Why OpenFn Dedicates Monthly All-Hands to Cybersecurity
We sat down with software engineer Mtuchi to explore why OpenFn makes security everyone's responsibility - and why that matters for Digital Public Goods.
When you're building Digital Public Infrastructure (DPI) to handle government payments, healthcare records, and humanitarian aid delivery, security isn't just a developer concern; it's everyone's responsibility.
At OpenFn, we describe ourselves as secure, stable, and scalable… in that order. Security comes first not only because it’s important but because it influences how we think about everything else. Some organizations approach security as a technical checklist: secure code, vulnerability patches, penetration testing. These matter, but they miss a critical reality: the security of a Digital Public Good (DPG) depends as much on organizational practices and culture—the “security posture”—as it does on code quality. A perfectly secure codebase means little if team members fall for phishing attempts, use weak passwords, or mishandle sensitive credentials.

That's why OpenFn dedicates half an hour every month to an all-team security stand-up. Not just developers. Everyone. From engineers to implementation specialists to our sales team. This isn't standard practice in the industry, but it reflects how we think about our responsibility as stewards of DPI.
Security Beyond the Code
DPGs like OpenFn serve populations that can't afford security failures. When a health system relies on OpenFn to route critical patient data between facilities, the stakes are real and the margin for error is zero.
For this reason, OpenFn has undergone a full security review by the UNICC (UN International Computing Centre) to meet UNICEF Class-I security standards. Class-I is the highest level of security requirements, designed for ICT organizations that handle confidential information critical to UNICEF operations, and it focuses on the organization-wide security program.
While a focus on encryption, access management and secure API design is necessary, it is not sufficient. Security breaches rarely happen because of sophisticated code exploits. They happen because someone clicked a malicious link, reused a password, or didn't recognize social engineering.
For organizations building and maintaining DPGs and DPI, security must extend across the entire team and every operational practice. The person managing client communications needs to recognize phishing attempts. The finance team needs to understand business email compromise tactics. The deployment team needs to follow secure credential management protocols.
This is what sets OpenFn apart: we don't just build secure software. We operate as a security-conscious organization.
A Conversation with Mtuchi: Building Security Culture

We sat down with Emmanuel Evance, more affectionately known as Mtuchi, a software engineer at OpenFn who’s currently serving as “MC” for our monthly security stand-ups, to understand why this approach matters and how it works in practice.
What does a typical monthly security stand-up look like?
Mtuchi's response: The agenda usually starts by following up on action items from the previous meeting, then goes through any new incidents, security news, vulnerabilities detected in common software dependencies, or scams that team members have heard of or been targeted with. These could be anything from phishing emails to spam emails, hacks, and so on.
Why is it important for the entire team to participate, not just engineers? What security risks exist beyond the codebase?
Mtuchi's response: Non-technical team members face real security risks too. A recent example is the phishing email that led to a supply chain attack in most of the widely used npm packages. Even though the author of those npm packages is a technical person, he got pwned. So the security standup is really a safe space where you can share and learn different best practices on staying safe online. We work with different organizations who trust us to handle sensitive information like personally identifiable data so it’s crucial to learn safe security measures when dealing with such information.
Can you share an example that resonated across the team?
Mtuchi's response: A partner organization was recently hacked by a phishing email. The attacker used the compromised email account to spread more phishing emails to the list of employees and partners they exported through the compromised account. This was a good reminder that social impact organizations are not immune to targeting, and that we should all be on the lookout for suspicious emails. Watch for red flags like unexpected attachments, unexpected links, and a sense of urgency—attackers often try to create a panic.
Are there security considerations unique to DPGs and DPI that make this whole-team approach even more critical?
Mtuchi's response: Yes. Building trust in government is a critical part of building a functioning society, so the stakes for DPG/DPI work are much higher. A security failure or even a service shutdown is a really big deal because it can cost lives, or erode trust in public institutions. For DPG/DPI providers, security awareness can't be siloed in engineering.
There are a number of things we do to ensure everyone working on a DPI implementation is prepared. One example is our internal OpenFn IT Security Training. Every new hire goes through this program, which covers different topics like how to handle security breaches and security considerations for OpenFn projects. Another is in the feature-set of the platform: we built OpenFn to be able to handle different data storage requirements, especially for projects with strict compliance regulations like GDPR, HIPAA or the need for zero-persistence data pipelines. Learn more -> https://www.openfn.org/compliance
Why This Matters for the DPG Ecosystem
DPI requires a different security standard than typical commercial SaaS products. We're not just protecting our business—we're protecting vulnerable populations, government systems, and critical health and humanitarian operations.
As the DPG ecosystem matures, we need to normalize comprehensive security practices that extend beyond code audits and compliance frameworks. UNICC’s entry into the Digital Public Goods Alliance creates a real opportunity to establish shared standards, and we’re committed to being a part of that conversation.
For organizations building and deploying DPI, a security-conscious culture isn’t a differentiator; it is the baseline.
Ready to build secure, scalable workflow automation for your organization? Sign up free at app.openfn.org or join our weekly calls to learn how OpenFn's security-first approach protects your critical service automations.
Written by
Emmanuel Evance and Justine Stewart