@aaronrinehart @verica_io #chaosengineering
Road from “Rugged to Chaos”
In this Session we will cover
Areas Covered
● Rugged DevOps Journey at UnitedHealth Group
● Combating Complexity in Software
● Chaos Engineering
● Resilience Engineering & Security
● Security Chaos Engineering
Aaron Rinehart, CTO, Founder, Verica
● Former Chief Security Architect @UnitedHealth responsible for security engineering strategy
● Led the DevOps and Open Source Transformation at UnitedHealth Group
● Former (DOD, NASA, DHS, CollegeBoard)
● Frequent speaker and author on Chaos Engineering & Security
● Pioneer behind Security Chaos Engineering
● Led ChaoSlingr team at UnitedHealth
My knowledge of DevOps & Agile when I started.
What is DevOps?
“DevOps, a movement of people who care about developing and operating reliable, secure, high performance systems at scale, has always — intentionally — lacked a definition or manifesto.”
– Jez Humble, author, “The DevOps Handbook”
Our path begins…
The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win
• by Gene Kim, Kevin Behr and George Spafford
The DevOps Handbook: How to create world-class agility, reliability, and security in technology organizations
• by Gene Kim, Patrick Debois, John Willis, Jez Humble and John Allspaw
Our Journey: Developer Enablement
Develop the Tools, Techniques and Processes needed to deliver security services in a world of Continuous Delivery.
● Drive Security as a Function of Quality
● Building a Better Model: Continuous Delivery is Better Security
○ Focus on Delivering Value
○ Continuous Security Model
○ Enable DevOps Strategy and Automation
A New Paradigm: Bold Steps
A Grass Roots Beginning
● Teams across Silos & Disciplines
○ 60 Developers, Operations Engineers, and Security Leaders from across the entire company.
● Began with Six Core DevOps Security Problem Sets
○ Security Baseline + Configuration Validation w/ Chef & InSpec
○ Gauntlt Rugged Attack Framework
○ Static Code Analysis (SAST): Automating Fortify with Jenkins via API
○ Application Vulnerability Scans (DAST): Automating WebInspect with Jenkins via API
○ DevOps Self-Governance & Operationalization Framework: How does this world look from an operational support perspective?
○ Clair Container Image Scanning: Building Image Scanning into Jenkins
Chef + InSpec: Automated Security Configuration & Validation at Speed
Case Study: State Health Exchange
● Enable Deployment & Compliance at Speed and Scale
● Allow developers to leverage “Security”-Approved Chef server compliance cookbooks
● Compliance is built into the initial server standup process and immediately confirmed prior to release for use
○ No longer a late “add on”
○ It is “just another cookbook” that can be automatically applied
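The "compliance confirmed prior to release" idea above, as an added illustration (this is not Chef, InSpec or any of the project's own code): a small baseline validator that parses an sshd_config-style file the way sshd reads it (comments dropped, first occurrence of a keyword wins, conditional Match blocks out of scope) and gates release on every control passing. The four controls and the sample config are constructed for this example; a real baseline would carry far more controls and would run as the last step of server standup.

```python
"""Constructed example: a release gate that validates an sshd_config against a
security baseline, in the spirit of "compliance confirmed prior to release".
Not InSpec or Chef code; controls and sample config are made up for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Control:
    id: str
    title: str
    keyword: str                               # sshd_config keyword (matched case-insensitively)
    check: Callable[[Optional[str]], bool]     # receives the effective value, or None if unset


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {keyword_lowercase: value} using sshd's own semantics:
    comments and blank lines are ignored, the FIRST occurrence of a keyword wins,
    and parsing stops at the first 'Match' block because those settings are conditional."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)    # first occurrence wins, as in sshd
    return settings


# Constructed baseline: explicit "no" is required where the sshd default is permissive;
# PermitEmptyPasswords defaults to "no" in sshd, so an unset value is acceptable there.
BASELINE: List[Control] = [
    Control("ssh-01", "Root login disabled", "permitrootlogin",
            lambda v: v is not None and v.lower() == "no"),
    Control("ssh-02", "Password authentication disabled", "passwordauthentication",
            lambda v: v is not None and v.lower() == "no"),
    Control("ssh-03", "Empty passwords rejected", "permitemptypasswords",
            lambda v: v is None or v.lower() == "no"),
    Control("ssh-04", "MaxAuthTries capped at 4", "maxauthtries",
            lambda v: v is not None and v.isdigit() and int(v) <= 4),
]


def evaluate(config_text: str, controls: List[Control] = BASELINE) -> Dict[str, bool]:
    """Evaluate every control against the parsed config; True means the control passes."""
    settings = parse_sshd_config(config_text)
    return {c.id: c.check(settings.get(c.keyword)) for c in controls}


def release_gate(results: Dict[str, bool]) -> bool:
    """Release is approved only when every baseline control passes."""
    return all(results.values())


# Constructed sample: a freshly stood-up server whose config drifted from the baseline.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample for this example)
Port 22
PermitRootLogin no
PasswordAuthentication yes   # left enabled during middleware setup
PasswordAuthentication no    # second occurrence: ignored, the first one wins
MaxAuthTries 6
Match User deploy
    PasswordAuthentication no
"""

if __name__ == "__main__":
    results = evaluate(SAMPLE_CONFIG)
    for control in BASELINE:
        print(f"{control.id} {'PASS' if results[control.id] else 'FAIL'} - {control.title}")
    print("release:", "approved" if release_gate(results) else "blocked")
```

Running it shows ssh-02 and ssh-04 failing and the release blocked; the second `PasswordAuthentication no` line does not rescue the host, which is exactly the kind of detail a validator must get right or it will approve servers sshd will run differently.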
Shift Left
Initial Approach: 15 weeks+
● Stood up 300+ servers from service catalog over 1 weekend
● Waited weeks for extra build services beyond the catalog
● Allowed app and middleware teams to configure in parallel
● After 2+ months were able to apply compliance rules using Security Blanket
○ Required 2+ weeks just to run; resulted in compliance tickets, remediation and rework
Alternatively: “Orders of Magnitude Differential”
○ Run Time: 300 servers -> 6 mins -> 30 hours
○ Setup time: 40-100 hours ***
DevOps & State Health Exchange Migration (timeline slide: March, April, May, June, July)
Gauntlt: “Be Mean to Your Code”
Case Study: Driving Security Testing into the Pipeline: Automated Vulnerability Scanning
Security as a Function of Quality: Gauntlt
● An open source application vulnerability scanner engine that enables a self-service vulnerability resolution solution
● Automates use of multiple vulnerability security scanning tools
● Provides packages allowing developers to easily run self-service security checks against their applications
● Scans begin immediately and take only minutes to complete
Lessons Learned in DevOps Transformation
Takeaways that will fundamentally change the entire strategy.
Automation & Tools are Important but “Don’t be Distracted by it”
Emphasize Simplification & Standardization over Automation
Start Small & Focus
Shift Left… one capability at a time…
Embrace Failure as a Friend
Plan and expect failure as a positive outcome. Encourage teams to fail quickly and learn from those failures.
Seek the Input & Passion of Others
In the end, it has been the folks most passionate about each problem that achieved success.
Voice of the Customer
Define, understand, and listen to your customer as part of your journey. You will be surprised how eager they are to help you.
DevSecOps over the next 5 Years (written 3 years ago)
1. The Next Generation of Security Professionals will be Chosen from DevOps Teams
2. A Big Data Problem: The challenge becomes more about the data outputs than the toolsets.
3. Shared Responsibility becomes more of a reality.
4. Security is seen as an integral part of the value stream.
5. There will be a new breed of security capabilities created by Inner Source efforts, i.e. Netflix Security Monkey.
Key Takeaways
• Fail small, fail fast
• It's a culture shift, not just about automation
• Drive out complexity: Complex things don’t scale
• Avoid Analysis Paralysis: DevOps is a culture and a living organism
• DevOps is not a fad, it is the future
• Automation: Focus on where the human adds value. Automate everything else.
The Obvious Problem
Incidents, Outages, & Breaches are Costly
Why do they seem to be happening more often?
Combating Complexity in Software
“The growth of complexity in society has got ahead of our understanding of how complex systems work and fail”
– Sidney Dekker
Our systems have evolved beyond human ability to mentally model their behavior.
Everyone else: Circuit Breaker Patterns, Continuous Delivery, Distributed Systems, Blue/Green Deployments, Cloud Computing, Service Mesh, Containers, Immutable Infrastructure, Infracode, Continuous Integration, Microservice Architectures, API, Auto Canaries, CI/CD, DevOps, Automation Pipelines
Complex? Simplify?
Security: Mostly Monolithic, Requires Domain Knowledge, Prevention focused, Poorly Aligned, Defense in Depth, Stateful in nature, DevSecOps not widely adopted, Expert Systems, Adversary Focused
Software has officially taken over
Software Only Increases in Complexity
Software Complexity: Accidental vs. Essential
Woods Theorem:
“As the complexity of a system increases, the accuracy of any single agent’s own model of that system decreases”
– Dr. David Woods
What about my systems?
How well do you really understand how your system works?
Systems Engineering is Messy
In Reality…
In the beginning... we think it looks like
After a few months…
● Hard Coded Passwords
● Identity Conflicts
● Lead Software Engineer finds a new job at Google
● New Security Tool
● Refactor Pricing
● 300 Microservices -> 850 Microservices
● Cloud Provider API Outage
● WAF Outage -> Disabled
● Scalability Issues
● Network is Unreliable
● Autoscaling Keeps Breaking
● Large Customer Outage
● Delayed Features
● DNS Resolution Errors
● Expired Certificate
● Regulatory Audit
● Rolling Sev1 Outage on Portal
● Code Freeze
Years?…
● Hard Coded Passwords
● Identity Conflicts
● Lead Software Engineer finds a new job at Google
● New Security Tool
● Refactor Pricing
● 300 Microservices -> 4000 Microservices
● Cloud Provider API Outage
● Firewall Outage -> Disabled
● Scalability Issues
● Network is Unreliable
● Autoscaling Keeps Breaking
● Large Customer Outage
● Delayed Features
● DNS Resolution Errors
● Expired Certificate
● Regulatory Audit
● Rolling Sev1 Outages on Portal
● Code Freeze
● Hard Coded Passwords
● Identity Conflicts
● Lead Software Engineer finds a new job at Google
● New Security Tool
● Refactor Pricing
● 300 Microservices -> 850 Microservices
● Cloud Provider API Outage
● WAF Outage -> Disabled
● Scalability Issues
● Network is Unreliable
● Autoscaling Keeps Breaking
● Large Customer Outage
● Delayed Features
● DNS Resolution Errors
● Expired Certificate
● Regulatory Audit
● Rolling Sev1 Outage on Portal
● Merger with competitor
● Misconfigured FW Rule Outage
● Database Outage
● Portal Retry Storm Outage
● Orphaned Documentation
● Corporate Reorg
● Budget Freeze
● Outsource overseas development
● Exposed Secrets on Github
● Code Freeze
● Migration to New CSP
● Upgrade to Java SE 12
Our systems become more complex and messy than we remember them
Difficult to Mentally Model
Avoid Running in the Dark
So what does all of this $&%* have to do with Security?
Failure Happens a Lot
The Normal Condition is to FAIL
We need failure to Learn & Grow
“things that have never happened before happen all the time”
– Scott Sagan, “The Limits of Safety”
What happens when our Security fails?
How do we typically discover when our security measures fail?
Security Incidents
Typically we don't find out our security is failing until there is a security incident.
Vanishing Traces
All we typically ever see is the Footsteps in the Sand
– Allspaw
Logs, Stack Traces, Alerts
Security incidents are not effective measures of detection, because at that point it's already too late.
What typically causes our security to fail?
2018 Causes of Data Breaches
‘Human-Error’, Root Cause, & Blame Culture
No System is inherently Secure by Default; it's Humans that make them that way.
People Operate Differently when they expect things to fail
Chaos Engineering
“Chaos Engineering is the discipline of experimenting on a distributed system in order to build confidence in the system’s ability to withstand turbulent conditions”
Who is doing Chaos?
“[Chaos Engineering is] empirical rather than formal. We don’t use models to understand what the system should do. We run experiments to learn what it does.”
– Michael T. Nygard
Use Chaos to Establish Order
Testing vs. Experimentation
Chaos Engineering Maturity
Despite what has been popularized on online tech blogs you do not start off performing Chaos Engineering on live production systems. There is a maturity ramp to getting there.
● Validate Chaos Tools in Lower Environment
● Develop Competency & Confidence in Tooling
● Dry-run experiments
Warning: Still be careful in Non-Prod environments as you will be surprised what hazards lie in Non-Prod. (Kafka Story)
Chaos Monkey Story
● During Business Hours
● Born out of Netflix Cloud Transformation
● Put well defined problems in front of engineers.
● Terminate VMs on Random VPC Instances
Chaos Pitfalls: Auto-Remediation
“…an operator will only be able to generate successful new strategies for unusual situations if he has an adequate knowledge of the process.”
“Long term knowledge develops only through use and feedback about its effectiveness.”
— Lisanne Bainbridge, The Ironies of Automation (1983)
Bring context or chase down vulnerabilities for the service owner instead of automating fixes, as this leads to a Fiery Hell!
Reference: Nora Jones, 8 Traps of Chaos Engineering
Chaos Pitfalls: Breaking things on Purpose
“I'm pretty sure I won’t have a job very long if I break things on purpose all day.”
– Casey Rosenthal
The purpose of Chaos Engineering is NOT to “Break Things on Purpose”. If anything we are trying to “Fix them on Purpose”!
Reference: Nora Jones, 8 Traps of Chaos Engineering
GameDay Exercises
● 2-4 hrs in Length
● Diverse Cross Functional Group of Engineers
● Focused on Increasing Resilience
● Used for Manual Chaos Engineering
● Great Introduction to Chaos Engineering
Recommendations
● Use GameDays for New Chaos Experiments
● Use GameDays for Initial Experiment Deployment on New Targets
● Use GameDays for Proving New Chaos Engineering Tools
● Get Everyone in the Same Location
● Define steady state
● Formulate hypothesis
● Outline methodology
● Identify blast radius
● Observability is key
● Readily abortable
Experiment Lifecycle
1. Perform a GameDay Exercise: Plan, Schedule, and Run a GameDay Exercise for New Experiments.
2. Validate Experiment Hypothesis. Goal: Validate the experiment ran successfully and that the results are credible.
3. Remediate Findings & Repeat Experiment: If the hypothesis failed for the experiment, develop and remediate the list of findings. Once remediated, repeat the experiment.
4. Once Successful: Automate Experiment. Once the experiment has been proved to run successfully, validating your hypothesis, you can now automate the experiment runs periodically.
GameDays: The Basics
● Plan & Organize GameDay Exercise
● Execute Live GameDay Operations
● Automate & Evangelize Results & Take Action
● Chaos Experiment: Develop & Evaluate
● Conduct Pre-Incident Review
Security Chaos Engineering
“The discipline of instrumentation, identification, and remediation of failure within security controls through proactive experimentation to build confidence in the system's ability to defend against malicious conditions in production.”
Security Chaos Engineering is...
● Continuous Security Verification
● Proactively Manage & Measure
● Reduce Uncertainty by Building Confidence
● Build Confidence in What Actually Works
Security Chaos Engineering Use Cases
Incident Response
Security Incidents are Subjective in Nature
We really don't know very much: Where? Why? Who? What? How?
“Response” is the problem with Incident Response
Let's face it, when outages happen…
Teams spend too much time reacting to outages instead of building more resilient systems.
Post Mortem = Preparation
Let's Flip the Model
Solution Architecture
“More men (people) die from their remedies not their illnesses”
– Jean-Baptiste Poquelin
Solutions Architecture needs reinvention
Patterns never worked
Ivory Tower Architecture
ChaoSlingr: An Open Source Tool
ChaoSlingr Product Features
• Serverless App in AWS
• 100% Native AWS
• Configurable Operational Mode & Frequency
• Opt-In | Opt-Out Model
• ChatOps Integration
• Configuration-as-Code
• Example Code & Open Framework
Hypothesis: If someone accidentally or maliciously introduced a misconfigured port then we would immediately detect, block, and alert on the event.
Experiment flow (diagram labels): Misconfigured Port Injection; Firewall?; Config Mgmt?; Log data?; Alert SOC?; IR Triage; Wait...
Result: Hypothesis disproved. The firewall did not detect or block the change on all instances: the standard Port AAA security policy was out of sync on the Portal Team instances. The port change did not trigger an alert, and log data indicated a successful change audit. However, we unexpectedly learned the configuration mgmt tool caught the change and alerted the SOC.
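The experiment above, and the GameDay basics it rests on (steady state, hypothesis, bounded blast radius, observe every control, readily abortable), as an added illustration. This is not ChaoSlingr's code: the fleet, the stale-policy Portal hosts, the firewall and config-management behaviours, and the injected port are all constructed so the example runs offline and reproduces the shape of the result on the slide (firewall misses the out-of-sync hosts, config management alerts the SOC, the audit log records a successful change).

```python
"""Constructed simulation of a security chaos experiment: inject a misconfigured
open port on a bounded set of hosts, observe what each security control reports,
roll back, and compare the observations with the hypothesis. Not ChaoSlingr code;
every host, control and value here is made up for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

INJECTED_PORT = 3389            # constructed: a port the baseline says must stay closed
CURRENT_POLICY = "aaa-v7"       # constructed: the firewall policy version hosts should enforce
BLAST_RADIUS_LIMIT = 2          # never touch more hosts than this in one run


@dataclass
class Instance:
    name: str
    team: str
    policy_version: str                     # policy the host actually enforces
    open_ports: Set[int] = field(default_factory=set)


@dataclass(frozen=True)
class Observation:
    detected: bool
    blocked: bool
    alerted: bool


def build_fleet() -> List[Instance]:
    """Constructed fleet: the Portal team's hosts run a stale firewall policy."""
    return [
        Instance("web-1", "web", CURRENT_POLICY),
        Instance("web-2", "web", CURRENT_POLICY),
        Instance("portal-1", "portal", "aaa-v5"),
        Instance("portal-2", "portal", "aaa-v5"),
    ]


def steady_state(fleet: List[Instance]) -> bool:
    """Steady state we expect before and after the run: the port is closed everywhere."""
    return all(INJECTED_PORT not in inst.open_ports for inst in fleet)


def inject(inst: Instance, audit_log: List[str]) -> None:
    """The change under test; the audit trail records it as a successful change."""
    inst.open_ports.add(INJECTED_PORT)
    audit_log.append(f"host={inst.name} change=open_port port={INJECTED_PORT} result=success")


def rollback(inst: Instance) -> None:
    inst.open_ports.discard(INJECTED_PORT)


def firewall_control(inst: Instance) -> Observation:
    """Constructed behaviour: the host firewall only enforces (reverts) the change
    when its policy version is current; a stale policy sees nothing."""
    in_sync = inst.policy_version == CURRENT_POLICY
    if in_sync:
        rollback(inst)
    return Observation(detected=in_sync, blocked=in_sync, alerted=in_sync)


def config_mgmt_control(inst: Instance) -> Observation:
    """Constructed behaviour: desired-state comparison flags and alerts on any drift."""
    drift = INJECTED_PORT in inst.open_ports
    return Observation(detected=drift, blocked=False, alerted=drift)


def verdict(findings: Dict[str, Dict[str, Observation]], audit_log: List[str]) -> dict:
    """Hypothesis: the firewall detects, blocks and alerts on every targeted host."""
    fw = {name: obs["firewall"] for name, obs in findings.items()}
    return {
        "hypothesis_holds": all(o.detected and o.blocked and o.alerted for o in fw.values()),
        "firewall_missed": sorted(name for name, o in fw.items() if not o.detected),
        "soc_alerted": any(o.alerted for obs in findings.values() for o in obs.values()),
        "audit_entries": len(audit_log),
    }


def run_experiment(fleet: List[Instance], targets: List[str]) -> dict:
    """One bounded, reversible run: abort before injecting if preconditions fail."""
    if len(targets) > BLAST_RADIUS_LIMIT:
        raise ValueError("blast radius exceeds limit; aborting before injection")
    if not steady_state(fleet):
        raise RuntimeError("steady state not met; aborting")
    chosen = [inst for inst in fleet if inst.name in targets]
    audit_log: List[str] = []
    findings: Dict[str, Dict[str, Observation]] = {}
    try:
        for inst in chosen:
            inject(inst, audit_log)
            findings[inst.name] = {
                "firewall": firewall_control(inst),
                "config_mgmt": config_mgmt_control(inst),
            }
    finally:
        for inst in chosen:         # always restore steady state, even on error
            rollback(inst)
    return verdict(findings, audit_log)


if __name__ == "__main__":
    fleet = build_fleet()
    print(run_experiment(fleet, ["web-1", "portal-1"]))
    print("steady state restored:", steady_state(fleet))
```

Targeting one web host and one Portal host disproves the hypothesis: `firewall_missed` names the stale-policy host, `soc_alerted` is true only because config management caught the drift, and the audit log shows two successful changes. Repeating the run against only in-sync hosts makes the hypothesis hold, which is the remediate-and-repeat step of the lifecycle above.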
“Stop looking for better answers and start asking better questions.”
– John Allspaw
Q&A
@aaronrinehart aaron@verica.io

AllDayDevOps : DevSecOps & Chaos Engineering: Knowing the Unknown
 
TestBed-Cyber-Security-Workshops
TestBed-Cyber-Security-WorkshopsTestBed-Cyber-Security-Workshops
TestBed-Cyber-Security-Workshops
 

Recently uploaded

Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
Adele Miller
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
Max Andersen
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
Tier1 app
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
Google
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
Ortus Solutions, Corp
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Shahin Sheidaei
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 

Recently uploaded (20)

Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 

VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"

  • 2. In this Session we will cover
  • 3. Areas Covered
    ● Rugged DevOps Journey at United Health Group
    ● Combating Complexity in Software
    ● Chaos Engineering
    ● Resilience Engineering & Security
    ● Security Chaos Engineering
  • 4. Aaron Rinehart, CTO, Founder, Verica
    ● Former Chief Security Architect @UnitedHealth responsible for security engineering strategy
    ● Led the DevOps and Open Source Transformation at UnitedHealth Group
    ● Former (DOD, NASA, DHS, CollegeBoard)
    ● Frequent speaker and author on Chaos Engineering & Security
    ● Pioneer behind Security Chaos Engineering
    ● Led ChaoSlingr team at UnitedHealth
  • 5. My knowledge of DevOps & Agile when I started.
  • 6. What is DevOps? “DevOps, a movement of people who care about developing and operating reliable, secure, high performance systems at scale, has always — intentionally — lacked a definition or manifesto.” – Jez Humble, author “The DevOps Handbook”
  • 7. Our path begins…
    ● The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win, by Gene Kim, Kevin Behr and George Spafford
    ● The DevOps Handbook: How to create world-class agility, reliability, and security in technology organizations, by Gene Kim, Patrick Debois, John Willis, Jez Humble and John Allspaw
  • 8. Our Journey: Developer Enablement. Develop the tools, techniques and processes needed to deliver security services in a world of Continuous Delivery.
  • 9. A New Paradigm: Bold Steps
    ● Drive Security as a Function of Quality
    ● Building a Better Model: Continuous Delivery is Better Security
      ○ Focus on Delivering Value
      ○ Continuous Security Model
      ○ Enable DevOps Strategy and Automation
  • 10. A Grass Roots Beginning
    ● Teams across Silos & Disciplines
      ○ 60 Developers, Operations Engineers, and Security Leaders from across the entire company.
    ● Began with Six Core DevOps Security Problem Sets
      ○ Security Baseline + Configuration Validation w/ Chef & InSpec
      ○ Gauntlt Rugged Attack Framework
      ○ Static Code Analysis (SAST): Automating Fortify with Jenkins via API
      ○ Application Vulnerability Scans (DAST): Automating WebInspect with Jenkins via API
      ○ DevOps Self-Governance & Operationalization Framework: How does this world look from an operational support perspective?
      ○ Clair Container Image Scanning: Building Image Scanning into Jenkins
  • 11. Case Study: State Health Exchange. Chef + InSpec: Automated Security Configuration & Validation at Speed
  • 12. Shift Left
    ● Enable Deployment & Compliance at Speed and Scale
    ● Allow developers to leverage “Security”-Approved Chef server compliance cookbooks
    ● Compliance is built into the initial server standup process and immediately confirmed prior to release for use
      ○ No longer a late “add on”
      ○ It is “just another cookbook” that can be automatically applied
  • 13. DevOps & State Health Exchange Migration (timeline: March to July)
    Initial Approach: 15 weeks+
    ● Stood up 300+ servers from service catalog over 1 weekend
    ● Waited weeks for extra build services beyond the catalog
    ● Allowed app and middleware teams to configure in parallel
    ● After 2+ months were able to apply compliance rules using Security Blanket
      ○ Required 2+ weeks just to run; resulted in compliance tickets, remediation and rework
    Alternatively: “Orders of Magnitude Differential”
      ○ Run Time: 300 servers ⭢ 6 mins ⭢ 30 hours
      ○ Setup time: 40-100 hours ***
  • 14. Case Study: Driving Security Testing into the Pipeline: Automated Vulnerability Scanning. Gauntlt: “Be Mean to Your Code”
  • 15. Security as a Function of Quality: Gauntlt
    ○ An open source application vulnerability scanner engine that enables a self-service vulnerability resolution solution
    ○ Automates use of multiple vulnerability security scanning tools
    ○ Provides packages allowing developers to easily run self-service security checks against their applications
    ○ Scans begin immediately and take only minutes to complete
  • 16. Lessons Learned in DevOps Transformation: takeaways that will fundamentally change the entire strategy.
  • 17. Automation & Tools are Important but “Don’t be Distracted by it”: emphasize simplification & standardization over automation.
  • 18. Start Small & Focus: shift left, one capability at a time.
  • 19. Embrace Failure as a Friend: plan and expect failure as a positive outcome. Encourage teams to fail quickly and learn from those failures.
  • 20. Seek the Input & Passion of Others: in the end, it has been the folks most passionate about each problem that achieved success.
  • 21. Voice of the Customer: define, understand, and listen to your customer as part of your journey. You will be surprised how eager they are to help you.
  • 22. DevSecOps over the next 5 Years (written 3 years ago)
    1. The Next Generation of Security Professionals will be Chosen from DevOps Teams
    2. A Big Data Problem: The challenge becomes more about the data outputs than the toolsets.
    3. Shared Responsibility becomes more of a reality.
    4. Security is seen as an integral part of the value stream.
    5. There will be a new breed of security capabilities created by Inner Source efforts, e.g. Netflix Security Monkey.
  • 23. Key Takeaways
    • Fail small, fail fast
    • It’s a culture shift, not just about automation
    • Drive out complexity: complex things don’t scale
    • Avoid Analysis Paralysis: DevOps is a culture and a living organism
    • DevOps is not a fad, it is the future
    • Automation: Focus on where the human adds value. Automate everything else.
  • 26. Why do they seem to be happening more often?
  • 28. “The growth of complexity in society has got ahead of our understanding of how complex systems work and fail” - Sidney Dekker
  • 29. Our systems have evolved beyond human ability to mentally model their behavior.
  • 30. Our systems have evolved beyond human ability to mentally model their behavior. (“everyone else”)
  • 31.
  • 32. Complex? Circuit Breaker Patterns, Continuous Delivery, Distributed Systems, Blue/Green Deployments, Cloud Computing, Service Mesh, Containers, Immutable Infrastructure, Infracode, Continuous Integration, Microservice Architectures, API, Auto Canaries, CI/CD, DevOps, Automation Pipelines
  • 33. Security? Mostly Monolithic, Requires Domain Knowledge, Prevention focused, Poorly Aligned, Defense in Depth, Stateful in nature, DevSecOps not widely adopted, Expert Systems, Adversary Focused
  • 36. Software Only Increases in Complexity
  • 38. Woods’ Theorem: “As the complexity of a system increases, the accuracy of any single agent’s own model of that system decreases” - Dr. David Woods
  • 39. What about my systems?
  • 40. How well do you really understand how your system works?
  • 43. After a few months…. Hard Coded Passwords, Identity Conflicts, Lead Software Engineer finds a new job at Google, New Security Tool, Refactor Pricing, 300 Microservices Δ-> 850 Microservices, Cloud Provider API Outage, WAF Outage -> Disabled, Scalability Issues, Network is Unreliable, Autoscaling Keeps Breaking, Large Customer Outage, Delayed Features, DNS Resolution Errors, Expired Certificate, Regulatory Audit, Rolling Sev1 Outage on Portal, Code Freeze
  • 44. Years?…. Hard Coded Passwords, Identity Conflicts, Lead Software Engineer finds a new job at Google, New Security Tool, Refactor Pricing, 300 Microservices Δ-> 850 Microservices, 300 Microservices Δ-> 4000 Microservices, Cloud Provider API Outage, Firewall Outage -> Disabled, WAF Outage -> Disabled, Scalability Issues, Network is Unreliable, Autoscaling Keeps Breaking, Large Customer Outage, Delayed Features, DNS Resolution Errors, Expired Certificate, Regulatory Audit, Rolling Sev1 Outages on Portal, Code Freeze, Merger with competitor, Misconfigured FW Rule Outage, Database Outage, Portal Retry Storm Outage, Orphaned Documentation, Corporate Reorg, Budget Freeze, Outsource overseas development, Exposed Secrets on Github, Migration to New CSP, Upgrade to Java SE 12
  • 45. Our systems become more complex and messy than we remember them
  • 47. Avoid Running in the Dark
  • 48. So what does all of this $&%* have to do with Security?
  • 51. We need failure to Learn & Grow
  • 52. “things that have never happened before happen all the time” –Scott Sagan “The Limits of Safety”
  • 53. What happens when our Security fails?
  • 54. How do we typically discover when our security measures fail?
  • 55. Security Incidents: typically we don’t find out our security is failing until there is a security incident.
  • 56. Vanishing Traces: all we typically ever see is the “Footsteps in the Sand” (Allspaw): logs, stack traces, alerts.
  • 57. Security incidents are not effective measures of detection because at that point it’s already too late.
  • 58. What typically causes our security to fail?
  • 59. 2018 Causes of Data Breaches
  • 64. No system is inherently secure by default; it’s humans that make them that way.
  • 65. People Operate Differently when they expect things to fail
  • 66.
  • 67.
  • 69. “Chaos Engineering is the discipline of experimenting on a distributed system in order to build confidence in the system’s ability to withstand turbulent conditions” Chaos Engineering
  • 70. Who is doing Chaos?
  • 71.
  • 72.
  • 73. “[Chaos Engineering is] empirical rather than formal. We don’t use models to understand what the system should do. We run experiments to learn what it does.” - Michael T. Nygard
  • 74. Use Chaos to Establish Order
  • 76. Chaos Engineering Maturity
    Despite what has been popularized on online tech blogs, you do not start off performing Chaos Engineering on live production systems. There is a maturity ramp to getting there.
    ● Validate Chaos Tools in Lower Environment
    ● Develop Competency & Confidence in Tooling
    ● Dry-run experiments
    Warning: still be careful in non-prod environments, as you will be surprised what hazards lie in non-prod. (Kafka Story)
  • 77. Chaos Monkey Story
    ● During Business Hours
    ● Born out of Netflix Cloud Transformation
    ● Put well defined problems in front of engineers.
    ● Terminate VMs on Random VPC Instances
  • 78. Chaos Pitfalls: Auto-Remediation
    “…an operator will only be able to generate successful new strategies for unusual situations if he has an adequate knowledge of the process.” “Long term knowledge develops only through use and feedback about its effectiveness.” — Lisanne Bainbridge, The Ironies of Automation (1983)
    Bring context or chase down vulnerabilities for the service owner instead of automating fixes, as this leads to a Fiery Hell!
    Reference: Nora Jones, 8 Traps of Chaos Engineering
  • 79. Chaos Pitfalls: Breaking Things on Purpose
    “I'm pretty sure I won’t have a job very long if I break things on purpose all day.” - Casey Rosenthal
    The purpose of Chaos Engineering is NOT to “Break Things on Purpose”. If anything, we are trying to “Fix them on Purpose”!
    Reference: Nora Jones, 8 Traps of Chaos Engineering
  • 80. GameDay Exercises
    ● 2-4 hrs in Length
    ● Diverse Cross Functional Group of Engineers
    ● Focused on Increasing Resilience
    ● Used for Manual Chaos Engineering
    ● Great Introduction to Chaos Engineering
    Recommendations
    ● Use GameDays for New Chaos Experiments
    ● Use GameDays for Initial Experiment Deployment on New Targets
    ● Use GameDays for Proving New Chaos Engineering Tools
    ● Get Everyone in the Same Location
  • 81. Experiment Lifecycle
    ● Define steady state
    ● Formulate hypothesis
    ● Outline methodology
    ● Identify blast radius
    ● Observability is key
    ● Readily abortable
    1. Perform a GameDay Exercise: plan, schedule, and run a GameDay Exercise for new experiments.
    2. Validate Experiment Hypothesis. Goal: validate that the experiment ran successfully and that the results are credible.
    3. Remediate Findings & Repeat Experiment: if the hypothesis failed for the experiment, develop and remediate the list of findings. Once remediated, repeat the experiment.
    4. Once Successful: Automate Experiment. Once the experiment has been proved to run successfully, validating your hypothesis, you can now automate the experiment runs periodically.
  • 82. GameDays: The Basics (cycle diagram stages): Plan & Organize GameDay Exercise; Execute Live GameDay Operations; Automate & Evangelize; Results & Take Action; Develop & Evaluate Chaos Experiment; Conduct Pre-Incident Review
  • 84. “The discipline of instrumentation, identification, and remediation of failure within security controls through proactive experimentation to build confidence in the system's ability to defend against malicious conditions in production.” Security Chaos Engineering is...
  • 92. We really don’t know very much: Where? Why? Who? What? How?
  • 93. “Response” is the problem with Incident Response
  • 94. Let’s face it, when outages happen… teams spend too much time reacting to outages instead of building more resilient systems.
  • 95. Let’s Flip the Model: Post Mortem = Preparation
  • 96.
  • 97. Solution Architecture: “More men (people) die from their remedies not their illnesses” - Jean-Baptiste Poquelin
  • 98. Solutions Architecture needs reinvention: patterns never worked; Ivory Tower Architecture.
  • 100. ChaoSlingr Product Features
    • Serverless App in AWS
    • 100% Native AWS
    • Configurable Operational Mode & Frequency
    • Opt-In | Opt-Out Model
    • ChatOps Integration
    • Configuration-as-Code
    • Example Code & Open Framework
  • 101. Hypothesis: If someone accidentally or maliciously introduced a misconfigured port, then we would immediately detect, block, and alert on the event.
    (Diagram labels: Misconfigured Port Injection; Firewall?; Log data?; Config Mgmt?; Alert SOC?; IR Triage; Wait...)
  • 102. Result: Hypothesis disproved. The firewall did not detect or block the change on all instances: the standard Port AAA security policy was out of sync on the Portal Team instances. The port change did not trigger an alert, and log data indicated a successful change audit. However, we unexpectedly learned that the configuration management tool caught the change and alerted the SOC.
    (Diagram labels: Misconfigured Port Injection; Firewall?; Log data?; Config Mgmt?; Alert SOC?; IR Triage; Wait...)
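The experiment lifecycle of slide 81 applied to the misconfigured-port hypothesis of slides 101-102, as an added simulation that is not ChaoSlingr's or the presenter's code: the fleet, the per-team firewall policies and the configuration-management baseline are constructed in memory (no real firewall or config tool is touched), with the Portal Team policy deliberately out of sync so a run reproduces the disproved hypothesis and the unexpected second detection.

```python
"""Security chaos experiment: the 'misconfigured port' hypothesis run through
the experiment lifecycle. Added example with a constructed in-memory fleet;
it is not ChaoSlingr's code and talks to no real firewall or config tool."""
from dataclasses import dataclass, field

# Constructed approved baseline: every instance exposes only 443.
BASELINE_PORTS = frozenset({443})

# Constructed per-team firewall policies (the ports a policy tolerates).
# The Portal Team copy has drifted, mirroring the "out of sync" finding.
FIREWALL_POLICY = {
    "Claims Team": frozenset({443}),
    "Portal Team": frozenset({443, 8080}),  # drift: 8080 is silently tolerated
}


@dataclass
class Instance:
    name: str
    team: str
    open_ports: set = field(default_factory=lambda: set(BASELINE_PORTS))


def make_fleet():
    """Constructed inventory: one instance per team, both at the baseline."""
    return [Instance("claims-01", "Claims Team"), Instance("portal-01", "Portal Team")]


def steady_state_ok(fleet):
    """Steady state: no instance has drifted from the approved baseline."""
    return all(i.open_ports == set(BASELINE_PORTS) for i in fleet)


def firewall_detects(inst, port):
    """Control 1: does the team's firewall policy block/alert on this port?"""
    return port not in FIREWALL_POLICY[inst.team]


def config_mgmt_detects(inst):
    """Control 2: configuration-management drift check against the baseline."""
    return inst.open_ports != set(BASELINE_PORTS)


def run_experiment(fleet, blast_radius, port=8080):
    """Lifecycle: verify steady state, inject only inside the blast radius,
    observe each control, always roll back, then judge the hypothesis.
    Hypothesis (slide 101): the firewall detects and blocks on every instance."""
    if not steady_state_ok(fleet):
        raise RuntimeError("abort: steady state not met before injection")
    findings, injected = {}, []
    try:
        for inst in fleet:
            if inst.name not in blast_radius:
                continue                      # outside blast radius: untouched
            inst.open_ports.add(port)         # the injected misconfiguration
            injected.append(inst)
            fw = firewall_detects(inst, port)
            cm = config_mgmt_detects(inst)
            findings[inst.name] = {
                "firewall": fw,
                "config_mgmt": cm,
                "soc_alerted": fw or cm,      # any control raising an alert
            }
    finally:
        for inst in injected:                 # readily abortable: rollback
            inst.open_ports.discard(port)
    return {
        "hypothesis_holds": all(f["firewall"] for f in findings.values()),
        "findings": findings,
    }


if __name__ == "__main__":
    fleet = make_fleet()
    result = run_experiment(fleet, blast_radius={"claims-01", "portal-01"})
    print("hypothesis holds:", result["hypothesis_holds"])   # False
    for name, f in result["findings"].items():
        print(f"{name}: {f}")
```

Narrowing `blast_radius` to the Claims Team alone makes the hypothesis hold, which is exactly why slide 81 asks for the blast radius to be chosen deliberately: a drifted policy on one team is invisible unless that team is inside it.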
  • 103. Stop looking for better answers and start asking better questions. - John Allspaw