We are super excited to announce our first Open Source project with SecOps-Chaos 🎉 secops-chaos is a Chaos Engineering tool focused on uncovering runtime security gaps that are making your environment dangerously insecure right now.
Over the years, chaos engineering has become an essential part of preventing unnecessary outages for DevOps teams, but SecOps teams haven’t had experiments specifically designed to uncover security gaps and prevent data breaches. We have designed SecOps-Chaos specifically to help you discover common security gaps [based on OWASP AND MITRE] by experimentation in Kubernetes and Cloud Native stacks, and today we are opening it up to the world!
From the years of performance and availability testing in the DevOps world, we now have a better understanding of performance and availability failures look like for modern apps. But what do security failures look like? Is it an unpatched CVE in a source code library or a container OS package? Is it an expired access token not properly checked at the API authorization layer? Is it a privileged container lurking in a Kubernetes cluster having access to underlying host resources? Well - it is all of these examples, not isolated, but connected and compounded by the hundreds and thousands of components that define today’s modern apps across multiple layers, i.e., across APIs, services, containers, identities, and data flows. Most testing barely scratches the surface on how all these different layers behave in the event of security failures.
Today’s security testing and scanning approaches have hit a wall and it’s time to break through!
Most companies are not set up to have an army of pen testers and red teams in-house. This means that business critical requirements are now getting outsourced and while security consultants are great at their art, they are often limited by the time and exposure they have to the complex architecture that powers modern apps. Especially when these apps are changing constantly, keeping up with new gap scenarios is unsustainable. And inherently, this entire approach results in reactive firefighting on specific issues identified by an external party.
Modern security teams usually know about unpatched vulnerabilities in their internal code and containers using scanners, but miss out on the valuable runtime context of whether they are actually exploitable. This leaves security teams with just a long list of CVEs to be patched with no measurable way of prioritizing them or assessing what is the improvement to their overall attack surface by patching them.
Most security teams are drowning in the noise of 1000s alerts and notifications from the static scans, CVE reports, pen testing reports, you know how it is!
We strongly believe that adopting chaos engineering practices internally across Dev, Sec, and Ops teams becomes a game changer in reducing this noise as teams shift towards proactively securing cloud native apps. Security teams can now take a more structured approach towards building up the threat models for their overall cloud native stack followed by actively trying to apply the model using chaos experiments. Frameworks like MITRE for Kubernetes and OWASP Top 10 Risks for APIs provide a great starting point!
SecOps-Chaos lets you create and configure security experiments as code to run against Kubernetes clusters and applications. Dev, Sec, and Ops teams can create experiments (as code!) to actively apply the threat model vectors. Just as an example, one could try to actively deploy a privileged container in their Kubernetes cluster and conduct various privilege escalation experiments like mounting the host’s /proc filesystem volume within the container, followed by adding capabilities to the container that could allow an attacker to kill host processes or run new malicious ones.
As DevSecOps teams learn what vulnerabilities are detected and how they fit in the overall threat frameworks, they can take necessary actions needed to have the right protections in place that shield the cluster from such attacks.
Having a security experiments library internal to an organization has several benefits. It helps teams continuously add and adapt behaviors specific to their threat models as they change with the pace of application development. It helps teams measure how their alerting systems as well as defenses are performing in the face of constant change, vs having to rely on external vendors to provide infrequent insights into security issues. And finally, it supports the DevSecOps culture of incorporating security as an active pillar across the software lifecycle, where evolving threat behaviors in production environments could be applied within development and staging environments via experiments to test applications, encouraging teams to apply the right protections from the beginning and be secure by default.
In the world of security, attacks are often painted as the more exhilarating piece of the cat and mouse game vs defenses. Be it the clever heists from movies like Ocean’s 11 or the more real-world series of thefts from the British Museum, there is a certain thrill to demystifying how the attack itself was carried out. While we enjoy a good mystery hunt, we think that attack techniques should be more open and accessible, going beyond mere documented frameworks and best practices.
By launching a new open-source security-focused experiment library as code (an experiment in itself!), we would like the security community to engage, actively participate in the thrill of breaking their own locks before attackers do, and share those tricks with everyone!
We have based our experiments on the MITRE and OWASP attack frameworks. Over time, we plan to add more experiments covering all of the attack categories within these frameworks and we invite you to join us! Red, blue, purple, or any team colors you align with, we’d love to hear from you and welcome you on our mission to secure the modern world!
Checkout SecOps-Chaos, star it ⭐, run experiments, and contribute to making security more open!