Security Chaos Engineering

Yury Nino
September 14, 2019

Transcript

  1. Nice to meet you. YURY NIÑO: DevOps Engineer and Chaos Engineer Advocate. Loves building software applications, solving resilience issues and teaching. Passionate about reading, writing and cycling.
  2. "If you know the enemy and know yourself, you need not fear the result of a hundred battles …" The Art of War. Sun Tzu
  3. Agenda
    * What is CyberSecurity?
    * The Cause is the Human Error: FALSE
    * The Cloud is Insecure :O :O
    * Cloud Security Patterns
    * Chaos Engineering
    * DevSecOps & Chaos Tools
  4. "Unfortunately, when it comes to Cyber Security, that’s also kind of the problem. The Human factors in cyber security are perhaps the biggest challenge when building an effective threat prevention strategy." Aaron Rinehart. Human Factor in Cyber Security.
  5. Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These attacks are usually aimed at:
    • Accessing
    • Changing
    • Destroying
    sensitive information
  6. Because the World is Insecure and Chaotic! Cyberattacks can take our systems down and keep them down for a long time.
  7. Microservices Vulnerabilities
    • Operational complexity.
    • Hard mapping traffic flows.
    • Polyglot programming problem.
    • Lack of activity logging strategy.
    [Figure: Netflix Microservices Visualization. Taken from Medium]
  8. Cloud Vulnerabilities
    • Data breaches.
    • Weak identity and access.
    • Insecure interfaces and APIs.
    • Account hijacking.
    • Data loss.
    • Abuse of cloud services.
    • Shared technology issues.
  9. Containers Vulnerabilities
    • Kernel exploit.
    • Denial of service attacks.
    • Container breakouts.
    • Untrusted registries and images.
  10. Challenges in Cloud
    • Availability
    • Data Management
    • Design & Implementation
    • Messaging
    • Management & Monitoring
    • Performance & Scalability
    • Security
    • Resilience
  11. Chaos Engineering: It is deliberately inducing stress or fault into software and/or hardware as a way of learning/verifying things about systems on production. https://www.gremlin.com
  12. "Security Chaos Engineering takes the Chaos Engineering principles forward into the domain of security. Security practices aren’t fit for purpose!" Amrata Joshii
  13. More Chaos Security Engineering: "We deliberately introduce false positives into production networks and other infrastructure — build-time dependencies, for example — to check whether procedures in place are capable of identifying security failures under controlled conditions." www.thoughtworks.com
  14. Dev[Sec]Ops is... empowered engineering teams taking ownership of how their product performs in production [including security chaos engineering]. Taken from DevOpsSec by Jim Bird
  15. Chaos Tooling
    • Automate security audits.
    • Detect security flaws.
    • Regularly break the build.
    • Have accurate audit report results.
    • Use real-time protection.
    • Focus on instrumentation.