The art of security chaos engineering

One truism of the cybersecurity world is that attackers have a much easier job than defenders. Malicious cyber actors only need to find a single weak point in the IT armor defending their desired target to gain their foothold. Defenders, on the other hand, need to be perfect: Blocking any and all avenues an attacker might try to follow into a sensitive IT environment. And that includes anticipating and thwarting novel attacks and attack vectors that may have never been used before.

That’s a big ask. But what if development and application security teams showed the same ingenuity, nimbleness and ruthless efficiency as your average cybercrime group? What if the speed and suddenness of an attack by a ransomware group was met with a sudden and comprehensive “fix” by the would-be target — and one that was automated and didn’t rely on an IT staffer stumbling upon a ransom note?

That’s the vision of ConversingLabs guest Kelly Shortridge is advocating for. Shortridge is a Senior Principal at Fastly and the co-author with Aaron Rinehart of a new book, "Security Chaos Engineering: Sustaining Resilience in Software and Systems".

A speaker at the recent Black Hat Briefings in Las Vegas, Shortridge spoke to ConversingLabs' Paul Roberts about her new book — and about the challenges that DevOps organizations face as they try to respond to growing and rapidly changing cyber attacks.

See the Shortridge interview on ConversingLabs: The Art of Security Chaos Engineering

Toward a more resilient DevOps

One key strategy to achieving more resilient DevOps is to prioritize what has the biggest security impact, while also requiring the least amount of human compliance to carry out this prioritization. Shortridge talks about eliminating hazards in the design of your software, or removing hazardous methods and materials that create cyber risks, regardless of the best intentions of the developers or the development organization.

That could mean shifting from memory unsafe languages (like C) to memory safe languages like C#, Rust or Go. From a design perspective, that could mean emphasizing isolation as a way to limit the potential impact of attacks.

Think about it. If you have your billing service as a serverless function, it's going to be very difficult for attackers to move laterally, even to the database where that's hosting the billing data or to any other services. So you've contained the impact quite nicely.

Kelly Shortridge

Those kinds of secure by design concepts often take a back seat to the “bolt it on” approach that has dominated the information security industry for decades, and which dominate Black Hat and other industry conferences. This is what makes Shortridge stand out as an expert to catch up with.

In this episode, Shortridge talks about the idea of promoting resilience in application security design and about her new book, and how many of the goals of development teams to build applications that are reliable and performant overlap with the goals of security teams to deploy software that is resilient to attack.

You can watch the full ConversingLabs with Shortridge, The Art of Security Chaos Engineering, or listen to it wherever you get your podcasts.