An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person—known as the assessment object) meets specific security objectives. Three types of assessment methods can be used to accomplish this—testing, examination, and interviewing.
– Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors.
– Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence.
– Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence.
Assessment results are used to support the determination of security control effectiveness over time.
Source: NIST SP 800-115
Security Chaos Engineering
According to TechHQ, Ali Basiri, Netflix’s Senior Software Development Lead, is a central founder of the Chaos Engineering methodology. Aaron Rinehart, an O’Reilly author, defines Security Chaos Engineering in Security Chaos Engineering: A new paradigm for cybersecurity as follows:
Security Chaos Engineering is the discipline of instrumentation, identification, and remediation of failure within security controls through proactive experimentation to build confidence in the system’s ability to defend against malicious conditions in production.
A chaos experiment is one form of disruptive testing (one of the typical security assessment methods) used to determine security control effectiveness over time. An experiment against production systems deliberately produces chaos (complex and unknown situations); still, it is managed through the scientific method to evaluate the current state and to explore and handle the risk of unknown unknowns.
(Security) Chaos Experiments are foundationally rooted in the scientific method, in that they seek not to validate what is already known to be true or already known to be false; rather, they are focused on deriving new insights about the current state.
Put simply, chaos engineering comprises causing deliberate faults to distributed software systems in production to test resilience in the face of turbulent or unexpected conditions. On outing this concept to the coding community, Netflix reports it was met with both “incredulity and skepticism”.
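To make the scientific-method structure concrete, here is an added example (not code from the original post, and not Netflix's or Rinehart's tooling) of a security chaos experiment harness in Python. Every component is a constructed in-memory stand-in: `SecurityGroup` plays the role of a cloud firewall rule set and `DriftDetector` the role of a configuration-drift detector; neither talks to a real API. The experiment records the steady state, states a falsifiable hypothesis about a control, injects exactly one fault, observes, and rolls back unconditionally. The second run, with the detector silently disabled, shows how an experiment surfaces an unknown unknown without waiting for a real incident.

```python
"""A simulated security chaos experiment, structured as the scientific
method: record steady state, state a falsifiable hypothesis about a
security control, inject one fault, observe, and roll back no matter what.
Added example; every class here is a constructed in-memory stand-in, not a
real cloud API or detection product.
"""
from dataclasses import dataclass, field


@dataclass
class SecurityGroup:
    """Constructed stand-in for a cloud firewall rule set."""
    name: str
    inbound: set = field(default_factory=set)  # {(cidr, port), ...}


@dataclass
class DriftDetector:
    """Constructed stand-in for a config-drift detector that emits alerts."""
    enabled: bool = True
    alerts: list = field(default_factory=list)

    def scan(self, sg: SecurityGroup) -> None:
        # Policy under test: anything world-open other than HTTPS is a finding.
        if not self.enabled:
            return
        for cidr, port in sorted(sg.inbound):
            if cidr == "0.0.0.0/0" and port != 443:
                self.alerts.append(f"{sg.name}: {cidr} may reach port {port}")


@dataclass
class ExperimentResult:
    hypothesis: str
    steady_state_ok: bool   # baseline was clean before injection
    hypothesis_held: bool   # the control behaved as hypothesised
    rolled_back: bool       # system restored to baseline afterwards
    observations: list


def run_world_open_rule_experiment(sg: SecurityGroup, detector: DriftDetector,
                                   port: int = 22) -> ExperimentResult:
    """Inject an over-permissive inbound rule and test whether detection fires."""
    hypothesis = (f"Adding 0.0.0.0/0:{port} to {sg.name} raises a drift alert "
                  "within one scan cycle")
    baseline = set(sg.inbound)
    observations = []

    # 1. Steady state: the detector sees nothing wrong before we touch anything.
    detector.scan(sg)
    steady_state_ok = not detector.alerts
    observations.append(f"steady-state alerts: {len(detector.alerts)}")
    if not steady_state_ok:
        # Refuse to experiment on an already-degraded system.
        return ExperimentResult(hypothesis, False, False, True, observations)

    fault = ("0.0.0.0/0", port)
    try:
        # 2. Inject exactly one fault.
        sg.inbound.add(fault)
        observations.append(f"injected inbound rule {fault}")
        # 3. Observe: did the control react?
        detector.scan(sg)
        hypothesis_held = any(f"port {port}" in a for a in detector.alerts)
        observations.append(f"alerts after injection: {detector.alerts}")
    finally:
        # 4. Roll back unconditionally, even if observation raised.
        sg.inbound.discard(fault)
    rolled_back = sg.inbound == baseline
    observations.append(f"rolled back: {rolled_back}")
    return ExperimentResult(hypothesis, steady_state_ok, hypothesis_held,
                            rolled_back, observations)


def demo():
    """Run the same experiment against a healthy and a silently broken control."""
    baseline = {("0.0.0.0/0", 443), ("10.0.0.0/8", 22)}
    # Run A: the detector is healthy; the hypothesis should hold.
    healthy = run_world_open_rule_experiment(
        SecurityGroup("web-sg", set(baseline)), DriftDetector(enabled=True))
    # Run B: the detector is silently disabled; the experiment falsifies the
    # hypothesis and surfaces an "unknown unknown" without any real incident.
    silent = run_world_open_rule_experiment(
        SecurityGroup("web-sg", set(baseline)), DriftDetector(enabled=False))
    return healthy, silent


if __name__ == "__main__":
    for r in demo():
        print(r.hypothesis, "->", "HELD" if r.hypothesis_held else "FALSIFIED")
        for line in r.observations:
            print("  ", line)
```

The design point is the `try`/`finally`: the injected fault is removed whether or not the observation step succeeds, and the result records whether the rule set actually matches the baseline afterwards, which is the "managed" part of running such an experiment against production. The steady-state check refuses to inject when the system is already alerting, so a falsified hypothesis can be attributed to the control under test rather than to pre-existing drift.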
Continuous and Holistic View of Security
Security is a collection of ongoing activities and resources that support business continuity or the continuous delivery of products and services and protect information assets (including but not limited to data, computer systems, operating systems, application software, networks, data centers, people, and business processes) across an asset's life cycle.
Security Chaos Engineering gives security practitioners a proactive, disruptive perspective on continuous testing of software systems, similar to full-interruption testing of a limited scope within a business continuity program. It is a bold initiative that needs good justification of costs and benefits and requires thoughtful planning and implementation.
- How Netflix pioneered Chaos Engineering
- Security Chaos Engineering: A new paradigm for cybersecurity
- Securing chaos: How Security Chaos Engineering tools can improve design and response
- Security and chaos engineering
- Some Thoughts on CISSP
- On Complexity (Cynefin Framework & Stacey Matrix): Why Your Software Project Needs Scrum