How much design polish is really enough?
In this episode, Rob Walling is joined by fan favorite Derrick Reimer for a new round of listener questions. They dig into the best AI coding stacks right now, how to ship fast without losing polish, whether AI is changing the kind of risk founders face, and when to start taking security seriously.
Episode Sponsor:

Are you a non-technical founder with solid revenue and real traction, but your technology is holding you back? You should check out today’s sponsor, Designli.
They specialize in helping founders like you who are stuck with messy code, unclear roadmaps, or a dev team that just doesn’t get it.
And for listeners of the pod, Designli is offering their Impact Week completely free. That’s a one-week, no-obligation audit where their team dives into your code, your design system, and your product roadmap to show you exactly what’s working, what’s broken, and what needs to happen next.
If it’s a fit, you can move on to SolutionLab, a three-week sprint where Designli takes over your codebase and architects a real roadmap for growth, led by a full-time, cross-functional team.
If your tech is the bottleneck to your next stage of growth, check them out at https://designli.co/fortherestofus.
Topics we cover:
- (2:03) – What’s the best A.I. coding stack for developers right now?
- (11:14) – How can solo founders ship fast without sacrificing polish?
- (21:55) – Is A.I. shifting startup risk from market fit to feasibility?
- (31:44) – When should SaaS founders start worrying about security?
- (44:30) – SavvyCal’s latest product expansion
Links from the Show:
- Call for Speakers – Apply to speak at MicroConf US in Portland
- Claude Code
- Windsurf
- Cursor
- GitHub Copilot
- VS Code
- Visual Studio
- SavvyCal Appointments
- Derrick Reimer | LinkedIn
- Derrick Reimer (@derrickreimer) | X
If you have questions about starting or scaling a software business that you’d like for us to cover, please submit your question for an upcoming episode. We’d love to hear from you!
Subscribe & Review: iTunes | Spotify
Welcome back to another episode of Startups For the Rest Of Us. I’m your host, Rob Walling, and in this episode I welcome Derrick Reimer back for another round of listener questions. We talk about the best AI coding stacks, how to balance shipping fast with UI polish, when and how much to think about security and more listener questions. Before we dive into those, I want to make a call for speakers for MicroConf US. You can head to MicroConf dot com slash pitches if you feel like you have an incredible framework, a unique insight, or something else to share with 275 of your favorite bootstrapped and mostly bootstrapped founder friends. MicroConf US is in Portland, Oregon in mid-April, and we are filling out the speaker docket as we speak. MicroConf is unlike any other event I’ve ever attended. We don’t let people sit and pitch their product. We’re looking for great talks from folks who are in the trenches, whether you’re a founder or an advisor or a consultant, a freelancer. If you are working in SaaS or on a topic that can really help SaaS founders and you feel like you can deliver it and you have proven experience on stage that has been recorded at least once, you should head to MicroConf dot com slash pitches. And with that, let’s dive into listener questions with Derrick.
(01:34):
Derrick Reimer, welcome back to Startups For the Rest Of Us. Thanks for having me. It’s great to have you, man. I believe this is your 22nd appearance, but who’s counting? I’m really into numbers, so we are going to answer some listener questions. You’re back by popular demand. I mean, honestly, not a month goes by that someone doesn’t either comment on an episode you’ve been on or say, Hey, when are you going to have Derrick back on the show? And I’m always, pretty soon. Pretty soon. So you’re a fan favorite
Derrick Reimer (02:01):
Too kind, too kind. I’m honored.
Rob Walling (02:03):
Let’s dive into our first question. I have a mix today. There were some questions that have just come to the main Startups For the Rest Of Us line, but then a couple days ago I posted on X Twitter and said, Hey, Derrick’s coming on the show. What questions do you have specifically for him? And the first couple will be along those lines. So Brandon Manson on Twitter asked, as a solo founder with a two-month-old and a three-year-old and two plus hours of commuting per day, I found AI coding to be an absolute game changer for me. I use Claude Code plus GitHub coding agent to do what is essentially spec-driven development. What tools and/or workflows are you using?
Derrick Reimer (02:44):
Two-month-old, three-year-old, two plus hours of commuting a day? Oh my gosh. Brutal, brutal,
Rob Walling (02:50):
Brutal. Yeah, let’s just have a moment of silence for your productivity right now. And they won’t be permanent, but my kids are four years apart, but that’s a lot. AI is going to help you
Derrick Reimer (03:02):
And it is nice to have AI to help accelerate things, especially when you have those types of constraints. So my current tooling, and I feel like this always needs to be caveated with the timestamp of, we’re in November of 2025, so this may be completely outdated three months from now, but as of right now, I’m still using Windsurf as my main editor, which is sort of an alternative to Cursor. The only reason I’m using Windsurf is because someone convinced me to give that one a try first and then I’ve just stuck with it. But I think Cursor’s probably a little more popular than Windsurf and they basically do the same thing. They have a little agent panel built in that communicates with the major models and helps you edit your code with AI. So that’s my main editor and I actually don’t use the agent functionality in Windsurf much anymore.
(03:53):
I’ve kind of switched over to Claude Code for that. And you can actually install Claude Code into Windsurf or any VS Code based editor so that it sort of natively integrates as if you were using the agent in Windsurf or Cursor. And I’ve done that because Windsurf went through a period of time where OpenAI was flirting with buying them, and then Anthropic cut off their Claude access for the best models and then Claude Code was coming out around the same time. And it seems like Claude Code gets first-party access that others don’t because Anthropic is the one that’s developing it. So they build the model and the agent so they’re able to make sure it works really well and they probably give themselves priority on compute and all that. So I use that. But in Windsurf, they still have tab completion type of functionality.
(04:44):
So as I’m bouncing around, if I put my cursor somewhere in the middle of a code file and I’m thinking about modifying that code, about, I don’t know, 60% of the time, it’s able to guess what I want to do and kind of show the autocomplete style, here’s the proposed change, and I can just hit tab and accept the change. And for the longest time I didn’t use that type of thing. That was sort of how GitHub Copilot worked a couple years ago. That was the main way that you would use GitHub Copilot. And for me, it always felt like someone was trying to finish my sentences before I had time to think through what I was going to say and it interfered with my thought process, but these days, the tab completion stuff is getting really good and it feels like it’s reading my mind half the time.
(05:28):
So that’s kind of my two main tools while writing code. Claude Code has their new plan mode thing, so you can ask it to do something and to make a plan first, and that’s sort of natively built in to the editor, and so it’ll propose a plan and then you can flip it into kind of auto-accept edits mode. And so it’ll make changes, run the tests, read the test output, make more changes, and kind of iterate on its own, which is really nice. It used to ask a lot more frequently, do you want me to do this? Do you want me to do this? And I think it’s getting a little bit more refined in its ability to just sort of iterate on its own. So that’s been cool.
Rob Walling (06:09):
Cool. So it sounds like there’s overlap with him, like Claude Code seems to be the leader in this space.
Derrick Reimer (06:16):
I think so. I mean, I will say that I’m, I feel like every week I’m hearing about some new thing that people are using and I’m not one to necessarily jump right on it. I kind of wait to see, okay, it seemed like there’s enough critical mass here where everybody’s talking about this thing. Okay, maybe I’ll give it a try, but I can only allocate so much time to trying out something new and potentially changing my workflow maybe to my detriment, but it’s just moving so fast.
Rob Walling (06:45):
Here’s the thing, so I think of being an early adopter as either it’s a hobby that I’m doing nights and weekends or I have a day job and I have a bunch of downtime. I used to work at a credit card company. I was a developer and I had 40, 50 hours a week that I was there. And oftentimes I’d take an hour and just kind of screw around with stuff. If I were running my own company and I was coding on my own, I wouldn’t do that, right? It becomes a lost opportunity cost. And so early adopters, it’s the same way we used to build our own PCs, right? I’m sure you remember that. And then at a certain point I’m like, when I became a consultant and I was billing whatever, a hundred, 150 an hour, I stopped building my own PCs because an hour of downtime because my graphics card went down became catastrophic. And this is what you’re in now where it’s like every minute counts and productivity is more important. And so it is that balance of I don’t want to try the new AI model or the new JavaScript library that comes out every week.
Derrick Reimer (07:42):
The nice thing about these is I found in general a lot of these AI tools, they try to make it extremely smooth to adopt. So trying out Claude Code, initially it was in the terminal and then at a certain point I started seeing, I don’t even know how I discovered it, but it was like, Hey, do you want to install this into VS Code? And I was just like, yes. And then it just did. It was very seamless. So the nice thing is a lot of these tools are, I mean, it’s a land grab right now and they’re all trying to be as easy as possible to adopt. So that has been the nice thing compared to other technologies in the past where it’s like, oh boy, okay, I got to roll up my sleeves and read a bunch of docs and learn this thing. Thankfully, a lot of these things are pretty quick to be able to try out.
(08:25):
There’s a new one called Tidewave from, I think actually some of the people behind the Elixir language are working on this, but they’re not just building it for Elixir, they’re doing it for Rails and Python and JavaScript and these different ecosystems. And it gives you kind of two things. It gives you an MCP server for your code base. So I can have Claude Code have some first-party tool access to my code base. It can ask Tidewave to search all the functions that are defined in a module as opposed to it doing a string search. So it has just a little bit higher fidelity and it also knows what packages are installed in my project and can read the docs for those. So it has a direct line to the doc site, so it just helps it be a little bit better at what it does. So there’s that, and then I think they’re also adding a kind of Claude Code-esque editor in the browser, so it’ll open up your project on the side, have a panel, and then you can ask it to make changes to the page that’s currently showing and it’ll live edit for you. I saw
Rob Walling (09:30):
Someone demo this. I was really impressed with this. Yeah, I saw it on a YouTube video. I was like, whoa. Yeah, that’s really cool. If you had told me 10 years ago that Microsoft would have one of the leading editors with VS Code, I’d have been like, no, no, no, no, no. There’s no way the Rails and the open source and the Elixir developers are ever going to use a Microsoft product. You remember I always loved Visual Studio back in the day when I was a .NET developer because it was just so good. Everything was strongly typed and you’d type out your object, hit dot, and then you’d see all your methods and all this stuff. It was just really, really engineered very well. And I know VS Code is not exactly that, but when it came out I was like, good luck Microsoft per usual, and then suddenly it’s everywhere. I feel like everyone uses it
Derrick Reimer (10:16):
And I think the fact that it’s open source, yeah, built on kind of deep open source foundations with Electron and I dunno, it’s like the fact that it’s open source and it’s been able to be forked by Cursor and Windsurf and others to then layer on this functionality has just made it even more entrenched I think, which is kind of cool. There’s interoperability with all the VS Code extensions, which now also work in Cursor and Windsurf, so it’s a smart strategic play. There’s a lot of jokes out there about how there’s these multi-billion dollar companies that are built on top of a fork of VS Code, but hey, I mean it’s a land grab
Rob Walling (10:54):
That’s open source. Yep. Yeah, so thanks for that question Brandon, and I really appreciate your insights on that, Derrick. I know some folks are out there kind of looking for, maybe they haven’t figured out their AI coding stack or maybe they’re just dipping in. It’s helpful to have just a perspective or two, in this case from the two of you guys, from folks who are doing it day to day. Our next question is from J Geek SEO on X Twitter, and they ask, how does Derrick balance shipping fast with maintaining design polish in solo projects? That daily trade-off fascinates me. And I typed out a response to this asker and did not send it, and my jokey response was, Derrick does not. He just gives up on the polish. Have you seen how crappy his product was? And then I thought, someone’s going to take me serious. It was a very dry, just a sarcastic dumb thing to say, but I’m saying it here because yeah. Anyways, there we are. That sets you up how you maintain this balance. I want exactly how you do it. Don’t tell me. It depends. If you say it depends, I will cut your mic.
Derrick Reimer (12:00):
I know these questions are always so tricky. I wish I had a really good answer because yeah, it’s not a formula. It’s like I was trying to think of the best way to characterize it without just sounding, you just have to be awesome at it. But I do think it’s a learned
Rob Walling (12:16):
Intuition.
Derrick Reimer (12:17):
Yeah, yeah, just intuition. I really like it, it’s a learned skill and you have to build up your intuition on when to call it on something, when something is good enough. And I think it does depend on your context. How important is a high degree of polish in this area? I would say not every part of my products is polished to the level that I would ideally want them to be, but every time we’re building a feature, it’s like, okay, we have this dropdown and yeah, it’d be nice if we had all the icons for all the things showing in this dropdown, that would look really cool. Is that really that important right here? No. And that’s going to add an extra couple hours to the task and we need to move on to other things. Nope, let’s call it. So I think it’s a never-ending series of judgment calls and I think you can kind of refine this over time and build up your skillset around it.
(13:09):
I’ll also say there are some other practical things as I reflect on how my process has changed over time and how technology has changed over time. These days, UI component libraries have gotten really popular and I didn’t rush to adopt them right away. I was sort of of the mind that every element in your app needs to match the aesthetic of your kind of internal design system. So you should just design all your form inputs and selects and checkboxes and radio buttons, design all these things from scratch to match your internal design system. And I feel like we’ve sort of moved in the direction where a lot of these things we’re always just kind of looking for them to look basically native. A good default, a good sensible default is like, do your form inputs kind of look operating system native. And there’s actually a lot that goes into making a lot of these controls truly accessible, following all of the ARIA accessibility guidelines, and do you have keyboard navigation in your dropdowns and all this stuff that you ideally want to have.
(14:18):
And there’s not a lot of value these days in trying to re-implement a lot of that stuff. So adopting either Catalyst from Tailwind or shadcn or Flux, or there’s a bunch of these for all the different kind of flavors of front end that people work with. And I started using this in all of my projects, and SavvyCal Meetings, the older SavvyCal product, kind of has some hand-built components, but we’re gradually moving over to Catalyst components just because it’s like I don’t want to be thinking about styling all of these things. I want to lean on things that people have put hundreds of hours into carefully crafting. And so adopting some primitives that other designers have spent a lot of time on shortcuts the process for sure. And then I think about, for higher level components, it’s like having the discipline to say, all right, I built this, say it’s like a filtering UI at the top of a list page, and I figured out the structure for this thing and maybe I’ll have other pages where I need filters, having the diligence to extract that into a reusable component. So then the next time I need to go and add filters, I’m not having to think about, all right, let’s duplicate this code over and what’s different about it. If you do the thinking upfront when you first design something, then you’ve given yourself the gift of having something reusable later on and you don’t have to spend a bunch of time on it.
Rob Walling (15:42):
Yeah, the discipline, I like that word discipline. It’s hard to do when it’s like, this doesn’t buy me any time right now, but my future self will thank me. And then how do you not overdo that? Because you can, oh, I’ve seen people gold plate their code where everything is super reusable and so that’s again that judgment call of
(16:01):
It’s just enough. And I think here’s the thing, you have to unlearn. If you’ve worked at big companies and had, again, infinity hours per week to just ship a thing and worked on a big team where you’re working on one piece, you can really gold plate stuff and it’s fine. And I know I had to unlearn those habits when I started building my own stuff. I needed to move at two to three times the speed. And so it’s like, what do I cut? What corners do I cut? There are corners that you need to cut in order to keep your velocity going. And it sounds to me like, I would say you have a very, very refined kind of design and UX, like UI taste or editorial eye we could say. And if I were to say, all right Derrick, you’re going to design this settings page, design and build and code out the settings page versus the main interface to SavvyCal that everyone sees every day, you would want the main interface to be a nine plus out of 10 and the settings page, maybe you could do a five out of 10 where it is like, eh, there’s some checkboxes still.
(17:04):
They’re not even sliders. And that part is the judgment call, but you have to develop that editorial eye first or that taste, right, if you don’t know the difference. There’s people who just will look at a UI and say, I don’t know, is this good? Is this great? Is this a two out of 10? A 10 out of 10? You also have to develop that. I think
Derrick Reimer (17:24):
It’s funny, the things that large famous software that we all know can get away with. You go to the Gmail settings sometime, just take a look at that. Catastrophic. Yeah, I was in ’em the other day. It’s still so bad. Yeah, I mean stuff is really tightly packed in there. There’s the save button that’s tiny way down at the bottom, super easy to miss. Just so many things wrong with that. I will say if you’re a newer entrant to the market, making sure you have a reputation of a certain level of quality is often important. Gmail can get away with that because it’s Gmail, but your new app that’s trying to be viewed as credible, you can’t get away with that level of sloppiness. But just to say that, yeah, there’s especially certain parts of your interface, like a settings panel, where I think we perfectionists, me included, tend to want to obsess too much over that. And it’s like just keeping that in check. All right, you can always come back and refine that later. Keep that in your mind. Maybe there will come a time where you have some downtime and it’s like, you know what? I’m going to take a couple hours and make that page much prettier, but is that really the most important use of your time or should you go build another high value feature?
Rob Walling (18:38):
That’s a good thing to point out. There might be two extremes there where big company interfaces, you say, well, Salesforce and Gmail and whatever, these other big apps, even HubSpot or whoever we could think of, they have really bad interfaces, and especially parts of them are clunky. And so I can build a really bad interface too, and it’s like probably not, but let’s flip to the other side. Well, I was in Basecamp version three and everything’s polished, just gold plated everywhere. So that’s how I have to be. And it’s like Basecamp has infinity time to ship whatever they want and that’s an amazing luxury that they earned by building Basecamp and they executed well. They got a little lucky, we know they’re doing nine figures, or we think they’re doing nine figures of revenue, tens of millions of net profit. They can do whatever they want.
(19:20):
You can’t do either of those extremes. So if you’re going to model yourself, also don’t model yourself after Apple because they also have infinity resources to do things. Model after people who are constrained and who have a Derrick Reimer, any TinySeed company, maybe some of the indie hackers that have taste. I dunno, we can point to some people, but I don’t like it when people use Steve Jobs as an example of anything usually because you’re not Steve Jobs, you don’t have his resources or his ability. And I don’t tend to like it when people use Basecamp as an example because like you’re not Basecamp guys, and if you are, great, go do that, but try to be a little more moderated or I guess measured in your opinions and look at other folks who are succeeding as you are as maybe a single founder or a small bootstrapped team.
Derrick Reimer (20:06):
Yeah, because that’s basically the skill. The intuition you’re developing is like resource allocation. That’s what it comes down to. You think about the fact that nothing you do is free because there’s an opportunity cost of what you could have spent that time on. And the more you get that ingrained into the way you think about things, the more you’re able to be at peace with something that’s not perfect, but you’re like, no, but I feel deeply at peace with this because I know that if I spend time on this thing, I’m robbing that time from something else and we can’t afford to spend all that time on stuff that’s low value. So appreciate
Rob Walling (20:42):
The question Jules, I hope our thoughts were helpful for you. Are you a non-technical founder with solid revenue and real traction, but your technology is holding you back? You should check out today’s sponsor Designli. They specialize in helping founders like you who are stuck with messy code, unclear roadmaps, or a dev team that just doesn’t get it. And for listeners of the pod, Designli is offering their Impact Week completely free. That’s a one week no obligation audit where their team dives into your code, your design system, and your product roadmap to show you exactly what’s working, what’s broken, and what needs to happen next. If it’s a fit, you can move on to SolutionLab, a three week sprint where Designli takes over your code base and architects a real roadmap for growth led by a full-time cross-functional team. This isn’t just another dev shop cranking out features. Every sprint is tied to measurable business outcomes so you can scale with confidence and enjoy the process. If your tech is the bottleneck to your next stage of growth, check them out at designli.co slash For the Rest Of Us, that’s D-E-S-I-G-N-L-I dot co slash For the Rest Of Us.
(21:55):
Moving on to our next question, it’s from Pablo Fernandez on Twitter and Pablo asks, I have a question for both of you. Do you think with AI we are seeing a shift from market risk to feasibility risk when looking at startup ideas? I used to think, would anyone want this? Where today I find myself thinking, can AI do this yet? What I mean is most idea validation in the startup world, especially bootstrapping, has been about quashing market risk. Now I see a lot of bootstrappers that also need to quash feasibility risk. And I’m not sure I agree with the terms. Feasibility implies to me, is this feasible to build at all? But I think what he’s saying is almost there’s a weird platform risk that we all are having that AI could just subsume your business. Market risk, if folks aren’t familiar with that, it’s like, is there a market for this idea that I have? Derrick and I, you and I could come up with a software that helps people lay out books for printing in paperback and whatever, and it’s like, well I dunno, does that exist already?
(23:01):
Is there really a need for this? Is the book industry dying? Customer development, we’d have conversations, should we build this rather than just going off, that’d be kind of fun to build, Hey, let’s do it. But we would want to question, does anyone want this? And in what volume and can we reach them? But what he’s asking is interesting because there are some tools that AI just kind of has wiped off the face of the earth a little bit, or at least it’s chomping at their margins. And I think that these days is only getting better. How are you thinking about
Derrick Reimer (23:32):
This? Yeah, it’s interesting. I was trying to come up with some examples of products that have truly been upended by AI. One that came to mind is Grammarly. I don’t know how they’re doing these days. I know they bought Superhuman, the email editor. I think they’re trying to pivot their company basically because Grammarly, you either type in or you paste in an email or a paper or something you’re trying to write and then it gives you a bunch of suggestions on stuff and obviously LLMs are extremely good at that. So a product like that, yeah, probably sees a lot of threat from LLMs, and then there’s, I dunno, the bigger question of, is a whole category going to shift. This was a question for me as a scheduling link provider, are scheduling links just going to be dead? Are we just going to be using AI chat to negotiate times to meet?
(24:22):
I tend to think stuff is not going to shift as much as people often jump to initially. I still think there’s a place for the user interface that has well-crafted inputs for you to get something done. I still think that beats chat interfaces in many cases. Now, whether you’ll need to incorporate AI into the functionality in order to stay competitive is a different question I think, but completely being replaced by AI, I don’t know. I think there’s still so many things out there because ultimately customers, they still have jobs to be done that they’re hiring software companies to help them do. And I kind of reject the notion, someone said this or this is something that’s just out there in the ether, like yeah, everyone’s just going to be building their own bespoke software to do things. They’re not going to pay for SaaS anymore. And I’m like, that’s complete BS.
Rob Walling (25:19):
Yeah, that’s not going
Derrick Reimer (25:20):
To happen. No, I still need team communication software. I need a calendar, I need project management tools, I need an email client, I need a CRM, I need error monitoring. I’m not going to build any of this stuff myself just because I may have some specific requirements or I’m not so happy that Honeybadger doesn’t do this thing, so I’m going to ask AI to build an entire error monitoring system for me and then I’m going to maintain that infrastructure and host it myself. And no, that’s not going to happen. So I think yeah, SaaS is not anywhere close to dead because of AI. I don’t think that’s what Pablo is saying, but I’m just making the point that I think there’s still a ton of opportunity to automate things with software and sell it on a subscription basis. But I think the question of how much is an industry going to move because of the way that people are now relying on AI, I brought up the calendar link example, I don’t know, a lot of this stuff is to be determined. We’ll see how the lines are drawn around, how much does ChatGPT itself become the level of influence that Google is in people’s lives where some businesses that maybe were standalone before would have to become a ChatGPT plugin because that’s where everybody’s going to do a certain job or something. So I think it’s hard to know where to draw the boundaries around products, but I don’t think the opportunity to build new software is vanishing.
Rob Walling (26:46):
Yeah, I would agree. The way I think about it, and admittedly I haven’t given this particular question a ton of thought, but seeing Pablo’s question made me think about it, and the examples that I could think of, I went down the same exercise of how many apps, Salesforce is not going away. It’s going to change and we could build a different Salesforce from scratch right now or a different CRM with AI first, blah blah, blah. We could build a different one and maybe in the long term that subsumes it, but it’s not like Claude or ChatGPT or any of these other models are just going to do everything that it can. But the place where I think the apps that I think have been or can be pretty easily replaced by AI are these apps that are more utilities where it’s almost a single feature.
(27:30):
All right, so let’s talk about if you had an app, and there are some out there where you’d go in, you’d type in your URL, and this is pre-AI, and it would help you generate a bunch of images and ad copy for Facebook ads and it would do it and it had a big library and it would pull ’em together. It’s like it’s kind of a single feature, but it doesn’t mean it wasn’t important. I think AI, just as we know, just can do that really well these days and probably at a higher level. So unless they really integrate AI into that app, and even if they used to charge 20, 30, $40 a month just for that, and I’m paying $20 a month for ChatGPT and it can just kind of do 80% of that, then it’ll kill it, right? I think back to HitTail, which was a single feature. All it was, for those who don’t know, you installed a snippet of JavaScript on your website.
(28:21):
It looked at your search engine traffic. Well, later on after not provided it actually had to hit the, what was it, Google Search Console or something like that, but it then looked at the keywords people were already finding you for, but you didn’t rank on the first page for, and it would recommend these keywords that you should probably target a bit more, you have a high potential to rank for them. Well, couldn’t you just download a CSV now, put it into ChatGPT, do the exact same thing? Because it’s a single feature. There was nothing beyond that. And that I think is a big differentiator, at least in my simplistic view right now, is if your app is a single feature. The beauty of an app being a single feature is the development can be done, it can be done. These are great indie hacker lifestyle, step one, step two businesses.
(29:06):
You don’t have to constantly build and add and compete. But the danger there is that I think those are the big ones that boom, AI can swipe. I mean, I met people at MicroConf who had, a guy built a half a million dollar a year business. It was at MicroConf Europe several years ago, and it was converters, it was like a PDF to JPEG online converter or an MP3 to something. That’s all it was, was a utility to do that. And of course the world needs that and he ranked number one in Google for a bunch of these terms. Do you need that now? It’s that type of thing. And if you have simple ideas like that that are all these like, Hey, I’m just going to do this one thing and I’m going to create headshots for you and charge for it. It’s like, well, AI can do that.
Derrick Reimer (29:46):
Yeah, I think those are cases where you could still potentially make something work by getting the distribution and being really good at marketing. It’s like the companies that are going to start a new canned water or something, it’s like, okay, bottled water has been done over and over again. So it’s just purely a marketing play. It’s purely a let’s get this in front of people in the right spot and there’s something else there that’s just unrelated to the level of commoditization that the product has that gets them to buy. And I think pre AI was, I guess you could try to make technology more defensible. You could say, well, there’s some special sauce here and we do some good marketing, and now it’s a certain class of software, it’s so easy to replicate with AI or just like ChatGPT can just do it. So then that makes you have to have a high degree of skill on marketing and messaging and getting stuff in the right place in front of your potential buyers. And it skews the strategy there for sure.
Rob Walling (30:49):
Yeah, and the other thing to think about, I like what you said, it’s basically like distribution, because there will always be consumers, there are a lot of consumers these days. If my mom wanted to add captions to a video, she would just go to Google and type in how to do that. She doesn’t use ChatGPT, and so she’s going to go to the top result, which is probably Veed.io if I know them, they’re really good at this type of SEO, and if she wanted to get a headshot, she would use headshot AI instead of using you, and I would just use an AI tool, right? DALL-E or whatever to do it. So there will always be some of that, but it really also depends on, look, are you trying to build a 10,000, $20,000 a month lifestyle business that’s kind of on autopilot or are you trying to build a multimillion dollar SaaS?
(31:36):
It does depend on your goals. So thanks for that question, Pablo. Appreciate you sending it in. Our last question for the day comes from Daniel Huon. He has sent in many questions to the show over the years, and he had a question about security. He said, Steli mentioned security in episode 766, and I’m curious how much of an existential risk security is in a business that’s doing let’s say seven or eight figures, and what’s the appropriate amount to be concerned about as the business grows if founders are only thinking about things after they happen? I’m curious how much time, effort, and energy folks should be putting into this thought process. And look, Daniel brings up some other points. It’s not just penetration testing or cross site scripting, but if you have 10 employees and there’s phishing attacks, I get phished with TinySeed-specific stuff where they will send it to an email address and make it look like it’s from me and say, pay this invoice, and attach a PDF to a fake thing.
(32:51):
And it’s really obvious that it’s fake, but I always have to chime in and be like, this is fake. Don’t believe this. So there’s phishing, there’s all kinds of stuff like this and you can buy, there’s software and there’s training to help your employees not get phished. But really the question I think is around, and maybe it’s two questions, maybe it’s application and tech security and then it’s the social engineering type. How do you educate your employees and how much time should we spend thinking about this as founders at what stage? So with that very broad question, I’m going to pass it to you.
Derrick Reimer (33:24):
I mean, I haven’t thought a ton about the social engineering side just because I’m generally in a really small context where it’s not that it’s impossible for someone to try to do it, but the likelihood of it succeeding is low. I think if you’re a 10, 50, a hundred person company, the risk starts to go up as you have just more people, more chances for people to get scammed and stuff. So I think like you said, there’s training software and software that will phish people to try to use it as an education tool intentionally. So I think there’s services out there that will help with that. When’s the right time to adopt those things? I don’t think I have a well calibrated judgment barometer on that. It is probably earlier than a lot of people think that it is because I think we just tend to be idealistic and think like, well, that’s a big company problem, and it’s like it can probably kick in at a smaller stage than you’d be comfortable with. So I don’t know if you have a sense, before I go any further, do you have a sense on that? What’s the right size when you’d start thinking about actually paying for something to help your team not be exposed to phishing attacks?
Rob Walling (34:37):
I have, and it depends because I think it does depend on the industry that your app is in. So if you are a FinTech, I think you need it probably from day one, and maybe from a SOC 2 or an ISO 27001, like those compliance frameworks, I might implement something at that point if I was going to get those. If you’re FinTech, if you’re in crypto, if you’re in any type of finance, if you’re handling people’s money, payment processing, if you’re where there’s a real vector for someone to do harm and to transfer money, big sums of client money out, I think you have to have crazy lockdown pretty early. If you’re building a utility for SEO keywords or for AI headshots and your team is 10 people, I mean, I don’t know. Yeah, it would suck if someone got phished and they got your credentials and whatever, they took your server down or something, but the risk there is a lot lower.
(35:34):
So I do feel like, for me, it’s headcount that it relates to, because that’s the vector, right? It’s like I could be doing $10 million and if it’s just you and I, I’m not paying for it. I know that it’s when we get to, what do you think, 15, 20 employees, 25, 30, there’s some number in there, it’s not 50, it’s below that for me, and 10 feels safe, 10 feels fine, but I will say TinySeed MicroConf is 11 people and we get phishing stuff all the time. And so we’ve had to talk to our team about it and make sure they’re savvy. I think it also depends on the savviness of your employees. If you have a call center, let’s say you had three or four people who are making 12 bucks an hour answering phones, versus everyone is like a developer or a product person or just a more, I dunno, a tech savvy person who’s on computers all day and is really aware of it. I think there’s kind of a judgment call there, but I do echo your thought that it’s probably way earlier than we think and way earlier than we want to. How about that?
Derrick Reimer (36:35):
Yeah, totally. And I think the same holds true for the kind of application side, making sure your code base is not vulnerable to abuse. So the next point I was going to make is that if you have any kind of service exposed to the public internet, bad actors will try to abuse that system in some fashion at some point. It’s just inevitable. They can find your website by scanning IP addresses and looking for servers. So even if you don’t have much SEO going on, they’ll find your service if it’s exposed on a port publicly. And there’s a bunch of different ways that people try to abuse systems. They try to do card testing if you have some kind of checkout page to see if stolen credit cards will go through. If that happens a lot on a page that is yours, it can get you in trouble with your payment processor and interfere with that.
(37:31):
They can try to send spam of any kind through any place where your application kicks out email that takes user supplied content. This is why you’ve probably noticed those emails that you get that are “confirm your email address” after signing up for a service usually have almost no information in them, because that’s a very common one. It’s the first email that gets kicked out from a system. So if someone can sign up for your service with an email address that they want to send spam to and then inject spammy content into the name, then when it says “hi, insert name, confirm your email address,” it’ll be like, hi, Viagra, Bitcoin, whatever. And so any place where your app kicks out emails, confirmation emails, invites, invite a team member, well, that sends an email and that’s an opportunity for spammers to abuse it. Anything that you have public facing, like SavvyCal has profile pages and we’ve had people try to use our profile pages to link out to pirated movies on some BitTorrent site just as a way to host a public website that links to this thing.
(38:39):
So I think in general it’s important for developers to always be thinking, getting in the mind of a spammer, how could this thing possibly be abused? And I have some general tips that I just sort of jotted down based off of what I’ve done with SavvyCal and just other apps over the years. First one is put rate limits on everything. Most things in your app don’t need to be able to happen a hundred times a minute from the same user or same IP address. So ideally you have some kind of, whether you use a third party service that sort of sits as a firewall or you do it at your application layer inside of your code base. There’s a lot of middleware libraries in most ecosystems that you can put into your request processing pipeline and you can just say, okay, this endpoint where someone can send an invitation, how many invitations should they be able to send per minute or per 10 minutes or per hour, and just set it somewhere that’s at a reasonable level.
(39:37):
So that backstops you from someone writing a little script and suddenly they’ve kicked out 10,000 invites to spammy email addresses. I think limiting capabilities before someone pays for your product, so if you have a trial experience or you can sign up and you can look around before you upgrade to paid, make sure that you limit things as much as possible. The less people can do, the better. That’s one of the hidden costs of having a free plan, is you have to deal with potential abuse because you’re allowing full capabilities of your product without a credit card, which is just a nice deterrent layer. People can obviously steal credit cards, but you can’t do it at the same scale. I like to, well, have an easy way to block or ban IP addresses. So if you see something bad happening from an IP address, being able to, within a minute, just immediately block it to stop the bleeding is good.
(40:29):
Being able to easily ban an account, have a button in your admin interface that’s like, okay, this person is a spammer, block ’em immediately to shut ’em down. And I also have various channels, I have a feed that’s like anyone who signs up for SavvyCal, their email address and name show up in this feed and I can just sort of dip in there and keep an eye on stuff. If I see a big batch of signups come through and they’re all from Russian email addresses, like, okay, that’s a little bit of a red flag, I might take a peek at what’s going on there. And you could start to spot some of these things, which ideally you would have automated systems to catch, but sometimes just having a human eye is what’s needed in order to figure out what’s the signal here.
(41:11):
And then if something does start to become a recurring pattern, then you can implement automated things to monitor for that signal. But it’s kind of hard to know universally what are the different vectors that you’re going to experience. I think having some feeds where you can keep an eye on stuff, like keeping an eye on web analytics: if you have a huge spike in traffic, that’s something to look into. If your spam rates spike in your transactional email sending, you should be keeping an eye on that. So just the core metrics, the leading indicators when something’s going wrong, and just keeping an eye on those.
Rob Walling (41:51):
All that sounds great and that’s a nice balance of not gold plating it or overdoing it. These are kind of sensible things to bake in from the start. It’s not so much extra effort. Obviously you could go five times as restrictive or as secure and if you were building military grade software for going to war or whatever, you would have a lot more. But this is a really nice baseline. I like the way to think about that and it’s a lot about outliers, like you said. It’s like, oh, you monitor if this spikes, if that spikes just have something throw up an alert and you can go in and you’re either going to be pleasantly surprised like, oh, hey, we just had a really big customer send a big thing and we’re going to make more money this month because of it. Or we are presently being hacked and we need to figure out what to do.
(42:33):
So it’s always a balance. These are the really, I think, challenging topics where it depends on the industry, it depends on exactly what kind of software you’re building like we’re saying. But it also depends, I think on, it’s kind of like how big of a vector you have. Meaning when you just start out and you have 10 people coming to the website a month, it’s just nothing’s going to happen. But there will hit a point where you have 10,000 uniques, a hundred thousand uniques, whatever it is where you get noticed on the internet. And then once that happens, you usually wind up on some type of list somewhere on the dark web and people really start coming in. And so having the basics kind of tied down or dialed in I think is good because there’s always going to be, no matter how much you do upfront, they’ll always find another vector and that’s when you just have to start figuring out how to plug those other holes as well.
Derrick Reimer (43:25):
Yeah, that’s where stuff like rate limiting, it doesn’t prevent people from doing any kind of spam, but it hopefully just mitigates the level of damage. So when you’re just putting a hard cap on how much volume, because that’s really the worst thing. It’s like if someone does figure out some vector and then you wake up in the morning and they’ve sent 150,000 spam messages and now your transactional bill is a thousand dollars and you’ve been blocked because you’ve exceeded your spam rates, that’s when stuff really gets into a bad place. So if you’re just mitigating volume, that can go a long way in just capping the bleeding.
Rob Walling (44:06):
Yeah, that’s a good way to think about it. Derrick Reimer, thanks so much for joining me on the show. Again, you are @derrickreimer on Twitter and of course SavvyCal if folks want to check out the best scheduling link on the internet, but it’s not just scheduling for meetings, it is also scheduling for appointments. And do you want to give folks an idea of what’s going on with the appointment side?
Derrick Reimer (44:30):
Yeah, so I’ve teased about or talked about this on the show before, but yeah, SavvyCal Appointments is a new product line from the SavvyCal team. And with this product, we’re really trying to be sort of an infrastructure layer for businesses that need to build a custom scheduling flow into their existing stack, whether it’s like a medical clinic that needs to take initial consultations through a custom form, and as part of that, they need to present time slots for the providers in the office who can be on rotation to take these appointments. That’s just one example. We’re looking at kind of platform level integrations where if you want to offer sort of appointment scheduling in a box for your CRM product, we could potentially be your partner for that. So I think there’s a lot of opportunity here to take some of our best learnings from building SavvyCal, the meeting scheduling product, and apply it to sort of these more custom setups where people need scheduling capability, but you don’t want to build everything from scratch. So that’s what we’re playing in.
Rob Walling (45:35):
So if you’re either an agency or freelancer and you are building this for, as you said, medical clinics or other appointment scheduling type businesses, you should reach out to Derrick. Or if you have a product like you said, a CRM or any other thing where you’re thinking about this, you can hit him up at derrick@savvycal.com. Thanks again for joining me, man. Thanks so much to Derrick for taking an hour out of his day and coming back on the show. It’s been great having you here listening to this show, whether it’s been one week, one year or 10 years. Thanks for listening this week and every week. This is Rob Walling signing off from episode 810. If you’re listening to this, you made it to the hidden track. This is where I ambush Derrick without any prior notice. He thought that we were going to dive into listener questions and in fact, we are diving into questions about one of his favorite streaming shows, Selling Sunset. So I have confidential informants around the world.
Derrick Reimer (47:26):
Oh my gosh.
Rob Walling (47:27):
And I ask them about my guests and Derrick, somebody outed you. My
Derrick Reimer (47:31):
Guilty pleasure has been
Rob Walling (47:33):
Exposed. Fan of Selling Sunset, seasons one through four only, I’ve been told. And if folks haven’t ever heard of or seen the show, do you want to give them a 30-second overview of what it is? I think it’s on Netflix.
Derrick Reimer (47:47):
It’s on Netflix, yeah. Yeah. I’ve kind of gone up and down on different types of TV shows that I like to I hear you couching
Rob Walling (47:58):
This. Are you trying to justify it
Derrick Reimer (47:59):
Already unwind with, okay. And I do like me some real estate. It’s always fun to see fancy houses and great views and all that kind of stuff. And I’ve also discovered that I find a little bit of reality drama is sometimes just a fun way to disconnect from real reality. And so I would say Selling Sunset and the similar types of shows are about 80% reality drama, 20% real estate. I think you’re just following along the lives of these people who have strong personalities and interesting interpersonal dynamics like any reality show, and with a little bit of luxury real estate sprinkled in
Rob Walling (48:48):
And you’re like, Ooh, nice house. Oh boy, here’s the argument again. Why are they breaking up or getting married again or whatever.
Speaker 3 (48:55):
Yeah.
Rob Walling (48:55):
Alright, so I have a few trivia questions for you. Seasons one through four only, I’ve been informed that you’ve seen, and I tried to make them not
Derrick Reimer (49:05):
Still plow my way through it.
Rob Walling (49:07):
I think there are nine seasons when I researched it, I’m like, I’ve never even heard of this show. What is this? Well, that’s
Derrick Reimer (49:12):
The other thing I like sometimes when you can just get into a storyline and then there’s just a lot of meat on the bone there, you can just sit with it for a while. It’s kind of a bummer when you start a show and it’s like, oh, nine episodes and then it’s done and you’re like, great.
Rob Walling (49:27):
And it’s a bummer to sit down every night and be like, well, what do you want to watch? I don’t know. What do I want to watch? And if you know you’re into something, you just roll with it. You
Derrick Reimer (49:35):
Can just dip back into the stream, catch a little bit of entertainment and dip back out.
Rob Walling (49:41):
Alright, so these questions are going to be in increasing order of difficulty. I’m guessing, of all the listeners, there’s like two that have even heard of this show. So it’s what is happening right now. Alright, starting with the easy question. What Los Angeles based real estate brokerage is featured in Selling Sunset? The
Derrick Reimer (49:59):
Oppenheim Group.
Rob Walling (50:01):
Alright, very nice, one for one. A hundred percent. Which cast member was known early on for her bold fashion choices and frequent drama with coworkers?
Derrick Reimer (50:12):
It’s got to be Christine,
Rob Walling (50:14):
It is
Derrick Reimer (50:15):
Christine Quinn. Oh yeah, she’s the villain. She’s the villain.
Rob Walling (50:22):
Do they make her out to be the villain or is she kind of actually the villain?
Derrick Reimer (50:25):
Here’s the thing, I don’t know how much, I don’t really know what goes on behind the scenes of these reality shows and how much the producers are stoking the drama or telling this person like, Hey, you should come in really hot into this argument. So I don’t know how manipulated it is, but boy, she sure seems like a villain just in her natural personality.
Rob Walling (50:45):
Yeah. Alright, so far, two for two. Before joining real estate, which Selling Sunset agent was a soap opera actress on Days of Our Lives?
Derrick Reimer (50:55):
Was... oh, oh, was that Chrishell?
Rob Walling (50:58):
It is Chrishell. Stause. Stause,
Derrick Reimer (51:02):
Yeah. Yep.
Rob Walling (51:03):
All right. Three for three. Brett Oppenheim eventually left the Oppenheim Group to start his own firm. What was it called?
Derrick Reimer (51:15):
Oh my gosh, I don’t think I’m there yet.
Rob Walling (51:17):
What? Spoiler alert. I’m so sorry. Oh no, this is brutal.
Derrick Reimer (51:22):
That’s alright. You
Rob Walling (51:23):
Spoiler of a reality TV show. Yeah,
Derrick Reimer (51:27):
I do occasionally look up something. There’s a lot of tech gazillionaires that end up showing up on this show. Someone’s dating some guy who’s shopping for a $60 million house. And of course, nine times out of 10 it’s like, I made a bunch of money in tech. So I’ll go look him up, like, who is this guy? Have I heard of his company? Then I often will just get numerous spoilers in the process of trying to figure out some detail like that.
Rob Walling (51:51):
Yeah. Oh boy, that’s coming up. That’s what you have to look forward to, dude.
Derrick Reimer (51:55):
Yes.
Rob Walling (51:56):
Okay. Alright. You got three for three? Let’s do one more. Hopefully this is, I mean, maybe any of these are spoilers at this point. I said ChatGPT, one through four. Are you done with season four or are you just in the middle of it?
Derrick Reimer (52:06):
I guess I could be partway through season four. I honestly don’t remember.
Rob Walling (52:11):
Alright, let’s try this one. Which agent joins the cast in season four and becomes a central figure in the conflict involving Christine and the alleged bribe situation?
Derrick Reimer (52:22):
Bribe situation.
Rob Walling (52:25):
I wonder if this is also a spoiler.
Derrick Reimer (52:29):
I’m trying to think. That could be construed. Is it Vanessa? It’s not Vanessa.
Rob Walling (52:34):
Someone named Emma.
Derrick Reimer (52:35):
Emma. Emma, yeah. Yeah, yeah. Okay. Yeah, I don’t know if I’ve heard about the bribe, but maybe
Rob Walling (52:40):
That’s, see this is, ah, all right, well let’s try one more. We’re going to throw that one out. Last one. This is season three. According to ChatGPT, this is your last, so you’re three for three. In season three, what major event in Chrishell’s personal life becomes a major storyline and affects her relationships at the brokerage?
Derrick Reimer (52:56):
Okay. She got a divorce and then she started... okay. Alright. And then she’s dating the owner of the brokerage right now, which was very shocking to see. Yeah, Jason, the forever bachelor, Jason. So we’ll see how that plays out.
Rob Walling (53:14):
Alright, well yeah, you truly do know a shocking amount about this show. Much. An embarrassing amount. This is a little creepy. Is there any way, yeah, you could dial down that brain section and maybe know a little more about, I don’t know, espresso
Derrick Reimer (53:33):
Or So, dude, I was hoping you would fail this just for your own integrity’s sake. I kind of
Rob Walling (53:39):
Was a little bit, everyone, you were being so judged by tens of listeners who have stuck with us this far.