Security Chaos Engineering: Sustaining Resilience in Software and Systems

Information security is broken. Year after year, attackers remain unchallenged and undeterred, while engineering teams feel mounting pressure to design, build, and operate "secure" systems. Attacks can't be prevented, mental models of systems are incomplete, and our digital world constantly evolves. How can we verify that our systems behave the way we expect? What can we do to improve our systems' resilience?

In this pragmatic and comprehensive guide, author Kelly Shortridge helps you navigate the challenges of securing complex software systems (including case studies collected by Aaron Rinehart). Using the principles and practices of security chaos engineering, they explore how you can cultivate resilience across the software delivery lifecycle. Attackers and systems will change, but by preparing for adverse events you can ensure it does not disrupt your ability to innovate, move quickly, and achieve your engineering and business goals. You will:

  • Learn how to design a modern security program aligned to business and engineering goals
  • Make informed decisions at each phase of software delivery to nurture resilience and adaptive capacity
  • Understand the complex systems dynamics upon which resilience outcomes depend
  • Navigate technical and organizational trade-offs that distort decision making in systems
  • Explore chaos experimentation to verify critical assumptions about software quality and security
  • Peek behind the scenes of major enterprises that leverage security chaos engineering and learn from their practices

The book is now available on Amazon, Bookshop, Barnes & Noble, Target, and other retailers.

The Security Chaos Engineering Report

Information security is broken. Users and customers continually entrust companies with vital information, and companies continually fail to maintain that trust. Year after year, the same attacks are successful. But the impact has become greater. Those who build, operate, and defend systems need to acknowledge that failure will happen. People will click on the wrong thing. The security implications of code changes won’t be clear. Things will break.

In this report, Aaron Rinehart and Kelly Shortridge explain how engineers can navigate security in this new frontier. You’ll learn the guiding principles of security chaos engineering for harnessing experimentation and failure as tools for empowerment—and you’ll understand how to transform security from a gatekeeper to a valued advisor. Case studies from Capital One and Cardinal Health are included.

  • Apply chaos engineering and resilience engineering to securely deliver software and services
  • Transform security into an innovative and collaborative engine for enhancing operational speed and stability
  • Anticipate and identify security failure before it turns into an incident, outage, or breach
  • Harness failure to continuously improve your security strategy
  • Learn your systems’ ability to handle security-relevant failures such as system exploitation and server failures
  • Apply a series of controlled experiments in engineering testing processes

The report is available for free in the O'Reilly Library. Stay tuned for information about the full Security Chaos Engineering book, slated to come out towards the beginning of 2023.