Security incidents may have several origins. However, many times they are caused due to components that are supposed to be correctly configured or deployed. That is, traditional methods may not detect those security assumptions, and new alternatives need to be tried. Security Chaos Engineering (SCE) represents a new way to detect such failing components in order to protect assets under cyber risk scenarios. To demonstrate the application of SCE in security, this degree project presents, in the first place, an introduction to the fundamentals of Chaos Engineering (CE) as SCE inherits its principles and methodology. This is done to understand its application in engineering, a series of analyses of the proposed frameworks and tools for the implementation of CE is provided, and its functionality is tested with four experiments. In the second place, this degree project proposes ChaosXploit, a security chaos engineering framework based on attack trees, which leverages the CE methodology along with a knowledge database composed of attack trees to detect and exploit vulnerabilities in different targets as part of an offensive security exercise. Once the theoretical and conceptual components of SCE are detailed and the proposal for ChaosXploit is explained, a set of experiments are conducted to validate the feasibility of ChaosXploit to validate the security of cloud managed services, i.e. Amazon buckets, which may be prone to misconfigurations.
