Protection Poker James Walden Northern Kentucky University.

CSC 666: Secure Software Engineering

What is Protection Poker?
- A collaborative, informal risk analysis technique based on planning poker.
- Players evaluate each requirement for:
  - Ease of attack.
  - Impact of attack, measured by the value of the assets the requirement exposes.
- Risk = Ease * Impact, i.e. ease of attack multiplied by asset value.

Software Security Risk Assessment via Protection Poker

Players
1. Programmers
2. Testers
3. Customer representatives
4. Security team representative
5. Specialists (UI, DB, etc.)

Procedure
1. Calibrate the value of system assets.
2. Calibrate ease of attack for the requirements.
3. Compute security risk (value * ease) for each requirement.
4. Rank the requirements by security risk and discuss the ranking.

Calibrate Value of Assets
1. Examine the assets listed in Table 1.
2. Identify the least valuable asset in Table 1.
   - Discuss.
   - Assign it a value of 1 in Table 1.
3. Identify the most valuable asset in Table 1.
   - Use cards to reach consensus on how much more valuable it is than the least valuable asset.
   - Record the consensus value in Table 1.

Calibrate Ease of Attack
1. Identify the requirement that is easiest to attack.
   - Look for one that modifies data, allows reads of sensitive data, has weak authentication, etc.
   - Use cards to find a consensus value.
2. Identify the requirement that is hardest to attack.
   - Look for one that does not modify data or allow reads of sensitive data, has strong authentication, etc.
   - Use cards to find a consensus value.
3. Record the ease points in Table 3.

Compute Security Risk
For each requirement:
1. Identify the relevant assets.
2. If the assets already have values, document them with their values in Table 2.
3. If an asset has no value yet, use cards to reach a consensus value. Record the value in Tables 1 and 2.
4. Record the maximum asset value in Table 2 as the requirement's value.

Then, for each requirement:
1. Use cards to reach consensus on ease of attack. Record the value in Table 3.
2. Compute risk by multiplying value by ease. Record the risk in Table 3.

Security Risk Ranking
1. Rank the requirements by risk from 1 to 4.
2. Record each ranking in the security risk ranking column of Table 3.
3. If any ranking is a surprise, discuss it and iterate with the cards if necessary.
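The procedure above (calibrate asset values, calibrate ease, risk = value * ease, rank, look for surprises) carried through in code. This is an added example, not code from the slides or from the Protection Poker tutorial: the card deck, the "spread" rule used to decide whether a voting round reached consensus, and every asset, requirement and number in the tables are constructed for illustration.

```python
"""Protection Poker bookkeeping for Tables 1-3: asset values, requirement
values, ease of attack, risk = value * ease, and ranking.

Added example: the card deck, the spread rule, and all asset/requirement
data below are constructed for illustration, not taken from the slides or
from the Protection Poker tutorial.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed planning-poker style deck; the slides do not list the card values.
CARD_DECK = (1, 2, 3, 5, 8, 13, 20, 40, 100)


def consensus(votes: List[int], max_spread: int = 2) -> Tuple[bool, int]:
    """One round of card voting.

    Returns (agreed, value). This example treats the round as agreed when
    every card is within `max_spread` deck positions of every other card
    (assumed rule); the value is the card at the middle position, so one
    outlier cannot drag the estimate. When not agreed, the outliers explain
    their reasoning and the round is replayed.
    """
    for v in votes:
        if v not in CARD_DECK:
            raise ValueError(f"{v} is not a card in the deck")
    positions = sorted(CARD_DECK.index(v) for v in votes)
    agreed = positions[-1] - positions[0] <= max_spread
    return agreed, CARD_DECK[positions[len(positions) // 2]]


@dataclass
class Requirement:
    name: str
    assets: List[str]   # Table 2: assets the requirement reads or modifies
    ease: int           # Table 3: ease-of-attack points agreed with cards


# Table 1 (constructed). The least valuable asset is fixed at 1 during calibration.
ASSET_VALUES: Dict[str, int] = {
    "public product catalog": 1,
    "session tokens": 20,
    "customer PII": 40,
    "payment card numbers": 100,
}

# Inputs to Tables 2 and 3 (constructed).
REQUIREMENTS: List[Requirement] = [
    Requirement("R1 browse catalog", ["public product catalog"], ease=3),
    Requirement("R2 update shipping address", ["customer PII", "session tokens"], ease=8),
    Requirement("R3 store card for later", ["payment card numbers", "customer PII"], ease=5),
    Requirement("R4 export order history as CSV", ["customer PII"], ease=13),
]


def requirement_value(req: Requirement, asset_values: Dict[str, int]) -> int:
    """Table 2: a requirement's value is the max value of the assets it exposes."""
    missing = [a for a in req.assets if a not in asset_values]
    if missing:
        # Step 3 of Compute Security Risk: these assets need a card round first.
        raise KeyError(f"assets without a Table 1 value: {missing}")
    return max(asset_values[a] for a in req.assets)


def compute_risk(reqs: List[Requirement], asset_values: Dict[str, int]) -> Dict[str, int]:
    """Table 3: risk = value * ease for every requirement."""
    return {r.name: requirement_value(r, asset_values) * r.ease for r in reqs}


def rank(risks: Dict[str, int]) -> Dict[str, int]:
    """Table 3 ranking: 1 = highest risk; equal risks share a rank."""
    ordered = sorted(risks.values(), reverse=True)
    return {name: ordered.index(risk) + 1 for name, risk in risks.items()}


if __name__ == "__main__":
    risks = compute_risk(REQUIREMENTS, ASSET_VALUES)
    ranks = rank(risks)
    for req in sorted(REQUIREMENTS, key=lambda r: ranks[r.name]):
        print(f"{ranks[req.name]}. {req.name}: value={requirement_value(req, ASSET_VALUES)} "
              f"ease={req.ease} risk={risks[req.name]}")
```

With these constructed numbers the CSV export (R4) ranks above storing card numbers (R3) even though it touches a less valuable asset, because its ease points are high. That is exactly the kind of surprise the ranking step tells the players to stop and discuss: either the ease estimate for the export is wrong, or an unassuming reporting feature really is the most exposed path to customer PII.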

Why does it work?
1. It brings together multiple expert opinions with different perspectives on the project.
2. The ratings focus attention on attack resistance analysis.
3. The discussions enable ambiguity analysis.

References
1. Laurie Williams, Michael Gegick and Andy Meneely. Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer. Engineering Secure Software and Systems (ESSoS), 2009.
2. Laurie Williams. Protection Poker Tutorial. ecurity/ProtectionPoker/