Risk
8/1/2012
01:16 PM
50%
50%

Netflix Wants You To Adopt Chaos Monkey

Netflix has made its own automated disaster testing service, Chaos Monkey, available as a free public download. Should you turn it loose on your own systems?

Netflix is a high-profile consumer service. When things go wrong, people tend to notice. So it might seem strange that the company tries to make things go wrong with its service on a regular basis.

That's indeed the goal of "Chaos Monkey," the automated software Netflix developed to test its infrastructure's mettle. In layman's terms, Chaos Money tries to break stuff. The theory behind this is to build a stronger platform and avoid the types of major, unexpected problems that tend to make IT's phones ring at 2 a.m. (Netflix configures the tool to run only during normal business hours; that way IT staff handle any related issues during the day instead of on nights and weekends.)

Now everyone can embrace the chaos: Netflix just made the source code publicly available as a free download. You'll first need to ask yourself if you've got the guts for it. Or, as Netflix put it in a blog post: "Do you think your applications can handle a troop of mischievous monkeys loose in your infrastructure?"

[ Security researcher Dan Kaminsky wants to address security by changing the fundamental way code is written. Read more at Tired Of Security Problems? Change Rules Of Writing Code. ]

If you're picturing the band of winged monkeys from "The Wizard of Oz" running amok, you're not far off--they've just been reengineered for the cloud. Chaos Monkey deliberately shut downs virtual machines (VMs) within Amazon's Auto-Scaling Groups (ASGs). (Though the software was written with Amazon Web Services in mind, Netflix said Chaos Monkey is flexible enough to work with other cloud platforms.)

By causing intentional failures on individual instances--Netflix generated more than 65,000 failures in the last year, according to the company--you can learn from those errors and their resolutions. Basic example: Is your application hardy enough to weather a failed VM, or could that single instance bring the curtains down on the whole show?

That type of no-holds-barred testing can help unearth and resolve unknown issues before they become major outages. Better yet, it can lead to stronger applications as they're being built, rather than trying to retrofit them after the fact. "By having that constant idea that something's going to break, [Netflix has] within their dev ops and engineering departments the mindset that they have to make sure that no single point can take down the entire site," said Jim MacLeod, product manager at the networking firm WildPackets, in an interview.

In Netflix's case, it makes sense to try to rise to Chaos Monkey's challenge--their bottom line depends upon their site running smoothly. "If you look at Netflix's business model, what really differentiates them isn't just streaming media--it's the fact there's something immediate and easy for users to get to, but that means they have to be fairly reliable," MacLeod said. "Reliability and uptime are things that are difficult to put in afterwards if you don't design it in, just like security."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Embedded SW Dev
50%
50%
Embedded SW Dev,
User Rank: Apprentice
8/2/2012 | 5:44:30 PM
re: Netflix Wants You To Adopt Chaos Monkey
Apparently someone let the Chaos Monkey loose. Today's Infoweek daily's link to this story lead to a story about the errant stock trading on Wednesday. Was that a hint that Knight Capital was testing the Chaos Monkey, or did the Chaos Monkey infect the mailing?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-2086
Published: 2015-02-26
Cross-site scripting (XSS) vulnerability in the live preview in the Panopoly Magic module before 7.x-1.17 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a pane title.

CVE-2015-2087
Published: 2015-02-26
Unrestricted file upload vulnerability in the Avatar Uploader module before 6.x-1.3 for Drupal allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via unspecified vectors.

CVE-2015-2088
Published: 2015-02-26
Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Term Queue module before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

CVE-2015-2089
Published: 2015-02-26
Multiple cross-site request forgery (CSRF) vulnerabilities in the CrossSlide jQuery (crossslide-jquery-plugin-for-wordpress) plugin 2.0.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or conduct cross-site scripting (...

CVE-2015-2090
Published: 2015-02-26
SQL injection vulnerability in the ajax_survey function in settings.php in the WordPress Survey and Poll plugin 1.1.7 for Wordpress allows remote attackers to execute arbitrary SQL commands via the survey_id parameter in an ajax_survey action to wp-admin/admin-ajax.php.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.