EP132 Chaos Engineering for Security: How to Improve Software Resilience with Kelly Shortridge
Jul 31, 2023
Kelly Shortridge, Senior Principal Engineer at Fastly, discusses the concept of Security Chaos Engineering and its intersection with cloud security. She talks about how chaos engineering can improve software resilience and security alerting. Kelly shares her favorite chaos engineering experiment and how it can break organizations out of their 1990s thinking. The podcast also explores the importance of understanding threat models, iterative approaches to software resilience, and learning from failures.
Security chaos engineering promotes software resilience and adaptive security strategies.
Implementing software resilience involves iterative development, validation of assumptions, and continuous learning.
Deep dives
Software Resilience and the Principles of Chaos Engineering
Software resilience and the principles of chaos engineering form the foundation for a more modern and effective approach to security. Security chaos engineering is all about building software systems that can gracefully recover from failure and adapt to changing conditions. It draws on lessons learned from various domains and emphasizes the importance of adaptation and resilience. By adopting software resilience practices, organizations can transform their security mindset from a reactive 'department of no' approach to a more proactive and modern strategy.
Embracing the Iterative Approach
Implementing software resilience and chaos engineering is not about achieving perfection from day one, but rather about embracing an iterative approach to development. Starting with an evaluation of existing systems, including flow and architecture diagrams, organizations can identify their assumptions and areas for improvement. Through decision tree exercises and small-scale experiments, security teams can validate those assumptions and refine their strategies over time. Progress, adaptability, and continuous learning form the core of this approach.
Practical Tips for Software Resilience
There are various practical strategies and tactics that can help organizations improve their software resilience. One recommendation is to explore the use of type systems and static typing to encode intentions and enhance code reliability. Other suggestions include considering memory safety, utilizing immutable infrastructure, and adopting security by design principles. These approaches focus on making infrastructure and coding choices that promote resilience and reduce vulnerabilities.
Recommended Reading
In addition to Kelly Shortridge's book 'Software Resilience: Start with Security Chaos Engineering', recommended reading includes 'Cybersecurity Myths' by Jean-Sebastien Baffert and Josiah Dykstra, which aims to debunk common misconceptions in the security industry. 'Designing Data-Intensive Applications' by Martin Kleppmann offers insights into the inner workings of data-driven systems. 'Normal Accidents' by Charles Perrow explores resilience and catastrophic system failures in various domains, shedding light on the complexity and trade-offs involved.
Kelly Shortridge, Senior Principal Engineer in the Office of the CTO at Fastly
Topics:
So what is Security Chaos Engineering?
“Chapter 5. Operating and Observing” is Anton’s favorite. One thing that mystifies me, however, is that you outline how to fail with alerts (send too many), but it is not entirely clear how to practically succeed with them? How does chaos engineering help security alerting / detection?
How chaos engineering (or is it really about software resilience?) intersects with Cloud security - is this peanut butter and chocolate or more like peanut butter and pickles?
How can organizations get started with chaos engineering for software resilience and security?
What is your favorite chaos engineering experiment that you have ever done?
We often talk about using the SRE lessons for security, and yet many organizations do security the 1990s way. Are there ways to use chaos engineering as a forcing function to break people out of their 1990s thinking and time warp them to 2023?