Building Security Culture on Infrastructure Teams

Security is an increasingly important aspect of software development, especially for services that process and store sensitive data.

In rapidly growing and dynamic organizations, infrastructure teams need to balance building features to support product growth and business goals while maintaining a secure platform. At Stripe we believe that security is a collective responsibility, and it’s especially important to closely collaborate with security teams to continually improve the quality of decisions and changes that affect sensitive systems.

In this talk, we’ll discuss strategies for building a culture of security so that infrastructure and security teams can each play to their strengths while maintaining high development velocity. We’ll walk through examples of both how we typically run security-sensitive projects at Stripe and processes that help extend security awareness (and interest!) through the rest of your organization.

Franklin Hu

June 12, 2019

Transcript

  1. Building Security Culture on infrastructure teams (or any engineering team) Franklin Hu @thisisfranklin franklin@stripe.com
  2. None
  3. Image of payments happening

  4. Challenges Building & Maintaining Trust Scaling with Growth

  5. What do we want in our security culture? Learning & Growth, Empathy, Responsibility
  6. Learning & Growth: Create a safe space where people can: • Build expertise over time • Ask questions • Try things and fail in a supported way
  7. No Shaming.

  8. “Shame erodes our courage and fuels disengagement” – Brené Brown

  9. Learn from mistakes, don’t shame Learning & Growth

  10. Diverse & Dynamic → Disagreements Empathy

  11. Thou shall not use ...

  12. Security is Everyone’s Job Responsibility

  13. ...with shrinking surface area over time Responsibility

  14. What do we want in our security culture? Learning & Growth, Empathy, Responsibility
  15. How do we do this? Practices Environment Process

  16. Practices

  17. Find security-interested people Practices

  18. Rotations! Practices

  19. Security advocates Practices

  20. Environment Fostering a positive culture of learning

  21. Make space for learning

  22. Discussion & Presentation Forums

  23. Tabletops & Game Days

  24. Tabletops Tabletops: Talk through response to a scenario

  25. Tabletops Scenarios can be cross functional: Legal, Engineering, Regulatory

  26. Game Day: What happens if we `kill -9 redis`?

  27. shipped@ / fixed@

  28. security-shipped@ pre-shipped@

  29. Increment

  30. Increment

  31. Processes

  32. Security review? Classic Programmer Paintings, Their First Code Review

  33. Security Review: Context, Context, Context

  34. To conclude... Elements • Responsibility • Learning & Growth • Empathy Tools • Rotations • Security Advocates • Tabletops, Gamedays • shipped@, fixed@ • Security Review
  35. Thanks! Franklin Hu @thisisfranklin franklin@stripe.com Appendix: Daring Greatly: How the Courage to be Vulnerable Transforms the Way We Live, Love, Parent, and Lead (Brené Brown); Increment.com; https://stripe.com/blog/game-day-exercises-at-stripe