Security Chaos Engineering

Transcript

1. Security Chaos Engineering Injecting Failures for mitigating vulnerabilities

2. Nice to meet you YURY NIÑO DevOps Engineer and Chaos

   Engineer Advocate Loves building software applications, solving resilience issues and teaching. Passionate about reading, writing and cycling.

3. If you know the enemy and know yourself, you need

   not fear the result of a hundred battles … The Art of War. Sun Tzu

4. Agenda * What is CyberSecurity? * The Cause is the

   Human Error: FALSE * The Cloud is Insecure :O :O * Cloud Security Patterns * Chaos Engineering * DevSecOps & Chaos Tools

5. How many of you have made mistakes in production?

6. Unfortunately, when it comes to Cyber Security, that’s also kind

   of the problem. The Human factors in cyber security are perhaps the biggest challenge when building an effective threat prevention strategy. Aaron Rinehart. Human Factor in Cyber Security.

7. What is Cyber Security?

8. Cybersecurity is the practice of protecting systems, networks, and programs

   from digital attacks. These attacks are usually aimed at: • Accessing • Changing • Destroying sensitive information
9. None

10. Why do we need security in the systems today?

11. Because the World is Insecure and Chaotic! Cyberattacks can take

    our systems down and keep them down for a long time.
12. None
13. None
14. None
15. None

16. Microservices Vulnerabilities • Operational complexity. • Hard mapping traffic flows.

    • Polyglot programming problem. • Lack of activity logging strategy. Netflix Microservices Visualization Taken from Medium

17. Cloud Vulnerabilities • Data breaches. • Weak identity and accesses.

    • Insecure interfaces and APIs. • Account hijacking. • Data loss. • Abuse use of cloud services. • Shared technology issues.

18. Containers Vulnerabilities • Kernel exploit. • Denial of service attacks.

    • Container breakouts. • Untrusted registries and images.

19. Challenges in Cloud Availability Data Management Design & Implementation Messaging

    Management & Monitoring Performance & Scalability Security Resilience
20. None
21. None

22. Human Error is the Symptom NO the Cause!

23. What is Security Chaos Engineering?

24. Chaos Engineering It is deliberately inducing stress or fault into

    software and/or hardware as a way of learning/verifying things about systems on production. https://www.gremlin.com

25. Security Chaos Engineering takes the Chaos Engineering principles forward into

    the domain of security. Security practices aren’t fit for purpose! Amrata Joshii

26. More Chaos Security Engineering We deliberately introduce false positives into

    production networks and other infrastructure — build-time dependencies, for example — to check whether procedures in place are capable of identifying security failures under controlled conditions. www.thoughtworks.com

27. More Chaos Security Engineering www.thoughtworks.com

28. None

29. Who should to practice Security Chaos Engineering?

30. Come on! We are Devs and DevOps! Hire a security

    guy ...

31. What is SecDevOps, DevSecOps, DevOpsSec or whatever you call it?

32. Dev[Sec]Ops is... empowered engineering teams taking ownership of how their

    product performs in production [including security chaos engineering] Taken from DevOpsSec by Jim Bird
33. None

34. Chaos Tooling • Automate security audits. • Detect security flaws.

    • Regularly break the build. • Have accurate audit report results. • Use real-time protection. • Focus on instrumentation.
35. None
36. None
37. None
38. None

39. How to begin ... https://www.gremlin.com https://chaosengineering.slack.com https://github.com/dastergon/awesome -chaos-engineering https://www.infoq.com/chaos-engineeri ng

    @yurynino