Security Chaos Engineering
Although we've had mostly new blips in this edition of the Radar, we think it's worth continuing to call out the usefulness of Security Chaos Engineering. We've moved it to Trial because the teams using this technique are confident that the security policies they have in place are robust enough to handle common security failure modes. Still, proceed with caution when using this technique—we don't want our teams to become desensitized to these issues.
We’ve previously talked about the technique of Chaos Engineering in the Radar and the Simian Army suite of tools from Netflix that we’ve used to run experiments to test the resilience of production infrastructure. Security Chaos Engineering broadens the scope of this technique to the realm of security. We deliberately introduce false positives into production networks and other infrastructure — build-time dependencies, for example — to check whether procedures in place are capable of identifying security failures under controlled conditions. Although useful, this technique should be used with care to avoid desensitizing teams to security problems.