Praise for Security Chaos Engineering
Security Chaos Engineering is a must read for technology leaders and engineers today, as we operate increasingly complex systems. Security Chaos Engineering presents clear evidence that systems resilience is a shared goal of both ops and security teams, and showcases tools and frameworks to measure, design, and instrument systems to improve the resilience and security of our systems.
10/10 strong recommend (kidding but also not).
Dr. Nicole Forsgren, lead author of Accelerate and partner at Microsoft Research
Shortridge weaves multiple under-served concepts into the books guidance, like recognizing human biases, the power of rehearsals, org design, complex systems, systems thinking, habits, design thinking, thinking like a product manager and a financial planner, and much more.
This book brings the reader in on a well-kept secret: security is more about people and processes than about technology. It is our mental models of those elements that drive our efforts and outcomes.
Bob Lord, former Chief Security Officer of the DNC and former Chief Information Security Officer of Yahoo
As our societies become more digitized then our software ecosystems are becoming ever more complex. While complexity can be considered the enemy of security, striving for simplicity as the sole tactic is not realistic. Rather, we need to manage complexity and a big part of that is chaos engineering. That is testing, probing, modeling, and nudging complex systems to a better state. This is tough, but Kelly and Aaron bring immense cross-domain, practical real-world experience to this area in a way that all security professionals should find accessible and fascinating.
Phil Venables, Chief Information Security Officer, Google Cloud
Security Chaos Engineering provides a much-needed reframing of cybersecurity that moves it away from arcane rules and rituals, replacing them with modern concepts from software and resiliency engineering. If you are looking for ways to uplift your security approaches and engage your whole engineering team in the process, this book is for you.
Camille Fournier, engineering leader and author, The Managers Path
We as defenders owe it to ourselves to make life as hard for attackers as possible. This essential work expertly frames this journey succinctly and clearly and is a must read for all technology leaders and security practitioners, especially in our cloud native world.
Rob Duhart, Jr., VP, Deputy Chief Information Security Officer and Chief Information Security Officer eCommerce at Walmart
Security Chaos Engineering is an unflinching look at how systems are secured in the real world. Shortridge understands both the human and the technical elements in security engineering.
George Neville-Neil, author of the Kode Vicious column in ACM Queue Magazine
Security masquerades as a technical problem, but it really cuts across all layers: organizational, cultural, managerial, temporal, historical, and technical. You cant even define security without thinking about human expectations, and the dividing line between flaw and vulnerability is non-technical. This thought-provoking book emphasizes the inherent complexity of security and the need for flexible and adaptive approaches that avoid both box-ticking and 0day-worship.
Thomas Dullien, founder, security researcher, and performance engineer
Security Chaos Engineering
by Kelly Shortridge with Aaron Rinehart
Copyright 2023 Aaron Rinehart and Kelly Shortridge. All rights reserved.
Printed in the United States of America.
Published by OReilly Media, Inc. , 1005 Gravenstein Highway North, Sebastopol, CA 95472.
OReilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.
- Acquisitions Editor: John Devins
- Development Editor: Michele Cronin
- Production Editor: Clare Laylock
- Copyeditor: Nicole Tach
- Proofreader: Audrey Doyle
- Indexer: Sue Klefstad
- Interior Designer: David Futato
- Cover Designer: Karen Montgomery
- Illustrator: Kate Dullea
- Chapter-Opener Image Designer: Savannah Glitschka
- March 2023: First Edition
Revision History for the First Edition
- 2023-03-30: First Release
See http://oreilly.com/catalog/errata.csp?isbn=9781098113827 for release details.
The OReilly logo is a registered trademark of OReilly Media, Inc. Security Chaos Engineering, the cover image, and related trade dress are trademarks of OReilly Media, Inc.
The views expressed in this work are those of the authors and do not represent the publishers views. While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
978-1-098-11382-7
[LSI]
Preface
In Lifes wave, in actions storm,
I float, up and down,
I blow, to and fro!
Birth and the tomb,
An eternal flow,
A woven changing,
A glow of Being.
Over Times quivering loom intent,
Working the Godheads living garment.
Faust
If youve worked with computers in a professional setting at any point since the dawn of the millennia, youve probably heard that security is important. By now, youve also probably realized cybersecurity is broken. Humans are entrusting us, as people working with software, with more and more of their lives and we are failing to keep that trust. Year after year, the same sorts of attacks ravage the coasts and heartlands of our ever-growing digital territories.
Meanwhile, the security industry accumulates power and money, indulging in newer, shinier technology and oft deepening their sanctimonious effrontery. Success outcomes remain amorphous; and in the background slinks an existential dread that security cant keep up with software. Fingers point and other fingers point back. Our security programs coagulate into performative ritualsa modern humoralism based in folk wisdom and tradition rather than empiricism. Software engineering teams simmer in resentment, yearning for answers on how to keep their systems safe without requiring ritual sacrifices. We know we can do better, but we struggle to chart a course when immersed in the murky obliqueness that is cybersecurity today.
A fundamental shift in both philosophy and practice is nigh. Cybersecurity must embrace the reality that failure will happen. Humans will click on things and sometimes it will be the wrong thing. The security implications of simple code changes wont be clear to developers. Mitigations will accidentally be disabled. Things will break (and are, in fact, breaking all the time). This shift requires us to transform toward resiliencethe ability to recover from failure and adapt as our context changes.
This book is an attack on current cybersecurity strategy and execution. To evoke author and activist Jane Jacobs, this attack is on the principles and aims that have shaped traditional cybersecurity strategy and execution, not quibbles about specific methods or design patterns.