
Latest Read: Security Chaos Engineering

Security Chaos Engineering: Sustaining Resilience in Software and Systems by Kelly Shortridge and Aaron Rinehart.


Kelly holds a BA in Economics from Vassar College. She previously served as Vice President of Security Strategy at Capsule8 (acquired by Google Cloud) and held management roles at SecurityScorecard. She co-founded IperLane, a security startup acquired by CrowdStrike. Today Kelly is a Senior Principal in the Office of the CTO at Fastly. She is a frequent speaker at major conferences like Black Hat, RSA, and O’Reilly Velocity.

Aaron holds a BA in Economics from the University of Missouri. He was the Co-founder and CTO of Verica (a chaos engineering startup) and a Distinguished Engineer at Capital One. He is widely recognized as a pioneer in applying chaos engineering specifically to the security domain. A former Chief Security Architect at UnitedHealth Group (UHG), Aaron led the release of ChaoSlingr, an early open-source security chaos engineering tool. He is a frequent keynote speaker at the National Press Club, RSA, and DEF CON.

Both share that traditional security relies on the “fortress” mentality: building thicker walls to keep attackers out. However, they state that in modern, complex, distributed systems, failure is not just possible, it’s actually inevitable. So, don’t let the inevitable system failures stall organizational progress. By adopting Security Chaos Engineering, you build the ‘immune system’ your software needs to withstand adverse events, ensuring your business goals and engineering velocity remain on track even under pressure.

It’s all about the power of Regex

So enter Security Chaos Engineering (SCE), a discipline of performing proactive, controlled experiments to discover systemic weaknesses before your adversaries can exploit them. Why wait for a cyber event when you can “inject” conditions to verify that your security controls actually work? Kelly and Aaron outline Five Capabilities of Resilience:

  1. Absorption: The ability to take a hit without failing (e.g., rate limiting).
  2. Adaptability: Capacity to change behavior based on new information.
  3. Restorability: How quickly a system returns to a known, secure state.
  4. Observability: Ability to understand the internal state of a system from its external outputs.
  5. Learnability: An organization’s ability to turn failures into institutional knowledge.

As we continue moving to modern platform engineering and DevSecOps, the legacy “siloed” approach to security is falling behind. In fact, Kelly and Aaron offer a vocabulary and a methodology to integrate security into your organization’s engineering lifecycle.

In conclusion, Security Chaos Engineering is particularly critical of “security theater”: the tools and processes that provide a false sense of safety but fail when actual cyber attacks develop. By embracing chaos, organizations can stand up systems that are not only secure but also robust and actually antifragile. Organizations can move from fear-based security to mature, confidence-based engineering.


GOTO Conferences | Security Chaos Engineering • Kelly Shortridge, Aaron Rinehart
GOTO Conferences | Practical Magic
Resilient Cyber | Resilient Cyber w/ Kelly Shortridge
S4 Events | Kelly Shortridge: Security Chaos Engineering in ICS