Dev Teams need a Chaos Monkey for Application Security

With the semi-recent security breach on LinkedIn of emails and passwords I was pleasantly surprised to find when I logged into LinkedIn today that I was blocked and forced to confirm my identity, that I had just signed in "from an unfamiliar location (Rwanda)".

I had actually logged in from Rwanda (so they got it right) and this is the level of security I should expect from a publicly traded social network, but I was surprised nonetheless.


Surely there was meeting among LinkedIn PM's and engineers to decide to implement this security feature but not one that might have prevented the email/password leak in June 2012. It reminded me of the constant trade-offs faced when working on a software project, especially when it comes to security. Often times, making sure that your application is 100% secure falls way below making sure that your application is actually running, or that your flagship customer gets the features they want, or that your backups are working correctly, or that you patched the latest updates on your Amazon instances. Sometimes you just can't prepare for attacks because people are always looking for a backdoor or ways to get around it.

Security is a hard thing, especially with limited resources, and unless you are storing tons of personal information or handling sensitive credit card information I can't think of one startup team, founder or investor who would recommend you hire a person to focus on security before they would hire another full-stack contributor (although if they know a little bit about security that is definitely a plus.)

As more personal information moves online, it is becoming ever more important. Just as DevOps teams are now using Chaos Monkeys to expose holes in their cloud infrastructure there needs to be the implementation of some sort of security Chaos Monkey as well that tries to fuzz passwords, do SQL injections, exploit XSS vulnerabilities and check every other thing that could go wrong.

If every team had a Chaos Monkey for Security, the world *might* be a safer place.

Of course the developer community would need to give it a name, maybe based on those really smart crows all over YouTube. Maybe call it the Security Crow?

We already know we can't trust them.


From Hitchcock's "The Birds"

Comments !


Started writing one year ago, the day after heading out to travel around the world for a year without a cause.
Current Location: New York, New York

Mexico City, Mexico
Tokyo, Japan
Hanoi, Vietnam
Vientiane, Laos
Phuket, Thailand
Kathmandu, Nepal
Rajastan, India
Kerala, India
Mumbai, India
Freetown, Sierra Leone
Koidu, Sierra Leone
Mombasa, Kenya
Nairobi, Kenya
Kigali, Rwanda
Rwinkwavu, Rwanda
Boston, MA

Latest Posts

Port Forward an old Airport Express

If Developers Took Steroids

We Need Elon Musk

Crossword Scraper

Git Conflicts in your Binary Files

Japanese Sidewalk Interfaces

Introducing Kickbacker

Real Life: Google Glass Done Wrong

Tux Trashcans

How Angry are your Developers?

A 500 Startups Model for the Art World

Unsubscribe from Black Friday/Cyber Monday

Copyrighting Art into Obscurity

Crack WiFi Passwords with aircrack

Using Sandy as an Excuse to Email Spam Customers