Security Controls for Safe Chaos Experimentation

2023-04-20

Authors: Uma Mukkara, Raj Babu Das


Summary

The presentation discusses the use of chaos engineering in DevOps and how Litmus can be used to implement it. It also covers common security questions and challenges that arise when implementing chaos engineering.
  • Chaos engineering can be used to test the resilience of systems and identify vulnerabilities
  • Litmus is a tool that can be used to implement chaos engineering in DevOps
  • Chaos experiments can be constructed using APIs and injected into pipelines using Chaos IPs
  • Chaos hubs can be used to share chaos experiments across teams
  • Common security questions and challenges include controlling access to chaos experiments, isolating namespaces for chaos engineering, and managing privileges through service accounts
  • Litmus 3.0 beta is focused on making chaos engineering easier for developers to use
  • Joining the Litmus community can provide opportunities for feedback and contributions
The presentation mentions that one of the security chaos experiments that can be conducted is to check if anyone has published a public S3 bucket in the organization. This anecdote illustrates the importance of identifying security vulnerabilities through chaos engineering.
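
The public-bucket check mentioned above can be expressed as an offline evaluation of a bucket's ACL, policy and public access block settings. This is an added example, not code from the talk or from Litmus; the function names and the sample bucket data are constructed, and treating any policy Condition as narrowing access is a simplifying assumption.

```python
# Added example: triage S3 bucket settings for public exposure, offline.
# Inputs mirror the S3 GetBucketAcl / GetBucketPolicy / GetPublicAccessBlock shapes.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Permissions granted to the AllUsers / AuthenticatedUsers groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS)

def public_policy_statements(policy):
    """Allow statements with a wildcard principal and no Condition.
    Assumption: any Condition narrows access, so such statements are skipped."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits

def assess_bucket(acl, policy, block):
    """Findings still effective given the PublicAccessBlockConfiguration dict."""
    findings = []
    if not block.get("IgnorePublicAcls"):        # True makes S3 ignore public ACLs
        findings += [f"acl:{p}" for p in public_acl_grants(acl)]
    if not block.get("RestrictPublicBuckets"):   # True restricts public-policy access
        findings += [f"policy:{s}" for s in public_policy_statements(policy)]
    return findings

# Constructed sample: a public READ grant plus one unconditional wildcard Allow.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicGet", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}}]}
ENFORCED_BLOCK = {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for block in ({}, ENFORCED_BLOCK):  # no block configured vs. block enforced
        print(assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, block))
```
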

Abstract

An increasingly popular discipline that has added newer personas to its practitioner base in recent times, chaos engineering comes with its own security challenges. The ability to inject faults to simulate real-world events necessitates privileged execution modes, often considered risky and against the best practices advocated by security specialists. However, there are multiple ways to mitigate this challenge and leverage the benefits of chaos testing, albeit with careful planning and appropriate configuration aids. This talk will cover security considerations in chaos engineering from different perspectives: user authentication, fault-blacklisting for platform resources (services as well as cloud infrastructure), runtime security for containers, integration with policy engines, secrets management, etc. During this session, the presenters will also introduce the audience to a host of new features and capabilities in the LitmusChaos 3.0 beta release.
