Ringkasan & Hubungan ke Vault

Security Chaos Engineering = sengaja inject failure untuk menguji resilience sistem keamanan. Berbeda dari pentest yang fokus exploit, chaos engineering fokus: “when something breaks, does our security hold?” Melengkapi purple-team-osi-killchain dengan dimensi resilience testing.

Domain: DevOps / Security Engineering Tags: chaos-engineering resilience antifragile security-testing sre

1. Principles

1.1 Steady State Hypothesis

# Define: "what does normal look like?"
STEADY_STATE = {
    "auth_success_rate": 0.99,
    "error_5xx_rate": 0.001,
    "p99_latency_ms": 200,
    "cpu_usage_pct": 0.7,
}
 
def run_experiment():
    inject_failure("block_auth_service_30s")
    measure("auth_success_rate")  # Should return to 0.99 within 30s
    measure("error_5xx_rate")     # Should not exceed 0.01
    measure("p99_latency_ms")     # Should return to baseline

1.2 Security Chaos Experiments

ExperimentInjectionExpected Behavior
WAF FailureDisable WAFBackend auth should block attacks
Cert ExpiryExpire TLS certProper error, no fallback to HTTP
Log DropStop log shippingAlert, buffer, no crash
Auth DownKill auth serviceCached auth, graceful degradation
DNS FailBlock DNSCached resolution, no data leak
Rate Limit OffRemove rate limiterDDoS: backend should still defend

📚 Referensi

  1. “Chaos Engineering” — Rosenthal, Jones
  2. Principles of Chaos: https://principlesofchaos.org/
  3. Security Chaos Engineering: https://securitychaos.com/