An overview of Security #chaosengineering, as explained with potty training analogies.

(Can you tell what my world has consisted of lately?)

A thread.

1/

#chaosengineering is about injecting turbulent conditions into a system to see how it responds.

Analogy: Pump your kid full of fluids and begin the potty training.

2

The goal of Security #chaosengineering is to proactively test your security posture before an adversary does it for you.

Analogy: You potty train kids before they go to preschool, where it’s required.

3/

With Security #chaosengineering, you *instrument* chaos; you don’t act chaotically.

Analogy: You don’t let your kid drink a large apple juice and then sit on your brand new couch.

4/

With Security #chaosengineering, you learn through failure, and that failure drives meaningful change.

Analogy: Sometimes your kid has to pee their pants to know they don’t like that feeling, and only then will they WANT to use the potty.

5/

It’s through #chaosengineering experimentation where you can tease out false assumptions.

Analogy: TIL my kid thought I could squeeze his belly to get the pee out for him. Turns out, that’s not true.

6/

But Jamie, don’t you say you shouldn’t execute an experiment you know you’ll fail – because there’s nothing to be learned?

Analogy: Technically, my kid didn’t know that last one, so we tried it.

Ok, maybe I concede a bit.

7/

Great use cases for Security Chaos Engineering include security control validation and incident response.

Analogy: Are your mini potties *actually* accessible? Does your kid *actually* use them?

8/

Once you’ve implemented SCE, executing your experiments on a continuous basis will give you confidence in your security posture.

Analogy: The potty training doesn’t stop after 1 intensive week. You need to keep supporting them so they use the potty forever.

9/

You're welcome!