
DevSecOps & Chaos Engineering: Knowing the Unknown

Engineered chaos – is that an oxymoron? Not really. By creating chaos in your software development environments you help build more stable and secure systems. Why is this valuable and how can you do it?

Aaron Rinehart (@aaronrinehart) dives into what chaos engineering is, why you need it, and how you can implement it in your organization.

As co-founder of the Chaos Engineering Meetup in Washington, D.C. and Chief Security Architect for UnitedHealth Group, one of the largest companies in the U.S., he spoke about chaos engineering at last year’s All Day DevOps conference.

Aaron doesn’t work for some crazy little startup that can afford to experiment with something called “chaos.” UnitedHealth Group has 28,000 developers, 8,000 applications, and, being a health insurance company, is highly regulated. They use DevOps, waterfall, Agile, and other methodologies.

First, the why. According to a recent study, 48% of security breaches are due to a malicious or criminal attack. The other 52% are human error or system glitches. We can, to a degree, control that 52%. Aaron suggests that if we focus our security efforts on the 52%, the 48% won’t be possible.

[Figure: 2018 Causes of Data Breaches]

For security breaches, we don’t know very much about what is going to happen. Where? Why? Who? How? What? We generally find out after a security incident happens. Too little, too late. Part of our problem, Aaron contends, is that we spend too much time reacting to the outages instead of building more resilient systems.

Aaron suggests, “We can use chaos engineering to drive objectivity in a subjective world.”

Write that down. What does it mean? It means so much of security planning is subjective because you don’t know the when, where, how, etc. You are guessing where the unknown vulnerabilities are in your live system, (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Derek Weeks. Read the original post at: https://blog.sonatype.com/devsecops-chaos-engineering
