Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building Security Culture on Infrastructure Teams

Franklin Hu
June 12, 2019
Technology
1
400

Building Security Culture on Infrastructure Teams

Security is an increasingly important aspect of software development, especially for services that process and store sensitive data.

In rapidly growing and dynamic organizations, infrastructure teams need to balance building features to support product growth and business goals while maintaining a secure platform. At Stripe we believe that security is a collective responsibility, and it’s especially important to closely collaborate with security teams to continually improve the quality of decisions and changes that affect sensitive systems.

In this talk, we’ll discuss strategies for building a culture of security so infrastructure and security teams can each play to their strengths while maintaining high development velocity. We’ll walk through some examples of both how we typically run security-sensitive projects at Stripe as well as processes that help to extend security awareness (and interest!) through the rest of your organization.

Franklin Hu

June 12, 2019
Tweet

More Decks by Franklin Hu

See All by Franklin Hu
Learning Your 爱比西s: Translating Chinese into Morse code!
franklinhu
0
670
Kubernetes Cron Jobs: Alpha to Production
franklinhu
1
440

Other Decks in Technology

See All in Technology
AWS IAMのアンチパターン/AWSが考える最低権限実現へのアプローチ概略(JAWS-UG朝会#59資料改修20分版)
htan
0
330
エンジニアの生存戦略 〜クラウド潮流の経験から紐解く技術トレンドのメカニズムと乗りこなし方〜
shimy
9
1.9k
AWSサービスメニュー開発をしていてAWSを好きだ!と感じた瞬間
toru_kubota
0
130
地理情報とAPIのトレンド
nagix
0
160
サービス開発を前に進めるために 新米リードエンジニアが 取り組んだこと / Steps Taken by a Novice Lead Engineer to Advance Service Development
nologyance
0
180
CTOから見た事業開発とプロダクト開発 / My Perspective on Business and Product Development as CTO
keisuke69
4
960
テストケースの自動生成に生成AIの導入を試みた話と生成AIによる今後の期待
shift_evolve
0
180
目標設定は好きですか? アジャイルとともに目標と向き合い続ける方法 / Do you like target Management?
kakehashi
10
3k
VPoEの視点から見た、ヘンリーがサーバーサイドKotlinを使う理由 / Why Server-side Kotlin 2024
cho0o0
1
420
dxd2024-生成AIに振り回された3か月間の成功と失敗/dxd2024-link-and-motivation
lmi
2
260
JBUG岡山 #6 WordCamp男木島の チームビルディング
takeshifurusato
0
150
テスト・設計研修【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
170

Featured

See All Featured
Building Adaptive Systems
keathley
34
2k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
353
29k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Building Applications with DynamoDB
mza
89
5.8k
Done Done
chrislema
179
15k
How to Ace a Technical Interview
jacobian
274
23k
Automating Front-end Workflow
addyosmani
1362
200k
A designer walks into a library…
pauljervisheath
201
24k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
18
1.2k
WebSockets: Embracing the real-time Web
robhawkes
59
7.2k
Typedesign – Prime Four
hannesfritz
37
2.2k
Fantastic passwords and where to find them - at NoRuKo
philnash
42
2.7k

Transcript

  1. Building Security Culture on infrastructure teams (or any engineering team)

    Franklin Hu @thisisfranklin [email protected]
  2. None

  3. Image of payments happening

  4. Challenges Building & Maintaining Trust Scaling with Growth

  5. What do we want in our security culture? Learning &

    Growth Empathy Responsibility

  6. Learning & Growth Create a safe space where people can:

    • Build expertise over time • Ask questions • Try things and fail in a supported way

  7. No Shaming.

  8. “Shame erodes our courage and fuels disengagement” – Brené Brown

  9. Learn from mistakes, don’t shame Learning & Growth

  10. Diverse & Dynamic → Disagreements Empathy

  11. Thou shall not use ...

  12. Security is Everyone’s Job Responsibility

  13. ...with shrinking surface area over time Responsibility

  14. What do we want in our security culture? Learning &

    Growth Empathy Responsibility

  15. How do we do this? Practices Environment Process

  16. Practices

  17. Find security-interested people Practices

  18. Rotations! Practices

  19. Security advocates Practices

  20. Environment Fostering a positive culture of learning

  21. Make space for learning

  22. Discussion & Presentation Forums

  23. Tabletops & Game Days

  24. Tabletops Tabletops: Talk through response to a scenario

  25. Tabletops Scenarios can be cross functional: Legal, Engineering, Regulatory

  26. Game Day: What happens if we `kill -9 redis`?

  27. shipped@ / fixed@

  28. security-shipped@ pre-shipped@

  29. Increment

  30. Increment

  31. Processes

  32. Security review? Classic Programmer Paintings, Their First Code Review

  33. Security Review: Context, Context, Context

  34. To conclude... Elements • Responsibility • Learning & Growth •

    Empathy Tools • Rotations • Security Advocates • Tabletops, Gamedays • shipped@, fixed@ • Security Review

  35. Thanks! Franklin Hu @thisisfranklin [email protected] Appendix Daring Greatly: How the

    Courage to be Vulnerable Transforms the Way We Live, Love, Parent, and Lead (Brené Brown) Increment.com https://stripe.com/blog/game-day-e xercises-at-stripe