Security Chaos Engineering
Sustaining Resilience in Software and Systems
Kelly Shortridge and Aaron Rinehart on treating security as a property of complex adaptive systems: instead of preventing failure, you continuously simulate it, and design the organization to learn from each result.
- Authors: Kelly Shortridge, Aaron Rinehart
- Published: 2023
- Publisher: O'Reilly Media
- Pages: 423
- Language: English
Read this if
Security architects, SREs, and platform engineers ready to abandon the prevention-first frame. Particularly strong for organizations that already practice chaos engineering for reliability and want to extend the discipline to security; the book is the bridge.
Skip this if
Practitioners working in heavily regulated environments where intentional production faults are not legal, or smaller organizations without the operational maturity to run game days safely. Also a poor first security book: it assumes you know what threat models, blast radius, and feedback loops are.
Key takeaways
- Security and reliability share the same root engineering problem: how to keep complex systems within tolerable bounds when the failure surface is unbounded.
- Decision trees and effort-vs-impact analysis are operationalizable artifacts, not just blog material; the book teaches you to actually use them.
- Continuous experimentation is more honest than tabletop exercises: production tells you what is true, runbooks tell you what someone wished were true.
Notes
Pair with Building Secure and Reliable Systems (Adkins et al.) for the Google take on the same problem and with Site Reliability Engineering for the chaos-engineering ancestry. Shortridge's writing at kellyshortridge.com and her D.I.E. (Distributed, Immutable, Ephemeral) talks are the ongoing companion. Aaron Rinehart's earlier work at UnitedHealth Group is the operational origin story for the discipline.
What to read before
Advanced · 2020
Building Secure and Reliable Systems
Google's site-reliability and security teams jointly write down what it actually takes to build systems that are both safe and dependable, from threat models and design reviews to rollback culture and crisis response.
Advanced · 2020
Security Engineering
Ross Anderson's comprehensive textbook on the design of secure systems, covering protocols, access control, side channels, economics of security, and policy.
Intermediate · 2021
Designing Secure Software
Loren Kohnfelder, the original PKI author, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.
What to read next
Advanced · 2020
Building Secure and Reliable Systems
Google's site-reliability and security teams jointly write down what it actually takes to build systems that are both safe and dependable, from threat models and design reviews to rollback culture and crisis response.
Advanced · 2020
Security Engineering
Ross Anderson's comprehensive textbook on the design of secure systems, covering protocols, access control, side channels, economics of security, and policy.
Advanced · 2024
Evasive Malware
Kyle Cucci on the anti-analysis arms race: sandbox detection, anti-debug, anti-VM, packing, and the analyst-side tooling and tradecraft that get past those layers.
Explore similar books
Advanced · 2020
Building Secure and Reliable Systems
Google's site-reliability and security teams jointly write down what it actually takes to build systems that are both safe and dependable, from threat models and design reviews to rollback culture and crisis response.
Advanced · 2020
Security Engineering
Ross Anderson's comprehensive textbook on the design of secure systems, covering protocols, access control, side channels, economics of security, and policy.
Advanced · 2024
Evasive Malware
Kyle Cucci on the anti-analysis arms race: sandbox detection, anti-debug, anti-VM, packing, and the analyst-side tooling and tradecraft that get past those layers.