of his broader vision of modeling business operations in code. “I’ve been appointed to lead the integration of the businesses, and there’s a huge appetite to use this as a blueprint and integrate it into Rapid7.”
In addition to speeding business application development, the benefits extend to compliance and auditability, he says. “Everything is just a script. You capture the script in Jira, which is how you do change management and lets you prove to your auditors how you’ve maintained control.”
Is configuration management a CIO-level issue? Elon says it is, or ought to be. “The stress and number of requests from the CIOs to act as builders have increased ridiculously,” he says. And while CIOs want to take maximum advantage of standardized software and SaaS services, they also have a need to distinguish themselves from the other businesses taking advantage of those services.
His example? Using Salesforce, but also a custom extension that fed in data from IntSights threat intelligence scans of prospective customer websites. The idea was to give salespeople a conversation starter—some information to offer for free, like a sighting of an executive’s personal information on the dark web—as a way of adding value to a sales meeting. “I could never find something off-the-shelf that does that for me.”