Security Chaos Engineering

Book description

Information security is broken. Users and customers continually entrust companies with vital information, and companies continually fail to maintain that trust. Year after year, the same attacks are successful. But the impact has become greater. Those who build, operate, and defend systems need to acknowledge that failure will happen. People will click on the wrong thing. The security implications of code changes won't be clear. Things will break.

In this report, Aaron Rinehart and Kelly Shortridge explain how engineers can navigate security in this new frontier. You'll learn the guiding principles of security chaos engineering for harnessing experimentation and failure as tools for empowerment, and you'll understand how to transform security from a gatekeeper to a valued advisor. Case studies from Capital One and Cardinal Health are included.

  • Apply chaos engineering and resilience engineering to securely deliver software and services
  • Transform security into an innovative and collaborative engine for enhancing operational speed and stability
  • Anticipate and identify security failure before it turns into an incident, outage, or breach
  • Harness failure to continuously improve your security strategy
  • Learn your systems' ability to handle security-relevant failures such as system exploitation and server failures
  • Apply a series of controlled experiments in engineering testing processes

Table of contents

  1. The Case for Security Chaos Engineering
    1. The Greatest Teacher
  2. 1. Experimenting with Failure
    1. The Foundation of Resilience
    2. Things Will Fail
    3. Benefits of SCE
  3. 2. Decision Trees—Making Attacker Math Work for You
    1. Decision Trees for Threat Modeling
      1. Decision Tree Walkthrough: S3 Bucket with Customer Data
      2. Outthinking Your Adversaries
      3. Getting Started on Your Own Decision Tree
      4. Incident Retrospectives
  4. 3. SCE versus Security Theater—Getting Drama out of Security
    1. Security Theater
    2. Security Approval Patterns
  5. 4. Democratizing Security
    1. What Is Alternative Analysis?
    2. Distributed Alternative Analysis
    3. The Security Champions Program
  6. 5. Build Security in SCE
    1. Failure in the Build Phase
    2. Application Security Failures in Containers and Image Repositories
    3. Security Failures in Build Pipelines
  7. 6. Production Security in SCE
    1. The DIE Triad
    2. Failure in Production Systems
    3. System Failures in Production
  8. 7. The Journey into SCE
    1. Validate Known Assumptions
    2. Crafting Security Chaos Experiments
    3. Experiment Design Process
      1. Document Steady State
      2. Design Hypothesis
      3. Contain the Blast Radius
      4. Fallback Plans
      5. Notify the Organization
      6. Plan Your Game Days and Execute the Experiment
      7. Measure the Impact of Each Failure!
      8. Validate the Feedback Expected from Your Security and Visibility Tools
      9. Automate the Experiment for Continual Use
    4. Game Days
    5. Use Case: Security Architecture
    6. Use Case: Security Monitoring
      1. Gaining New Insights with SCE
    7. Use Case: Incident Response
    8. SCE Tools: ChaoSlingr
    9. SCE Tools: CloudStrike
  9. 8. Case Studies
    1. Case Study: Applied Security—Cardinal Health
      1. Building the SCE Culture
      2. The Mission of Applied Security
      3. The Method: Continuous Verification and Validation
    2. Case Study: Cyber Chaos Engineering—Capital One
      1. Enter SCE
      2. Leadership Buy-In
  10. Conclusion
  11. Acknowledgments
  12. About the Authors

Product information

  • Title: Security Chaos Engineering
  • Author(s): Aaron Rinehart, Kelly Shortridge
  • Release date: December 2020
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781492080343