Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protection Poker James Walden Northern Kentucky University.

Published byChristian Summers Modified over 9 years ago

Similar presentations

Presentation on theme: "Protection Poker James Walden Northern Kentucky University."— Presentation transcript:

1 Protection Poker James Walden Northern Kentucky University

2 CSC 666: Secure Software Engineering What is Protection Poker?  Collaborative, informal risk analysis technique based on planning poker.  Evaluate requirements  Ease of attack.  Impact of attack.  Risk = Ease * Impact

3 CSC 666: Secure Software Engineering Software Security Risk Assessment via Protection Poker

4 CSC 666: Secure Software Engineering Players 1.Programmers 2.Testers 3.Customer representatives 4.Security team representative 5.Specialists (UI, DB, etc.)

5 CSC 666: Secure Software Engineering Procedure 1.Calibrate value of system assets. 2.Calibrate ease of attack for requirements. 3.Compute security risk (value, ease) for each requirement. 4.Security risk ranking and discussion.

6 CSC 666: Secure Software Engineering Calibrate Value of Assets 1.Examine assets listed in Table 1. 2.Identify least valuable asset in Table 1.  Discuss.  Assign a value of 1 in Table 1 to asset. 3.Identify most valuable asset in Table 1.  Use cards to achieve consensus about how much more valuable asset is.  Assign consensus value in Table 1 to asset.

7 CSC 666: Secure Software Engineering Calibrate Ease of Attack 1.Identify easiest requirement to attack.  Find one that modify data, allow reads of sensitive data, have weak auth, etc.  Use cards to find consensus value. 2.Identify hardest requirement to attack.  Find one that doesn’t modify data, allow reads of sensitive data, has strong auth, etc.  Use cards to find consensus value. 3.Record ease points in Table 3.

8 CSC 666: Secure Software Engineering Compute Security Risk For each requirement 1.Identify relevant assets. 2.If values have already been assigned, document assets with values in Table 2. 3.If values have not been assigned, use cards to achieve consensus value. Record value in Tables 1 and 2. 4.Record max value in Table 2. For each requirement 1.Use cards to achieve consensus on ease of attack. Record value in Table 3. 2.Compute risk by multiplying value by ease. Record the value for risk in Table 3.

9 CSC 666: Secure Software Engineering Security Risk Ranking 1.Rank requirements by risk from 1 to 4. 2.Place value in security risk ranking Table 3. 3.If any rankings are a surprise, discuss and iterate with cards if necessary.

10 CSC 666: Secure Software Engineering Why does it work? 1.Brings together multiple expert opinions with different perspectives on project. 2.Ratings focus on attack resistance analysis. 3.Discussions enable ambiguity analysis.

11 References 1.Laurie Williams, Michael Gegick and Andy Meneely. Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer. Engineering Secure Software and Systems. 2009 2.Laurie Williams. Protection Poker Tutorial. http://collaboration.csc.ncsu.edu/laurie/S ecurity/ProtectionPoker/, 2008. http://collaboration.csc.ncsu.edu/laurie/S ecurity/ProtectionPoker/

Download ppt "Protection Poker James Walden Northern Kentucky University."

Similar presentations

STRATEGIC PLANNING FOR Post-Clearance Audit (PCA)

STRATEGIC PLANNING FOR Post-Clearance Audit (PCA)
Systems Development Environment

Systems Development Environment
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
Risk Analysis James Walden Northern Kentucky University.

Risk Analysis James Walden Northern Kentucky University.
Understand Database Security Concepts

Understand Database Security Concepts
Authentication James Walden Northern Kentucky University.

Authentication James Walden Northern Kentucky University.
CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.

CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.
Software Engineering with Dr. Daniel P. Berger and Dr. Philip E. Vandermeer II.

Software Engineering with Dr. Daniel P. Berger and Dr. Philip E. Vandermeer II.
Quality is about testing early and testing often Joe Apuzzo, Ngozi Nwana, Sweety Varghese Student/Faculty Research Day CSIS Pace University May 6th, 2005.

Quality is about testing early and testing often Joe Apuzzo, Ngozi Nwana, Sweety Varghese Student/Faculty Research Day CSIS Pace University May 6th, 2005.
Looking at Student Work. Engage in a structured discussion focused on student learning Develop a shared understanding of what constitutes evidence of.

Looking at Student Work. Engage in a structured discussion focused on student learning Develop a shared understanding of what constitutes evidence of.
THE USE OF TECHNOLOGY Training Innovation Video Analysis of Performance Data Gathering and Analysis.

THE USE OF TECHNOLOGY Training Innovation Video Analysis of Performance Data Gathering and Analysis.
Risk Management.

Risk Management.
Risk Management Vs Risk avoidance William Gillette.

Risk Management Vs Risk avoidance William Gillette.
Bringing Softtek’s Software Testing Organization from Good to World- Class Software Testing Organization Proposal.

Bringing Softtek’s Software Testing Organization from Good to World- Class Software Testing Organization Proposal.
Engineering Secure Software. Why do we study risk?  Many outcomes are possible, not all are probable  Enumeration  Prioritization  Discussion.

Engineering Secure Software. Why do we study risk?  Many outcomes are possible, not all are probable  Enumeration  Prioritization  Discussion.
Let’s Play Poker: Effort and Software Security Risk Estimation in Software Engineering Laurie Williams 1 Picture from

Let’s Play Poker: Effort and Software Security Risk Estimation in Software Engineering Laurie Williams 1 Picture from
Taylor Trayner. Definition  Set of business processes developed in an organization to create, store, transfer, and apply knowledge  Knowledge is a firm.

Taylor Trayner. Definition  Set of business processes developed in an organization to create, store, transfer, and apply knowledge  Knowledge is a firm.
Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.
Models for Estimating Risk and Optimizing the Return on Security Investment.

Models for Estimating Risk and Optimizing the Return on Security Investment.
WHAT IS TECHNOLOGY INTEGRATION ? Technology integration is the use of technology resources -- computers, digital cameras, CD- ROMs, software applications,

WHAT IS TECHNOLOGY INTEGRATION ? Technology integration is the use of technology resources -- computers, digital cameras, CD- ROMs, software applications,

Similar presentations

Ads by Google