Let’s Play Poker: Effort and Software Security Risk Estimation in Software Engineering Laurie Williams 1 Picture from

Slides:



Advertisements
Similar presentations
A GUIDE TO CREATING QUALITY ONLINE LEARNING DOING DISTANCE EDUCATION WELL.
Advertisements

A technique for agile estimation Francy Rodríguez Javier Diez.
Reduce Security Risk in Your Development
The Road Not Often Taken … Alternate career paths for senior technical communicators George F. Hayhoe Tri-Doc 2005 Conference 8 April 2005.
Ranking of security controlling strategies driven by quantitative threat analysis. Tavolo 2: "Big data security evaluation" UNIFI-CNR Nicola Nostro, Andrea.
Individual Motivation Creating awareness that facilitates leading and managing people R. J. Monson, PhD.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Producer Risk Assessment in Plant Biosecurity Management.
 DB&A, Knowledge Management Within and Across Projects June 15, 2012 INNOVATION for a better world.
1 By the name of the god Risk management Dr. Lo ’ ai Tawalbeh DONE BY: AMNA ISMAIL RASHAN.
MM463 – Major Project. What we’ll cover  Brainstorming  SWOT analysis  Good/better/best scenarios.
The Role of Software Engineering Brief overview of relationship of SE to managing DSD risks 1.
By: Ashwin Vignesh Madhu
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
UbD backwards Mapping Resources. What is Curriculum Development? Curriculum development is the allocation of time and resources to making a plan for teaching.
Engineering Secure Software. Why do we study risk?  Many outcomes are possible, not all are probable  Enumeration  Prioritization  Discussion.
1 Agile Estimating and Planning October, 2013 Technion, Israel Prof. Fabio Kon University of Sao Paulo, Brazil
Agile Estimating & Planning Kane Mar Certified Scrum Coach and Trainer.
1 Security Risk Management Liping Cai 02/01/2006.
Project Risk and Cost Management. IS the future certain? The future is uncertain, but it is certain that there are two questions will be asked about our.
Discussing “Risk Analysis in Software Design” 1 FEB Joe Combs.
WMD & Emergency Planning Steps Session 12. Emergency Planning Steps Vulnerability Assessment Mitigation Efforts Emergency Response Planning Recovery.
1 Oppliger: Ch. 15 Risk Management. 2 Outline Introduction Formal risk analysis Alternative risk analysis approaches/technologies –Security scanning –Intrusion.
Security Risk Management
Risk Analysis in Software Design Author: Verdon, D. and McGraw, G. Presenter: Chris Hundersmarck.
Lecture 32 Risk Management (Cont’d)
Unit Portfolio Presentation Linda Hill & Jonna Wallis
Introduction to Risk Analysis in Healthcare Farrokh Alemi Ph.D. Professor of Health Administration and Policy College of Health and Human Services, George.
1 Chapter 5 Project management. 2 Project management : Is Organizing, planning and scheduling software projects.
Proposed Supply Chain Risk Management Process Flow Supply Chain Risk Leadership Council 20 April 2009 DRAFT.
Lesson 7-Managing Risk. Overview Defining risk. Identifying the risk to an organization. Measuring risk.
©Ian Sommerville 2000 Slide 1 Project management l Organising, planning and scheduling software projects l Objectives To introduce software project management.
CSCE 522 Secure Software Development Best Practices.
Dogs. Shiba Inu Shiba Inu dog Golden Retriever.
Security Administration. Links to Text Chapter 8 Parts of Chapter 5 Parts of Chapter 1.
Facilitating Collaborative Decision Making Anne Wright.
CSCE 201 Secure Software Development Best Practices.
Protection Poker James Walden Northern Kentucky University.
Recall The Team Skills 1. Analyzing the Problem (with 5 steps) 2. Understanding User and Stakeholder Needs 3. Defining the System A Use Case Primer Organizing.
University of Sunderland CIFM02 Unit 5 COMM02 Project Hazard Management and Contingency Planning Unit 5.
Session 1.31 RISK BASED AUDITING AN OVERVIEW BY R T I JAIPUR.
Information Security Governance and Risk Chapter 2 Part 2 Pages 69 to 100.
New ELICIT Software Platform Capabilities and Campaign 13 th ICCRTS, I-079, June 2008 Mary Ruddy Mark Nissen
Assessing Current Network Concerns Lesson 5. The Assessment Two important elements you will need to determine in order to produce a valuable assessment.
By Ramesh Mannava.  Overview  Introduction  10 secure software engineering topics  Agile development with security development activities  Conclusion.
CSE Senior Design II Scrum Review/Discussion Instructor: Mike O’Dell.
INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.
ON “SOFTWARE ENGINEERING” SUBJECT TOPIC “RISK ANALYSIS AND MANAGEMENT” MASTER OF COMPUTER APPLICATION (5th Semester) Presented by: ANOOP GANGWAR SRMSCET,
By: Mark Reed.  Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Project management. Software project management ■It is the discipline of planning, organizing and managing resources to bring about the successful completion.
Informed Traveler Program and Applications Agile / Scrum Overview Jerry Inberg.
Planning 2: Estimation Mechanics Emerson Murphy-Hill Creative Commons Attribution 4.0 License. Material Produced by NCSU Software Engineering Faculty.
Risk Assessment: A Practical Guide to Assessing Operational Risk
Dr. Gerry Firmansyah CID Business Continuity and Disaster Recovery Planning for IT (W-XIV)
Managing Project Risk – A simplified approach Presented by : Damian Leonard.
Risk management «Once we know our weaknesses, they cease to do us any harm.» G.C. Lichtenberg.
CSCE 548 Secure Software Development Risk-Based Security Testing
Socializing Attack/Defense Trees to Prevent Misuse
Introduction to Entrepreneurship, Project Management and Teaching
OSG Computer Security Plans
Engineering Secure Software
Risk Assessment = Risky Business
TERRORIST PROTECTION PLANNING USING A RELATIVE RISK REDUCTION APPROACH
Security Risk Assessment
Information security planning
Security Risk Assessment
Information Security Risks; All-in-One Terminology
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
ONAP Risk Assessment – Preparation Material - Overview of the Process - Terminology - Assumptions
Presentation transcript:

Let’s Play Poker: Effort and Software Security Risk Estimation in Software Engineering Laurie Williams 1 Picture from

Another vote for… “Everything should be made as simple as possible, but not simpler.” --Albert Einstein G/ ~Albert-Einstein-Posters.jpg

Estimation Pictures from and game.jpg How many engineers? How long? What is the security risk? Planning Poker Protection Poker

Effort Estimation: Planning Poker Pictures from How many engineers? How long?

Historical Effort Estimation 5 Pictures from and eel_1.png and and Gut feel often based on: Disaggregation Analogy Expert opinion

Coming up with the plan 6 Desired Feature s 30 story points 6 iterations 5 story points/ iteration June 10

Estimating “dog points” Estimate each of the dogs below in dog points, assigning each dog a minimum of 1 dog point and a maximum of 10 dog points A dog point represents the height of a dog at the shoulder –Labrador retriever –Terrier –Great Dane –Poodle –Dachshund –German shepherd –St. Bernard –Bulldog 7

What if? Estimate each of the dogs below in dog points, assigning each dog a minimum of 1 dog point and a maximum of 100 dog points A dog point represents the height of a dog at the shoulder –Labrador retriever –Terrier –Great Dane –Poodle –Dachshund –German shepherd –St. Bernard –Bulldog 8 More or less accurate? Harder or easier? More or less time consuming?

Estimating story points Estimate stories relative to each other –Twice as big –Half as big –Almost but not quite as big –A little bit bigger Only values: –0, 1, 2, 3, 5, 8, 13, 20, 40, Near term iteration “stories” A few iterations away “epic”

Vote based on: Disaggregation Analogy Expert opinion Diversity of opinion is essential!

Not working as fast as planned? 11 Desired Features 30 story points 6 iterations 5 story points iteration June 10 3 story points iteration 10 iterations July 8

(Subjective) Results of Planning Poker Explicit result (<20%): –Effort Estimate Side effects/implicit results (80%+): –Greater understanding of requirement –Expectation setting –Implementation hints –High level design/architecture discussion –Ownership of estimate

Security Risk Estimation: Protection Poker and What is the security risk?

Software Security Risk Assessment via Protection Poker

Computing Security Risk Exposure Traditional Risk Exposure probability of occurrence Ximpact of loss NIST Security Risk Exposure likelihood of threat- source exercising vulnerability Ximpact of adverse event on organization difficulty enumeration of adversary types motivation of adversaries Proposed Security Risk Exposure ease of attackXvalue of asset -To organization -To adversary Value pointsEase points

Protection Poker Overview Calibrate value of “assets” Calibrate ease of attack for requirements Compute security risk (value, ease) of each requirement Security risk ranking and discussion “Diversity of ideas is healthy, and it lends a creativity and drive to the security field that we must take advantage of.” -- Gary McGraw Picture from:

Informal discussions of: Threat models Misuse cases Diversity of devious, attacker thinking is essential!

Memory Jogger

Sum of asset value (e.g. one 20 and one 40) Security Risk Assessment Requirement Ease PointsValue PointsSecurity RiskRanking Req Req Req Req Req Req Req

Academic Trial 50 students in undergraduate software engineering course 1. Security cannot be obtained through obscurity alone. 2. Never trust your input. 3. Know your system. 4. Know common exploits. 5. Know how to test for vulnerabilities.

Industrial Trial Active participation by all on-site team members Requirements revised for added security fortification Cross site scripting vulnerability found on the spot Expressed need for education on cross site scripting Expressed need for governance to prioritize security fortification Increase awareness of necessary security testing

(Subjective) Results of Protection Poker Explicit result (<20%): –Relative security risk assessment Side effects/implicit results (80%+): –Greater awareness understanding of security implications of requirement Collaborative threat modeling Collaborative misuse case development –Requirements changed to reduce risk –Allocation of time to build security into new functionality “delivered” at end of iteration (appropriate to relative risk) –Knowledge sharing and transfer of security information

celebrities jpg

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.