Tweet
Tweet

Slide 1

Slide 1 text

Security Chaos Engineering Injecting Failures for mitigating vulnerabilities

Slide 2

Slide 2 text

Nice to meet you YURY NIÑO DevOps Engineer and Chaos Engineer Advocate Loves building software applications, solving resilience issues and teaching. Passionate about reading, writing and cycling.

Slide 3

Slide 3 text

If you know the enemy and know yourself, you need not fear the result of a hundred battles … The Art of War. Sun Tzu

Slide 4

Slide 4 text

Agenda * What is CyberSecurity? * The Cause is the Human Error: FALSE * The Cloud is Insecure :O :O * Cloud Security Patterns * Chaos Engineering * DevSecOps & Chaos Tools

Slide 5

Slide 5 text

How many of you have made mistakes in production?

Slide 6

Slide 6 text

Unfortunately, when it comes to Cyber Security, that’s also kind of the problem. The Human factors in cyber security are perhaps the biggest challenge when building an effective threat prevention strategy. Aaron Rinehart. Human Factor in Cyber Security.

Slide 7

Slide 7 text

What is Cyber Security?

Slide 8

Slide 8 text

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These attacks are usually aimed at: ● Accessing ● Changing ● Destroying sensitive information

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

Why do we need security in the systems today?

Slide 11

Slide 11 text

Because the World is Insecure and Chaotic! Cyberattacks can take our systems down and keep them down for a long time.

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

No content

Slide 16

Slide 16 text

Microservices Vulnerabilities ● Operational complexity. ● Hard mapping traffic flows. ● Polyglot programming problem. ● Lack of activity logging strategy. Netflix Microservices Visualization Taken from Medium

Slide 17

Slide 17 text

Cloud Vulnerabilities ● Data breaches. ● Weak identity and accesses. ● Insecure interfaces and APIs. ● Account hijacking. ● Data loss. ● Abuse use of cloud services. ● Shared technology issues.

Slide 18

Slide 18 text

Containers Vulnerabilities ● Kernel exploit. ● Denial of service attacks. ● Container breakouts. ● Untrusted registries and images.

Slide 19

Slide 19 text

Challenges in Cloud Availability Data Management Design & Implementation Messaging Management & Monitoring Performance & Scalability Security Resilience

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

Human Error is the Symptom NO the Cause!

Slide 23

Slide 23 text

What is Security Chaos Engineering?

Slide 24

Slide 24 text

Chaos Engineering It is deliberately inducing stress or fault into software and/or hardware as a way of learning/verifying things about systems on production. https://www.gremlin.com

Slide 25

Slide 25 text

Security Chaos Engineering takes the Chaos Engineering principles forward into the domain of security. Security practices aren’t fit for purpose! Amrata Joshii

Slide 26

Slide 26 text

More Chaos Security Engineering We deliberately introduce false positives into production networks and other infrastructure — build-time dependencies, for example — to check whether procedures in place are capable of identifying security failures under controlled conditions. www.thoughtworks.com

Slide 27

Slide 27 text

More Chaos Security Engineering www.thoughtworks.com

Slide 28

Slide 28 text

No content

Slide 29

Slide 29 text

Who should to practice Security Chaos Engineering?

Slide 30

Slide 30 text

Come on! We are Devs and DevOps! Hire a security guy ...

Slide 31

Slide 31 text

What is SecDevOps, DevSecOps, DevOpsSec or whatever you call it?

Slide 32

Slide 32 text

Dev[Sec]Ops is... empowered engineering teams taking ownership of how their product performs in production [including security chaos engineering] Taken from DevOpsSec by Jim Bird

Slide 33

Slide 33 text

No content

Slide 34

Slide 34 text

Chaos Tooling ● Automate security audits. ● Detect security flaws. ● Regularly break the build. ● Have accurate audit report results. ● Use real-time protection. ● Focus on instrumentation.

Slide 35

Slide 35 text

No content

Slide 36

Slide 36 text

No content

Slide 37

Slide 37 text

No content

Slide 38

Slide 38 text

No content

Slide 39

Slide 39 text

How to begin ... https://www.gremlin.com https://chaosengineering.slack.com https://github.com/dastergon/awesome -chaos-engineering https://www.infoq.com/chaos-engineeri ng @yurynino