Security Chaos Engineering
@aaronrinehart @verica_io #chaosengineering
Thank you to our Sponsors
Jerome Walter, CISO APJ, Pivotal Software
Shaun Norris, Field CIO, Pivotal Software
Agenda
In this session we will cover:
● Combating Complexity in Software
● Chaos Engineering
● Resilience Engineering & Security
● Security Chaos Engineering
● Open Source Chaos Tools
● Verica Chaos Product Demo
Verica Team

Casey Rosenthal, CEO, Founder
● Built and managed high-performance teams (including the Chaos Engineering team) at Netflix
● Known for creating the discipline of Chaos Engineering
● Built the Chaos Automation Platform (ChAP) at Netflix, the most sophisticated implementation of advanced chaos experimentation
● Written multiple books on Chaos Engineering (O'Reilly)

Aaron Rinehart, CTO, Founder
● Former Chief Security Architect @UnitedHealth, responsible for security engineering strategy
● Led the DevOps and Open Source transformation at UnitedHealth Group
● Formerly at DOD, NASA, DHS, and CollegeBoard
● Frequent speaker and author on Chaos Engineering & Security
● Pioneer behind Security Chaos Engineering
● Led the ChaoSlingr team at UnitedHealth
The Obvious Problem
Incidents, Outages, & Breaches are Costly
Why do they seem to be happening more often?
Combating
Complexity in
Software
"The growth of complexity in society has got ahead of our understanding of how complex systems work and fail"
- Sidney Dekker
Our systems have evolved beyond human ability to mentally model their behavior.
Everyone else: distributed systems, cloud computing, microservice architectures, containers, service mesh, immutable infrastructure, infrastructure as code, continuous integration, continuous delivery, CI/CD, automation pipelines, blue/green deployments, auto canaries, circuit breaker patterns, APIs, DevOps. Complex?

Security: mostly monolithic, stateful in nature, requires domain knowledge, expert systems, prevention focused, adversary focused, defense in depth, poorly aligned, DevSecOps not widely adopted. Simplify?
Software has officially taken over.
Software only increases in complexity.
(Figure: Software Complexity, Accidental vs. Essential)
Woods' Theorem:
"As the complexity of a system increases, the accuracy of any single agent's own model of that system decreases"
- Dr. David Woods
What about my systems?
How well do you
really understand
how your system
works?
Systems
Engineering is
Messy
In Reality…….
System Mental Models

In the beginning... we think it looks like (diagram).

After a few months…
● Hard Coded Passwords
● Identity Conflicts
● Lead Software Engineer finds a new job at Google
● New Security Tool
● Refactor Pricing
● 300 Microservices Δ-> 850 Microservices
● Cloud Provider API Outage
● WAF Outage -> Disabled
● Scalability Issues
● Network is Unreliable
● Autoscaling Keeps Breaking
● Large Customer Outage
● Delayed Features
● DNS Resolution Errors
● Expired Certificate
● Regulatory Audit
● Rolling Sev1 Outage on Portal
● Code Freeze
Years?…
● Hard Coded Passwords
● Identity Conflicts
● Lead Software Engineer finds a new job at Google
● New Security Tool
● Refactor Pricing
● 300 Microservices Δ-> 4000 Microservices
● Cloud Provider API Outage
● Firewall Outage -> Disabled
● Scalability Issues
● Network is Unreliable
● Autoscaling Keeps Breaking
● Large Customer Outage
● Delayed Features
● DNS Resolution Errors
● Expired Certificate
● Regulatory Audit
● Rolling Sev1 Outages on Portal
● Code Freeze
● Merger with Competitor
● Misconfigured FW Rule Outage
● Database Outage
● Portal Retry Storm Outage
● Orphaned Documentation
● Corporate Reorg
● Budget Freeze
● Outsource Overseas Development
● Exposed Secrets on Github
● Migration to New CSP
● Upgrade to Java SE 12
Our systems become
more complex and
messy than we
remember them
Difficult to Mentally Model
Avoid Running in the Dark
So what does all of
this $&%* have to
do with Security?
Failure Happens A Lot
The
Normal
Condition
is to
FAIL
We need failure
to Learn & Grow
“things that have never
happened before happen all
the time”
–Scott Sagan “The Limits of Safety”
What happens when
our Security fails?
How do we typically
discover when our
security measures
fail?
Security
Incidents
Typically we don't find out our security is failing until there is a security incident.
Vanishing Traces
"All we typically ever see is the footsteps in the sand" - Allspaw
Logs, stack traces, alerts
Security incidents are
not effective measures of
detection
because at that point
it's already too late
What typically causes
our security to fail?
2018 Causes of Data Breaches
‘Human-Error’, Root Cause, &
Blame Culture
No system is inherently secure by default; it's humans that make them that way.
People Operate Differently
when they expect things to
fail
Chaos Engineering
"Chaos Engineering is the discipline of experimenting on a distributed system in order to build confidence in the system's ability to withstand turbulent conditions"
Who is doing Chaos?
“[Chaos Engineering is] empirical
rather than formal. We don’t use
models to understand what the
system should do. We run
experiments to learn what it does.”
- Michael T. Nygard
Use Chaos to Establish Order
Testing vs. Experimentation

Properties of a Chaos Experiment
● Define steady state
● Formulate hypothesis
● Outline methodology
● Identify blast radius
● Observability is key
● Readily abortable
Game Days allow you to perform
experiments with maximum visibility
and coverage from component
owners, support teams and product.
Developing a
Learning Culture
around Failure
● Safety as part of security
● Building safety margin
into systems
● Replace blame culture with
learning culture
● Telemetry, experimentation,
and instrumentation
Chaos Engineering
Maturity
Despite what has been popularized on online
tech blogs you do not start off performing Chaos
Engineering on live production systems. There is
a maturity ramp to getting there.
● Validate Chaos Tools in
Lower Environment
● Develop Competency &
Confidence in Tooling
● Dry-run experiments
Warning: Still be careful in Non-Prod environments as you will be surprised what
hazards lie in Non-Prod. (Kafka Story)
Chaos Monkey
Story
● During Business Hours
● Born out of Netflix Cloud
Transformation
● Put well defined problems
in front of engineers.
● Terminate VMs on
Random VPC Instances
Chaos Engineering Pro-Tips
● Don't perform an experiment when you expect it to fail
● Auto-remediation of experiments will end in a fiery Hell!
● Transparency is a must
● Webcast & record GameDays
● The process of creating the experiment and sharing the learnings is the highest value of Chaos Engineering
● Chaos Engineering goal: sharing team mental models is of high importance
Reference: Nora Jones 8 Traps of Chaos Engineering
Chaos Pitfalls: Auto-Remediation
“…an operator will only be able to generate successful new
strategies for unusual situations if he has an adequate
knowledge of the process.”
“ Long term knowledge develops only through use and
feedback about its effectiveness.”
— Lisanne Bainbridge, The Ironies of Automation (1983)
Bring context or chase down
vulnerabilities for the service
owner instead of automating
fixes as this leads to a Fiery
Hell!
Reference: Nora Jones 8 Traps of Chaos Engineering
Chaos Pitfalls: Breaking Things on Purpose
“I'm pretty sure
I won’t have a job
very long if I
break things on
purpose all day.”
-Casey Rosenthal
The purpose of Chaos Engineering is NOT
to “Break Things on Purpose”.
If anything we are trying to “Fix them on
Purpose”!
Reference: Nora Jones 8 Traps of Chaos Engineering
Chaos Engineering
Operational Models
● Organization-Wide Chaos Engineering
Team
● Provide a Chaos Engineering Solution for
Teams to Consume
● Central Team runs periodic Chaos Experiments as a Service
● Provide SREs with Chaos Toolsets
“At Netflix Chaos Engineering
was always meant to be a
tools practice for SREs”
- Casey Rosenthal
GameDay Exercises
● 2-4 hrs in Length
● Diverse Cross Functional Group of
Engineers
● Focused on Increasing Resilience
● Used for Manual Chaos
Engineering
● Great Introduction to Chaos
Engineering
Recommendations
● Use GameDays for New Chaos
Experiments
● Use GameDays for Initial
Experiment Deployment on New
Targets
● Use GameDays for Proving New
Chaos Engineering Tools
● Get Everyone in the Same Location
Experiment Lifecycle
1. Perform a GameDay exercise: plan, schedule, and run a GameDay exercise for new experiments.
2. Validate the experiment hypothesis. Goal: validate that the experiment ran successfully and that the results are credible.
3. Remediate findings & repeat the experiment: if the hypothesis failed for the experiment, develop and remediate the list of findings. Once remediated, repeat the experiment.
4. Once successful, automate the experiment: once the experiment has been proven to run successfully, validating your hypothesis, you can automate the experiment to run periodically.
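The lifecycle above is easier to see with a concrete harness. The following is an added example, not code from the slides or from Verica: a minimal Python experiment runner that checks steady state, enforces a blast-radius limit, injects a fault, evaluates the hypothesis, and always rolls back. The system under test is a hypothetical API gateway calling a hypothetical token-introspection service; the fault is injected latency on that security control, and the hypothesis is that the gateway fails closed (denies) rather than open when the control is slow. `TokenService`, `gateway_allows`, the token values and the timing constants are assumptions constructed for the example.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class TokenService:
    """Hypothetical token-introspection endpoint; `delay_s` is the injectable fault."""

    def __init__(self) -> None:
        self.delay_s = 0.0
        self.valid_tokens = {"tok-alice"}  # constructed sample data

    def introspect(self, token: str) -> bool:
        time.sleep(self.delay_s)
        return token in self.valid_tokens


def gateway_allows(svc: TokenService, token: str, timeout_s: float = 0.05,
                   fail_open: bool = False) -> bool:
    """Gateway authorisation check. With fail_open=False (the posture we want) a slow or
    broken introspection call denies the request; fail_open=True is the weak variant."""
    with ThreadPoolExecutor(max_workers=1) as pool:
        future = pool.submit(svc.introspect, token)
        try:
            return bool(future.result(timeout=timeout_s))
        except (FutureTimeout, Exception):
            return fail_open


@dataclass
class Experiment:
    name: str
    steady_state: Callable[[], bool]   # must hold before injecting anything
    inject: Callable[[], None]         # introduce the fault
    hypothesis: Callable[[], bool]     # what we expect to remain true under the fault
    rollback: Callable[[], None]       # always runs, even if the hypothesis code raises
    targets: List[str]                 # what the fault touches
    max_blast_radius: int = 1          # refuse to run if more targets than this
    notes: List[str] = field(default_factory=list)


def run_experiment(exp: Experiment) -> Dict[str, object]:
    """Steady state -> inject -> evaluate hypothesis -> roll back -> confirm steady state."""
    outcome: Dict[str, object] = {"name": exp.name, "status": "aborted", "hypothesis_held": None}
    if len(exp.targets) > exp.max_blast_radius:
        exp.notes.append(f"blast radius {len(exp.targets)} exceeds limit {exp.max_blast_radius}")
        return outcome
    if not exp.steady_state():
        exp.notes.append("steady state not met before injection; refusing to run")
        return outcome
    try:
        exp.inject()
        outcome.update(status="completed", hypothesis_held=exp.hypothesis())
    finally:
        exp.rollback()
        outcome["steady_state_restored"] = exp.steady_state()
    return outcome


def build_latency_experiment(svc: TokenService, fail_open: bool = False,
                             delay_s: float = 0.2) -> Experiment:
    """Hypothesis: when introspection is slow, the gateway denies everyone rather than
    letting an unverifiable token through."""

    def allows(token: str) -> bool:
        return gateway_allows(svc, token, fail_open=fail_open)

    def inject() -> None:
        svc.delay_s = delay_s

    def rollback() -> None:
        svc.delay_s = 0.0

    return Experiment(
        name="latency on token introspection",
        steady_state=lambda: allows("tok-alice") and not allows("tok-mallory"),
        inject=inject,
        hypothesis=lambda: not allows("tok-alice") and not allows("tok-mallory"),
        rollback=rollback,
        targets=["gateway-1"],
    )


if __name__ == "__main__":
    print(run_experiment(build_latency_experiment(TokenService())))
    print(run_experiment(build_latency_experiment(TokenService(), fail_open=True)))
```

Running the fail-closed variant validates the hypothesis; running the `fail_open=True` variant disproves it, which is the finding an experiment like this exists to surface. The rollback in `finally` and the post-rollback steady-state check are what make the experiment readily abortable rather than a one-way change.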
GameDays: The Basics (cycle diagram)
● Plan & Organize GameDay Exercise
● Execute Live GameDay Operations
● Automate & Evangelize Results & Take Action
● Develop & Evaluate Chaos Experiment
● Conduct Pre-Incident Review
Security
Chaos
Engineering
Security Chaos Engineering is...
"The discipline of instrumentation, identification, and remediation of failure within security controls through proactive experimentation to build confidence in the system's ability to defend against malicious conditions in production."
Continuous
Security
Verification
Proactively
Manage & Measure
Reduce Uncertainty by
Building Confidence
Build Confidence
in
What Actually Works
Security Chaos Engineering: Is NOT
● Red Teaming
● Penetration Testing
● Adversary Based
● Focused on Attacks
Security Chaos Engineering Use Cases
● Incident Response
● Solutions Architecture
● Security Control Validation
● Security Observability
● Continuous Verification
● Compliance Monitoring
Incident
Response
● Validate Runbooks
● Measure Team Skills
● Determine Control
Effectiveness
● Learn new insights
● Transfer knowledge
● Build a learning culture
“Security Chaos Engineering
provides a new doorway for
security value but what I like
about it most is that it keeps
the incident response team
sharp.”
- CISO, Fortune 5 Healthcare Company
Applications

Security incidents are subjective in nature. We really don't know very much about the Where? Why? Who? What? How?

"Response" is the problem with Incident Response. Let's face it, when outages happen… teams spend too much time reacting to outages instead of building more resilient systems.

Post Mortem = Preparation. Let's flip the model.
Solution Architecture
"More men (people) die from their remedies than their illnesses"
- Jean-Baptiste Poquelin (Molière)

Solutions Architecture needs reinvention
"Don't bring a pattern to a gunfight" - Robert Duhart
Ivory Tower Architecture

Incidents Drive Design Changes
"Incidents and breaches are hugely significant in creating change post facto. They tend to shape the designs and architecture of tomorrow's solutions" -@allspaw
Security
Control
Validation
Stop looking for better
answers and start asking
better questions.
- John Allspaw
What is the system actually doing?
Has it done this before?
Why is it behaving that way?
What is it supposed to do next?
How did it get into this state?
How does My Security
Really Work?
What evidence do I
have to prove it?
Cloud Security
Readiness
● Verify SaaS Security Controls
● Verify Cloud Native
Controls
● Verify Security
Configuration
Security Observability
Monitoring, Logging, Tracing, Visualization
Security Log Pipelines
Improve Value of Security Log Data
● How valuable is your log data?
● When do we ever assess this?
● We don't know our logs are shit until we absolutely need them
● Proactively determine the quality of log data around experiments
Verify Detection of Disabled Log Services
"Security log pipelines are essential to the success of an information security program."
-Prima Virani, Pinterest Security
Continuous
Verification
Create Objective Feedback
Loops about Security
Effectiveness
More Experiment Examples
● Internet exposed
Kubernetes API
● Unauthorized Bad
Container Repo
● Unencrypted S3 Bucket
● Disable MFA
● Bad AWS Automated Block
Rule
● Software Secret Clear
Text Disclosure
● Permission collision in
Shared IAM Role Policy
● Disabled Service Event
Logging
● Introduce Latency on
Security Controls
● API Gateway Shutdown
Compliance
Monitoring in
Distributed
Systems
Navigating Risk
in Software
How does Security Chaos Engineering differ from Red Teaming, Purple Teaming or Pen Testing?
Security Crayons
Differences in Scope, Focus, and Method
● Distributed Systems Focus
● Goal: Experimentation
● Human Factors focused
● Small Isolated Scope
● Focus on Cascading Events
● Performed by Mixed Engineering Teams in a GameDay
● During business hours
Challenges in
Adopting Chaos
Engineering
Cultural Shift
"Culture is the most important aspect to devops succeeding in the enterprise"
- Patrick Debois, Creator of DevOps

Making the Case for Chaos
Chaos
ROI
● Metrics & Measurements
● Business Outcome-Based KPIs
before Engineering Metrics
● Do not make the case for the outage that never happened
Chaos Open Source Tools

OSS Chaos Tools: Important Considerations
ChaoSlingr: An Open Source Tool

ChaoSlingr Product Features
• Serverless app in AWS
• 100% native AWS
• Configurable operational mode & frequency
• Opt-in | opt-out model
• ChatOps integration
• Configuration-as-code
• Example code & open framework
Hypothesis: If someone accidentally or maliciously introduced a misconfigured port, then we would immediately detect, block, and alert on the event.

(Diagram: Misconfigured Port Injection -> Firewall? -> Alert SOC? -> Log data? -> Config Mgmt? -> IR Triage -> Wait...)

Result: Hypothesis disproved. The firewall did not detect or block the change on all instances: the standard port AAA security policy was out of sync on the Portal Team instances. The port change did not trigger an alert, and log data indicated a successful change audit. However, we unexpectedly learned that the configuration management tool caught the change and alerted the SOC.
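The misconfigured-port experiment above, the "More Experiment Examples" list earlier on the page, and the "Verify Detection of Disabled Log Services" point all come down to one question: when a control-weakening change is injected, does the event reach the detector and raise the alert we expect? The following is an added example, not ChaoSlingr's code or Verica's: a Python check that runs illustrative detection rules over constructed CloudTrail-style records (field names follow CloudTrail's, but every record, ARN, account number and security group ID is made up) and reports, per injection, whether the hypothesis was validated or disproved and why. `FORWARDED_SOURCES` is a hypothetical log-pipeline setting that deliberately omits IAM so one injection shows the "logged nowhere" failure mode; the internal-CIDR injection is a negative control that must not alert.

```python
from typing import Any, Callable, Dict, List, Optional, Tuple

Event = Dict[str, Any]
Rule = Callable[[Event], Optional[str]]

# Hypothetical SIEM ingest config: CloudTrail event sources the pipeline forwards.
# iam.amazonaws.com is deliberately absent so one injection exposes a logging gap.
FORWARDED_SOURCES = {"ec2.amazonaws.com", "cloudtrail.amazonaws.com", "s3.amazonaws.com"}


def log_pipeline(events: List[Event]) -> List[Event]:
    """Stand-in for the security log pipeline: forwards only configured sources."""
    return [ev for ev in events if ev.get("eventSource") in FORWARDED_SOURCES]


def _params(ev: Event) -> Dict[str, Any]:
    return ev.get("requestParameters") or {}


def rule_public_ingress(ev: Event) -> Optional[str]:
    """Security group rule opened to the whole internet (the misconfigured-port case)."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = _params(ev)
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return (f"{params.get('groupId')} open to 0.0.0.0/0 on "
                        f"{perm.get('ipProtocol')}/{perm.get('fromPort')}-{perm.get('toPort')}")
    return None


def rule_logging_disabled(ev: Event) -> Optional[str]:
    """Someone turned off or deleted the audit trail itself."""
    if ev.get("eventSource") == "cloudtrail.amazonaws.com" and \
            ev.get("eventName") in {"StopLogging", "DeleteTrail"}:
        return f"{ev.get('eventName')} on trail {_params(ev).get('name')}"
    return None


def rule_mfa_removed(ev: Event) -> Optional[str]:
    if ev.get("eventName") in {"DeactivateMFADevice", "DeleteVirtualMFADevice"}:
        return f"MFA removed for user {_params(ev).get('userName')}"
    return None


def rule_bucket_encryption_removed(ev: Event) -> Optional[str]:
    if ev.get("eventName") == "DeleteBucketEncryption":
        return f"default encryption removed from bucket {_params(ev).get('bucketName')}"
    return None


RULES: List[Rule] = [rule_public_ingress, rule_logging_disabled,
                     rule_mfa_removed, rule_bucket_encryption_removed]


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Run every rule over every event; return (eventID, rule name, message) findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((str(ev["eventID"]), rule.__name__, msg))
    return findings


def verify_detection(injections: List[Tuple[Event, Optional[str]]]) -> Dict[str, str]:
    """Experiment: each injected event should reach the detector and fire exactly the
    expected rule (None = expected to stay quiet, a negative control against noise).
    Returns a verdict per eventID, with the reason when the hypothesis is disproved."""
    events = [ev for ev, _ in injections]
    forwarded = {str(ev["eventID"]) for ev in log_pipeline(events)}
    fired = {(eid, rule) for eid, rule, _ in detect(log_pipeline(events))}
    verdicts: Dict[str, str] = {}
    for ev, expected in injections:
        eid = str(ev["eventID"])
        if eid not in forwarded:
            verdicts[eid] = (f"disproved: event never reached the detector "
                             f"(pipeline drops {ev.get('eventSource')})")
        elif expected is None:
            noisy = any(e == eid for e, _ in fired)
            verdicts[eid] = "disproved: false positive" if noisy else "validated"
        elif (eid, expected) in fired:
            verdicts[eid] = "validated"
        else:
            verdicts[eid] = "disproved: event was logged but raised no alert"
    return verdicts


def _sg_event(eid: str, cidr: str) -> Event:
    return {"eventID": eid, "eventSource": "ec2.amazonaws.com",
            "eventName": "AuthorizeSecurityGroupIngress",
            "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": cidr}]}}]}}}


# Constructed injections (not real CloudTrail records), paired with the rule expected to fire.
INJECTIONS: List[Tuple[Event, Optional[str]]] = [
    (_sg_event("evt-1", "0.0.0.0/0"), "rule_public_ingress"),
    ({"eventID": "evt-2", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
      "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
     "rule_logging_disabled"),
    ({"eventID": "evt-3", "eventSource": "iam.amazonaws.com", "eventName": "DeactivateMFADevice",
      "requestParameters": {"userName": "alice",
                            "serialNumber": "arn:aws:iam::123456789012:mfa/alice"}},
     "rule_mfa_removed"),
    ({"eventID": "evt-4", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketEncryption",
      "requestParameters": {"bucketName": "customer-exports"}}, "rule_bucket_encryption_removed"),
    (_sg_event("evt-5", "10.0.0.0/8"), None),  # internal CIDR: must NOT alert
]

if __name__ == "__main__":
    for eid, verdict in verify_detection(INJECTIONS).items():
        print(eid, verdict)
```

The MFA injection is disproved not because the rule is wrong but because the event never arrived, which is exactly the kind of finding the slide's "Log data?" box is asking about: a detection rule that is never fed is indistinguishable from one that does not exist. In a real run the injected change would be made through the cloud API in a scoped, opt-in account and rolled back afterwards; the verdict logic stays the same.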
Transforming how the world builds software
© Copyright 2019 Pivotal Software, Inc. All rights Reserved.

AllDayDevOps : DevSecOps & Chaos Engineering: Knowing the UnknownAaron Rinehart
 
TestBed-Cyber-Security-Workshops
TestBed-Cyber-Security-WorkshopsTestBed-Cyber-Security-Workshops
TestBed-Cyber-Security-WorkshopsAaron Rinehart
 

More from Aaron Rinehart (6)

Conf42-SRE - 2020 - "Applied Security: Crafting Secure and Resilient Distribu...
Conf42-SRE - 2020 - "Applied Security: Crafting Secure and Resilient Distribu...Conf42-SRE - 2020 - "Applied Security: Crafting Secure and Resilient Distribu...
Conf42-SRE - 2020 - "Applied Security: Crafting Secure and Resilient Distribu...
 
Security Differently - DevSecOps Days Austin 2019
Security Differently - DevSecOps Days Austin 2019Security Differently - DevSecOps Days Austin 2019
Security Differently - DevSecOps Days Austin 2019
 
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
 
Does 2018 presentation rinehart - how to train your dragons
Does 2018 presentation rinehart - how to train your dragonsDoes 2018 presentation rinehart - how to train your dragons
Does 2018 presentation rinehart - how to train your dragons
 
AllDayDevOps : DevSecOps & Chaos Engineering: Knowing the Unknown
AllDayDevOps : DevSecOps & Chaos Engineering: Knowing the UnknownAllDayDevOps : DevSecOps & Chaos Engineering: Knowing the Unknown
AllDayDevOps : DevSecOps & Chaos Engineering: Knowing the Unknown
 
TestBed-Cyber-Security-Workshops
TestBed-Cyber-Security-WorkshopsTestBed-Cyber-Security-Workshops
TestBed-Cyber-Security-Workshops
 

Recently uploaded

Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsMehedi Hasan Shohan
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
What are the features of Vehicle Tracking System?
What are the features of Vehicle Tracking System?What are the features of Vehicle Tracking System?
What are the features of Vehicle Tracking System?Watsoo Telematics
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
buds n tech IT solutions
buds n  tech IT                solutionsbuds n  tech IT                solutions
buds n tech IT solutionsmonugehlot87
 

Recently uploaded (20)

Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
What are the features of Vehicle Tracking System?
What are the features of Vehicle Tracking System?What are the features of Vehicle Tracking System?
What are the features of Vehicle Tracking System?
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
buds n tech IT solutions
buds n  tech IT                solutionsbuds n  tech IT                solutions
buds n tech IT solutions
 

Pivotal APJ Security Chaos Engineering

  • 15. Complex? Circuit Breaker Patterns; Continuous Delivery; Distributed Systems; Blue/Green Deployments; Cloud Computing; Service Mesh; Containers; Immutable Infrastructure; Infracode; Continuous Integration; Microservice Architectures; API; Auto Canaries; CI/CD; DevOps; Automation Pipelines
  • 16. Security? Mostly Monolithic; Requires Domain Knowledge; Prevention focused; Poorly Aligned; Defense in Depth; Stateful in nature; DevSecOps not widely adopted; Expert Systems; Adversary Focused
  • 19. Software Only Increases in Complexity
  • 21. Woods Theorem: “As the complexity of a system increases, the accuracy of any single agent’s own model of that system decreases” - Dr. David Woods
  • 22. What about my systems?
  • 23. How well do you really understand how your system works?
  • 27. After a few months…. Hard Coded Passwords; Identity Conflicts; Lead Software Engineer finds a new job at Google; New Security Tool; Refactor Pricing; 300 Microservices Δ-> 850 Microservices; Cloud Provider API Outage; WAF Outage -> Disabled; Scalability Issues; Network is Unreliable; Autoscaling Keeps Breaking; Large Customer Outage; Delayed Features; DNS Resolution Errors; Expired Certificate; Regulatory Audit; Rolling Sev1 Outage on Portal; Code Freeze
  • 28. Years?…. Hard Coded Passwords; Identity Conflicts; Lead Software Engineer finds a new job at Google; New Security Tool; Refactor Pricing; 300 Microservices Δ-> 850 Microservices; 300 Microservices Δ-> 4000 Microservices; Cloud Provider API Outage; WAF Outage -> Disabled; Firewall Outage -> Disabled; Scalability Issues; Network is Unreliable; Autoscaling Keeps Breaking; Large Customer Outage; Delayed Features; DNS Resolution Errors; Expired Certificate; Regulatory Audit; Rolling Sev1 Outages on Portal; Code Freeze; Merger with competitor; Misconfigured FW Rule Outage; Database Outage; Portal Retry Storm Outage; Orphaned Documentation; Corporate Reorg; Budget Freeze; Outsource overseas development; Exposed Secrets on Github; Migration to New CSP; Upgrade to Java SE 12
  • 29. Our systems become more complex and messy than we remember them
  • 31. Avoid Running in the Dark @aaronrinehart @verica_io #chaosengineering
  • 32. So what does all of this $&%* have to do with Security?
  • 35. We need failure to Learn & Grow
  • 36. “things that have never happened before happen all the time” –Scott Sagan “The Limits of Safety”
  • 37. What happens when our Security fails?
  • 38. How do we typically discover when our security measures fail?
  • 39. Security Incidents: Typically we don't find out our security is failing until there is a security incident.
  • 40. Vanishing Traces: All we typically ever see is the Footsteps in the Sand -Allspaw. Logs, Stack Traces, Alerts
  • 41. Security incidents are not effective measures of detection because at that point it's already too late
  • 42. What typically causes our security to fail?
  • 43–46. 2018 Causes of Data Breaches
  • 48. No System is inherently Secure by Default; it's Humans that make them that way.
  • 49. People Operate Differently when they expect things to fail
  • 53. Chaos Engineering: “Chaos Engineering is the discipline of experimenting on a distributed system in order to build confidence in the system’s ability to withstand turbulent conditions”
  • 54. Who is doing Chaos?
  • 57. “[Chaos Engineering is] empirical rather than formal. We don’t use models to understand what the system should do. We run experiments to learn what it does.” - Michael T. Nygard
  • 58. Use Chaos to Establish Order
  • 60. Properties of a Chaos Experiment ● Define steady state ● Formulate hypothesis ● Outline methodology ● Identify blast radius ● Observability is key ● Readily abortable. Game Days allow you to perform experiments with maximum visibility and coverage from component owners, support teams and product.
  • 61. Developing a Learning Culture around Failure ● Safety as part of security ● Building safety margin into systems ● Replace blame culture with learning culture ● Telemetry, experimentation, and instrumentation
  • 62. Chaos Engineering Maturity: Despite what has been popularized on online tech blogs, you do not start off performing Chaos Engineering on live production systems. There is a maturity ramp to getting there. ● Validate Chaos Tools in Lower Environment ● Develop Competency & Confidence in Tooling ● Dry-run experiments. Warning: Still be careful in Non-Prod environments, as you will be surprised what hazards lie in Non-Prod. (Kafka Story)
  • 63. Chaos Monkey Story ● During Business Hours ● Born out of Netflix Cloud Transformation ● Put well defined problems in front of engineers. ● Terminate VMs on Random VPC Instances
  • 64. Chaos Engineering Pro-Tips ● Don’t perform an experiment when you expect it to fail ● Auto Remediation of Experiments will end in a fiery Hell! ● Transparency is a Must ● Webcast & Record GameDays ● The process of creating the experiment and sharing the learnings is the highest value of Chaos Engineering ● Chaos Engineering Goal: sharing team mental models is of high importance. Reference: Nora Jones, 8 Traps of Chaos Engineering
  • 65. Chaos Pitfalls: Auto-Remediation. “…an operator will only be able to generate successful new strategies for unusual situations if he has an adequate knowledge of the process.” “Long term knowledge develops only through use and feedback about its effectiveness.” — Lisanne Bainbridge, The Ironies of Automation (1983). Bring context or chase down vulnerabilities for the service owner instead of automating fixes, as this leads to a Fiery Hell! Reference: Nora Jones, 8 Traps of Chaos Engineering
  • 66. Chaos Pitfalls: Breaking Things on Purpose. “I'm pretty sure I won’t have a job very long if I break things on purpose all day.” -Casey Rosenthal. The purpose of Chaos Engineering is NOT to “Break Things on Purpose”. If anything, we are trying to “Fix them on Purpose”! Reference: Nora Jones, 8 Traps of Chaos Engineering
  • 67. Chaos Engineering Operational Models ● Organization-Wide Chaos Engineering Team ● Provide a Chaos Engineering Solution for Teams to Consume ● Central Team runs periodic Chaos Experiments as a Service ● Provide SREs with Chaos Toolsets. “At Netflix Chaos Engineering was always meant to be a tools practice for SREs” - Casey Rosenthal
  • 68. GameDay Exercises ● 2-4 hrs in Length ● Diverse Cross Functional Group of Engineers ● Focused on Increasing Resilience ● Used for Manual Chaos Engineering ● Great Introduction to Chaos Engineering. Recommendations ● Use GameDays for New Chaos Experiments ● Use GameDays for Initial Experiment Deployment on New Targets ● Use GameDays for Proving New Chaos Engineering Tools ● Get Everyone in the Same Location
  • 69. Experiment Lifecycle: 1. Perform a GameDay Exercise: plan, schedule, and run a GameDay exercise for new experiments. 2. Validate Experiment Hypothesis. Goal: validate that the experiment ran successfully and that the results are credible. 3. Remediate Findings & Repeat Experiment: if the hypothesis failed for the experiment, develop and remediate the list of findings. Once remediated, repeat the experiment. 4. Once Successful: Automate Experiment. Once the experiment has been proved to run successfully, validating your hypothesis, you can now automate the experiment to run periodically.
  • 70. GameDays: The Basics ● Plan & Organize GameDay Exercise ● Execute Live GameDay Operations ● Automate & Evangelize ● Results & Take Action ● Develop & Evaluate Chaos Experiment ● Conduct Pre-Incident Review
  • 72. “The discipline of instrumentation, identification, and remediation of failure within security controls through proactive experimentation to build confidence in the system's ability to defend against malicious conditions in production.” Security Chaos Engineering is...
  • 77. Security Chaos Engineering: Is NOT ● Red Teaming ● Penetration Testing ● Adversary Based ● Focused on Attacks
  • 79. @aaronrinehart @verica_io #chaosengineering ● Incident Response ● Solutions Architecture ● Security Control Validation ● Security Observability ● Continuous Verification ● Compliance Monitoring Use Cases
  • 81. ● Validate Runbooks ● Measure Team Skills ● Determine Control Effectiveness ● Learn new insights ● Transfer knowledge ● Build a learning culture “Security Chaos Engineering provides a new doorway for security value but what I like about it most is that it keeps the incident response team sharp.” - CISO, Fortune 5 Healthcare Company Applications
  • 83. We really don't know very much: Where? Why? Who? What? How?
  • 84. “Response” is the problem with Incident Response
  • 85. Let's face it, when outages happen….. Teams spend too much time reacting to outages instead of building more resilient systems.
  • 86. Let's Flip the Model: Post Mortem = Preparation
  • 88. Solution Architecture “More men(people) die from their remedies not their illnesses” - Jean-Baptiste Poquelin
  • 89. Solutions Architecture needs reinvention. “Don't bring a pattern to a gunfight” - Robert Duhart. Ivory Tower Architecture
  • 90. Incidents Drive Design Changes: Incidents and breaches are hugely significant in creating change post facto. They tend to shape the designs and architecture of tomorrow's solutions -@allspaw
  • 92. Stop looking for better answers and start asking better questions. - John Allspaw
  • 93. What is the system actually doing? Has it done this before? Why is it behaving that way? What is it supposed to do next? How did it get into this state?
  • 94. How does My Security Really Work?
  • 95. What evidence do I have to prove it?
  • 96. Cloud Security Readiness ● Verify SaaS Security Controls ● Verify Cloud Native Controls ● Verify Security Configuration
  • 99. Improve Value of Security Log Data ● How valuable is your log data? ● When do we ever assess this? ● We don't know our logs are shit until we absolutely need them ● Proactively determine quality of log data around experiments
  • 100. Verify Detection of Disabled Log Services “Security log pipelines are essential to the success of an information security program.” -Prima Virani, Pinterest Security
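Slides 99 and 100 ask whether you would notice when a security log service is switched off, and whether your log data is any good before you need it. The following is an added example written for this page (it is not code from the deck, from ChaoSlingr or from Pinterest) showing the two checks such an experiment would exercise: an expected log source that has stopped reporting within a maximum gap, and an explicit control-disabling action in the stream. The events, the source names and the list of expected sources are constructed sample data; the disabling action names are the CloudTrail and CloudWatch Logs API names, chosen because the deck's tooling is AWS-native.

```python
"""Detecting a security log source that has gone quiet (added example).

Two checks a "verify detection of disabled log services" experiment would
exercise: (1) an expected source has not reported within a maximum gap,
(2) a control-disabling action appeared in the stream.  Events and source
names below are constructed sample data, not real logs.
"""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: (timestamp, source, action) over 20 minutes.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("2019-10-01T10:00:00", "cloudtrail", "ConsoleLogin"),
    ("2019-10-01T10:00:05", "waf", "AllowedRequest"),
    ("2019-10-01T10:00:10", "vpc-flow", "ACCEPT"),
    ("2019-10-01T10:05:00", "cloudtrail", "DescribeInstances"),
    ("2019-10-01T10:05:10", "vpc-flow", "ACCEPT"),
    ("2019-10-01T10:06:00", "cloudtrail", "StopLogging"),   # trail switched off
    ("2019-10-01T10:10:00", "waf", "AllowedRequest"),
    ("2019-10-01T10:15:00", "vpc-flow", "REJECT"),
    ("2019-10-01T10:20:00", "waf", "BlockedRequest"),
]

# Sources the pipeline is expected to carry; "guardduty" never reports at all,
# which is the edge case a last-seen check must not silently skip.
EXPECTED_SOURCES = {"cloudtrail", "waf", "vpc-flow", "guardduty"}
# Actions that switch a log source off (CloudTrail / CloudWatch Logs API names).
DISABLING_ACTIONS = {"StopLogging", "DeleteTrail", "DeleteLogGroup"}


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def last_seen(events: List[Tuple[str, str, str]]) -> Dict[str, datetime]:
    """Latest timestamp observed per source."""
    seen: Dict[str, datetime] = {}
    for stamp, source, _ in events:
        t = _ts(stamp)
        if source not in seen or t > seen[source]:
            seen[source] = t
    return seen


def find_silent_sources(events: List[Tuple[str, str, str]], now: str,
                        max_gap_seconds: int = 600) -> Dict[str, Optional[int]]:
    """Map each silent source to its gap in seconds; None means never seen."""
    seen = last_seen(events)
    silent: Dict[str, Optional[int]] = {}
    for source in sorted(EXPECTED_SOURCES):
        if source not in seen:
            silent[source] = None
            continue
        gap = int((_ts(now) - seen[source]).total_seconds())
        if gap > max_gap_seconds:
            silent[source] = gap
    return silent


def find_disabling_actions(events: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Events that explicitly turned a log source off."""
    return [e for e in events if e[2] in DISABLING_ACTIONS]


if __name__ == "__main__":
    print(find_silent_sources(SAMPLE_EVENTS, "2019-10-01T10:20:00"))
    print(find_disabling_actions(SAMPLE_EVENTS))
```

Run against the sample at 10:20, the gap check reports cloudtrail (quiet for 840 seconds after the StopLogging call) and guardduty (never seen), while the action check pins the cause to the single StopLogging event. In an experiment the disabling action is the injected fault, and the question the hypothesis answers is whether either check, or the SOC, fires before the experiment's own timer does.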
  • 102. Create Objective Feedback Loops about Security Effectiveness
  • 103. More Experiment Examples ● Internet exposed Kubernetes API ● Unauthorized Bad Container Repo ● Unencrypted S3 Bucket ● Disable MFA ● Bad AWS Automated Block Rule ● Software Secret Clear Text Disclosure ● Permission collision in Shared IAM Role Policy ● Disabled Service Event Logging ● Introduce Latency on Security Controls ● API Gateway Shutdown
  • 106. How does Security Chaos Engineering differ from Red Teaming, Purple Teaming or Pen Testing? Security Crayons
  • 107. ● Distributed Systems Focus ● Goal: Experimentation ● Human Factors focused ● Small Isolated Scope ● Focus on Cascading Events ● Performed by Mixed Engineering Teams in Gameday ● During business hours Differences in Scope, Focus, and Method
  • 110. Culture is the most important aspect to devops succeeding in the enterprise Patrick Debois, Creator of DevOps
  • 112. Chaos ROI ● Metrics & Measurements ● Business Outcome-Based KPIs before Engineering Metrics ● Do not make the Case for the Outage that Never Happened
  • 120. ChaoSlingr Product Features • Serverless App in AWS • 100% Native AWS • Configurable Operational Mode & Frequency • Opt-In | Opt-Out Model • ChatOps Integration • Configuration-as-Code • Example Code & Open Framework
  • 121. Hypothesis: If someone accidentally or maliciously introduced a misconfigured port then we would immediately detect, block, and alert on the event. (Diagram: Misconfigured Port Injection -> Firewall? / Config Mgmt? / Log data? / Alert SOC? / IR Triage / Wait...)
  • 122. Result: Hypothesis disproved. Firewall did not detect or block the change on all instances. Standard Port AAA security policy out of sync on the Portal Team instances. Port change did not trigger an alert, and log data indicated successful change audit. However, we unexpectedly learned the configuration mgmt tool caught the change and alerted the SOC. (Diagram: Misconfigured Port Injection -> Firewall? / Config Mgmt? / Log data? / Alert SOC? / IR Triage / Wait...)
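Slides 121 and 122 walk one experiment end to end: a hypothesis, an injected misconfiguration, the signals that were supposed to fire, and a result that disproved the hypothesis while surfacing an unexpected detection path. The harness below is an added example written for this page (it is not ChaoSlingr and not code from the deck) showing how the experiment properties from slide 60, steady state, hypothesis, blast radius, observability and abortability, map onto code. The fleet, the three detection signals and the out-of-sync Portal instance are constructed to reproduce the slide 122 outcome, and the port number is a placeholder.

```python
"""Security chaos experiment harness (added example, not ChaoSlingr).

Injects a misconfigured port on a small simulated fleet and tests the
hypothesis from slide 121: the firewall blocks it, the SOC is alerted and
the change is audited.  Fleet, detection signals and the out-of-sync
Portal instance are all constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

BAD_PORT = 2323  # placeholder port, not a value from the deck


@dataclass
class Instance:
    name: str
    team: str
    open_ports: Set[int]
    # Constructed: the Portal team's firewall policy is out of sync (slide 122).
    firewall_policy_in_sync: bool = True


@dataclass
class Environment:
    """Simulated fleet plus three independent detection signals."""
    instances: List[Instance]
    firewall_blocks: List[str] = field(default_factory=list)
    soc_alerts: List[str] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def open_port(self, inst: Instance, port: int) -> None:
        """The fault being injected, with the simulated control responses."""
        inst.open_ports.add(port)
        self.audit_log.append(f"{inst.name}: port {port} opened")
        if inst.firewall_policy_in_sync:            # firewall only enforces current policy
            inst.open_ports.discard(port)
            self.firewall_blocks.append(f"{inst.name}: blocked {port}")
        # Configuration management drift detection fires regardless of the firewall.
        self.soc_alerts.append(f"config-mgmt drift on {inst.name}: port {port}")

    def close_port(self, inst: Instance, port: int) -> None:
        inst.open_ports.discard(port)


@dataclass
class Experiment:
    name: str
    hypothesis: str
    blast_radius: List[Instance]                    # only these instances are touched
    steady_state: Callable[[Environment], bool]
    inject: Callable[[Environment, Instance], None]
    rollback: Callable[[Environment, Instance], None]
    checks: Dict[str, Callable[[Environment, Instance], bool]]
    abort_if: Callable[[Environment], bool] = lambda env: False


def run_experiment(exp: Experiment, env: Environment) -> dict:
    """Steady state -> inject within blast radius -> observe -> always roll back."""
    result = {"name": exp.name, "steady_state_ok": exp.steady_state(env),
              "aborted": False, "rolled_back": [], "observations": {},
              "hypothesis_holds": None}
    if not result["steady_state_ok"]:
        return result                               # never inject on an unhealthy system
    injected: List[Instance] = []
    try:
        for inst in exp.blast_radius:
            exp.inject(env, inst)
            injected.append(inst)
            result["observations"][inst.name] = {
                name: check(env, inst) for name, check in exp.checks.items()}
            if exp.abort_if(env):
                result["aborted"] = True
                break
    finally:
        for inst in injected:                       # undo even if a check raised
            exp.rollback(env, inst)
            result["rolled_back"].append(inst.name)
    # The hypothesis holds only if every signal fired on every touched instance.
    result["hypothesis_holds"] = all(
        all(obs.values()) for obs in result["observations"].values())
    return result


def build_port_experiment(fleet: List[Instance]) -> Experiment:
    return Experiment(
        name="misconfigured-port-injection",
        hypothesis="A misconfigured port is immediately detected, blocked and alerted on.",
        blast_radius=fleet,
        steady_state=lambda env: all(BAD_PORT not in i.open_ports for i in env.instances),
        inject=lambda env, inst: env.open_port(inst, BAD_PORT),
        rollback=lambda env, inst: env.close_port(inst, BAD_PORT),
        checks={
            "firewall_blocked": lambda env, inst: BAD_PORT not in inst.open_ports
                and any(b.startswith(inst.name + ":") for b in env.firewall_blocks),
            "soc_alerted": lambda env, inst: any(inst.name in a for a in env.soc_alerts),
            "change_audited": lambda env, inst: any(a.startswith(inst.name + ":") for a in env.audit_log),
        },
    )


def demo() -> dict:
    fleet = [Instance("api-1", "api", set()),
             Instance("portal-1", "portal", set(), firewall_policy_in_sync=False)]
    return run_experiment(build_port_experiment(fleet), Environment(fleet))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The result mirrors the slide: the firewall check passes on api-1 and fails on portal-1, so the hypothesis is disproved, while the config-management alert and the audit entry are present on both, which is the unexpected detection path the slide reports. Two design points matter more than the simulated fleet: the steady-state gate refuses to inject into a system that is already unhealthy, and the rollback runs in a finally block so that an aborted or crashing experiment still leaves the blast radius as it found it.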
  • 123. Transforming how the world builds software © Copyright 2019 Pivotal Software, Inc. All rights Reserved.