Building Security Culture on Infrastructure Teams

Security is an increasingly important aspect of software development, especially for services that process and store sensitive data.

In rapidly growing and dynamic organizations, infrastructure teams need to balance building features that support product growth and business goals with maintaining a secure platform. At Stripe we believe that security is a collective responsibility, and it’s especially important to collaborate closely with security teams to continually improve the quality of decisions and changes that affect sensitive systems.

In this talk, we’ll discuss strategies for building a culture of security so infrastructure and security teams can each play to their strengths while maintaining high development velocity. We’ll walk through some examples of how we typically run security-sensitive projects at Stripe, as well as processes that help to extend security awareness (and interest!) through the rest of your organization.


Franklin Hu

June 12, 2019


Slide 1: Building Security Culture on infrastructure teams (or any engineering team)

Franklin Hu @thisisfranklin

Slide 6: Learning & Growth

Create a safe space where people can:

• Build expertise over time
• Ask questions
• Try things and fail in a supported way

Slide 34: To conclude...

Elements

• Responsibility
• Learning & Growth
• Empathy

Tools

• Rotations
• Security Advocates
• Tabletops, Gamedays
• shipped@, fixed@
• Security Review

Slide 35: Thanks!

Franklin Hu @thisisfranklin

Appendix

Daring Greatly: How the Courage to be Vulnerable Transforms the Way We Live, Love, Parent, and Lead (Brené Brown) xercises-at-stripe