RL Blog

Topics

All Blog PostsAppSec & Supply Chain SecurityDev & DevSecOpsProducts & TechnologySecurity OperationsThreat Research

Follow us

XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBluesky

Subscribe

Get the best of RL Blog delivered to your in-box weekly. Stay up to date on key trends, analysis and best practices across threat intelligence and software supply chain security.

ReversingLabs: The More Powerful, Cost-Effective Alternative to VirusTotalSee Why
Skip to main content
Contact UsSupportLoginBlogCommunity
reversinglabsReversingLabs: Home
Solutions
Secure Software OnboardingSecure Build & ReleaseProtect Virtual MachinesIntegrate Safe Open SourceGo Beyond the SBOM
Increase Email Threat ResilienceDetect Malware in File Shares & StorageAdvanced Malware Analysis SuiteICAP Enabled Solutions
Scalable File AnalysisHigh-Fidelity Threat IntelligenceCurated Ransomware FeedAutomate Malware Analysis Workflows
Product & Technology
Spectra Assure®Software Supply Chain SecuritySpectra DetectHigh-Speed, High-Volume, Large File AnalysisSpectra AnalyzeIn-Depth Malware Analysis & Hunting for the SOCSpectra IntelligenceAuthoritative Reputation Data & Intelligence
Spectra CoreIntegrations
Industry
Energy & UtilitiesFinanceHealthcareHigh TechPublic Sector
Partners
Become a PartnerValue-Added PartnersTechnology PartnersMarketplacesOEM Partners
Alliances
Resources
BlogContent LibraryCybersecurity GlossaryConversingLabs PodcastEvents & WebinarsLearning with ReversingLabsWeekly Insights Newsletter
Customer StoriesDemo VideosDocumentationOpenSource YARA Rules
Company
About UsLeadershipCareersSeries B Investment
EventsRL at RSAC
Press ReleasesIn the News
Pricing
Software Supply Chain SecurityMalware Analysis and Threat Hunting
Request a demo
Menu
AppSec & Supply Chain SecuritySeptember 20, 2023

The art of security chaos engineering

What if dev and app sec teams showed the same ingenuity, nimbleness and ruthless efficiency as cybercriminals? Fastly's Kelly Shortridge explains why that's essential to resilience.

paul roberts headshot black and white
Paul Roberts, Director of Content and Editorial at RLPaul Roberts
FacebookFacebookXX / TwitterLinkedInLinkedInblueskyBlueskyEmail Us
podcast title card the art of security chaos engineering with kelly shortride

One truism of the cybersecurity world is that attackers have a much easier job than defenders. Malicious cyber actors only need to find a single weak point in the IT armor defending their desired target to gain their foothold. Defenders, on the other hand, need to be perfect: Blocking any and all avenues an attacker might try to follow into a sensitive IT environment. And that includes anticipating and thwarting novel attacks and attack vectors that may have never been used before.

That’s a big ask. But what if development and application security teams showed the same ingenuity, nimbleness and ruthless efficiency as your average cybercrime group? What if the speed and suddenness of an attack by a ransomware group was met with a sudden and comprehensive “fix” by the would-be target — and one that was automated and didn’t rely on an IT staffer stumbling upon a ransom note?

That’s the vision of ConversingLabs guest Kelly Shortridge is advocating for. Shortridge is a Senior Principal at Fastly and the co-author with Aaron Rinehart of a new book, "Security Chaos Engineering: Sustaining Resilience in Software and Systems".

A speaker at the recent Black Hat Briefings in Las Vegas, Shortridge spoke to ConversingLabs' Paul Roberts about her new book — and about the challenges that DevOps organizations face as they try to respond to growing and rapidly changing cyber attacks.

See the Shortridge interview on ConversingLabs: The Art of Security Chaos Engineering

Toward a more resilient DevOps

One key strategy to achieving more resilient DevOps is to prioritize what has the biggest security impact, while also requiring the least amount of human compliance to carry out this prioritization. Shortridge talks about eliminating hazards in the design of your software, or removing hazardous methods and materials that create cyber risks, regardless of the best intentions of the developers or the development organization.

That could mean shifting from memory unsafe languages (like C) to memory safe languages like C#, Rust or Go. From a design perspective, that could mean emphasizing isolation as a way to limit the potential impact of attacks.

Think about it. If you have your billing service as a serverless function, it's going to be very difficult for attackers to move laterally, even to the database where that's hosting the billing data or to any other services. So you've contained the impact quite nicely.

Kelly Shortridge

Those kinds of secure by design concepts often take a back seat to the “bolt it on” approach that has dominated the information security industry for decades, and which dominate Black Hat and other industry conferences. This is what makes Shortridge stand out as an expert to catch up with.

In this episode, Shortridge talks about the idea of promoting resilience in application security design and about her new book, and how many of the goals of development teams to build applications that are reliable and performant overlap with the goals of security teams to deploy software that is resilient to attack.

You can watch the full ConversingLabs with Shortridge, The Art of Security Chaos Engineering, or listen to it wherever you get your podcasts.

Keep learning

  • Get up to speed on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the the webinar to discussing the findings.
  • Learn why binary analysis is a must-have in the Gartner® CISO Playbook for Commercial Software Supply Chain Security.
  • Take action on securing AI/ML with our report: AI Is the Supply Chain. Plus: See RL's research on nullifAI and watch how RL discovered the novel threat.
  • Get the report: Go Beyond the SBOM. Plus: See the CycloneDX xBOM webinar.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Tags:AppSec & Supply Chain Security

More Blog Posts

AI agents risk

Claude Mythos: Get your AppSec game on

Anthropic's new AI is a 'step change' for exposing software flaws — but also ramps up exploits. Are you ready for it?

Learn More about Claude Mythos: Get your AppSec game on
Claude Mythos: Get your AppSec game on
28

28 application security stats that matter

AI and open source are redefining the software threat landscape. Here are the key statistics you need to know.

Learn More about 28 application security stats that matter
28 application security stats that matter
axios

Axios: How AppSec teams should respond

Here's a mitigations checklist and best practices. Plus: How RL’s xBOM and Spectra Assure Community can help.

Learn More about Axios: How AppSec teams should respond
Axios: How AppSec teams should respond
Software trust debt

How JPMC tackles software ‘trust debt’

JPMorgan Chase CISO Patrick Opet discussed his letter on third-party software risk — and how that has played out.

Learn More about How JPMC tackles software ‘trust debt’
How JPMC tackles software ‘trust debt’

Spectra Assure Free Trial

Get your 14-day free trial of Spectra Assure

Get Free TrialMore about Spectra Assure Free Trial
Blog
Events
About Us
Webinars
In the News
Careers
Demo Videos
Cybersecurity Glossary
Contact Us
reversinglabsReversingLabs: Home
Privacy PolicyCookiesImpressum
All rights reserved ReversingLabs © 2026
XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBlueskyRSSRSS
Back to Top