SlideShare una empresa de Scribd logo

Protection Poker: An Agile Security Game

T
TechWell

Each time a new feature is added to a product, developers need to consider the security risk implications, find ways to securely implement the function, and develop tests to confirm that the risk is gone or significantly lowered. Laurie Williams shares a Wideband Delphi practice called Protection Poker she's employed as a collaborative, interactive, and informal agile structure for "misuse case" development and threat modeling. Laurie shares the case study results of a software development team at RedHat that used Protection Poker to identify security risks, find ways to mitigate those risks, and increase security knowledge throughout the team. In this session, Laurie leads an interactive Protection Poker exercise in which you and other participants analyze the security risk of sample new features and learn to collaboratively think like an attacker. Participants will discuss implementation and testing strategies for the sample features to discover first hand the opportunities and challenges a security focus brings to development.

TecnologíaEmpresariales
1 de 20
Descargar para leer sin conexión
          AT3 Concurrent Session  11/8/2012 10:15 AM                "Protection Poker: An Agile Security Game"       Presented by: Laurie Williams North Carolina State University                 Brought to you by:        340 Corporate Way, Suite 300, Orange Park, FL 32073  888‐268‐8770 ∙ 904‐278‐0524 ∙ sqeinfo@sqe.com ∙ www.sqe.com
Laurie Williams North Carolina State University A professor of computer science at North Carolina State University, Laurie Williams has been researching agile development methodologies and practices for thirteen years and software security for seven years. She has taught agile courses and coached industrial agile teams at a number of organizations in a variety of domains for the past five years. Laurie is the author of Pair Programming Illuminated; sixty refereed papers on agile software development, test-driven development, and pair programming; and thirty papers on software security. .  
Protection Poker: An Agile Security Game Laurie Williams williams@csc.ncsu.edu Picture from http://www.thevelvetstore.com 1 Another vote for… “Everything should be made as simple as possible, but not simpler.” --Albert Einstein http://imagecache2.allposters.com/images/pic/CMA G/956-037~Albert-Einstein-Posters.jpg 1
Estimation Planning Poker How many engineers? How long? What is the security risk? Protection Poker Pictures from http://www.doolwind.com , http://news.cnet.com and http://www.itsablackthang.com/images/Art-Sports/irving-sinclair-the-pokergame.jpg Effort Estimation: Planning Poker How many engineers? How long? Pictures from http://www.doolwind.com , http://www.legendsofamerica.com/photos-oldwest/Faro2-500.jpg 2
Coming up with the plan Desired Feature s 5 story points/ iteration 30 story points 6 iterations June 10 5 Estimating “dog points” • Estimate each of the dogs below in dog points, assigning each dog a minimum of 1 dog point and a maximum of 10 dog points • A dog point represents the height of a dog at the shoulder – – – – – – – – Labrador retriever Terrier Great Dane Poodle Dachshund German shepherd St. Bernard Bulldog 6 3
What if? • Estimate each of the dogs below in dog points, assigning each dog a minimum of 1 dog point and a maximum of 100 dog points • A dog point represents the height of a dog at the shoulder – – – – – – – – Labrador retriever Terrier Great Dane Poodle Dachshund German shepherd St. Bernard Bulldog Harder or easier? More or less accurate? More or less time consuming? 7 Estimating story points • Estimate stories relative to each other – – – – Twice T i as big bi Half as big Almost but not quite as big A little bit bigger • Only values: – 0 1, 2, 3, 5, 8, 13, 20 40, 100 0, 1 2 3 5 8 13 20, 40 Near term iteration “stories” A few iterations away “epic” 8 4
Diversity of opinion is essential! Vote based on: •Disaggregation •Analogy •Expert opinion (Subjective) Results of Planning Poker • Explicit result (<20%): – Effort Estimate • Side effects/implicit results (80%+): – Greater understanding of requirement – Expectation setting – Implementation hints – High level design/architecture discussion – Ownership of estimate 5
Security Risk Estimation: Protection Poker What is the security risk? http://news.cnet.com and http://swamptour.net/images/ST7PokerGame1.gif http://collaboration.csc.ncsu.edu/laurie/Papers/ProtectionPoker.pdf Software Security Risk Assessment via Protection Poker 6
Computing Security Risk Exposure Traditional Risk Exposure probability of occurrence NIST Security Risk likelihood of threat threatExposure source exercising vulnerability X impact of loss X impact of adverse event on organization enumeration of adversary types difficulty motivation of adversaries Proposed Security ease of attack Risk Exposure Ease points X value of asset - To organization - To adversary Value points Memory Jogger 7
Step 1: Calibrate value of database tables (done once) • Which database table would be least attractive to an attacker? • Which database table would be most attractive to an attacker? • Use your planning poker cards to assign relative point values for the “value” of each database table, giving a 1 to the least attractive. • Circle the database tables in Table 1 and put the value points in the appropriate column. • There are your “value” endpoints. Step 2: Calibrate ease of attack for requirements (done once) • Which requirement adds functionality that will make an attack easiest? • Which requirement adds functionality that will make attack hardest? • Use your planning poker cards to assign relative point values for the “ease” of each requirement. • There are your “ease” endpoints for the rest of the exercise. exercise 8
Step 3: Compute security risk of requirements (each iteration) • For each requirement: – Identify database tables used in that requirement For requirement. each: • Table already have a “value”? Use it. • Table doesn‘t have a “value”? “Poker” a value. – Record the sum of database table values. – “Poker” a value for ease points. Discuss changes to implementation that may reduce the ease. – Compute security risk by multiplying value by ease. Security Risk Assessment Requirement Ease  Ease Points Value Points Security Risk  Ranking Req 1 1 100 100 3 Req 2 5 1 5 6 Req 3 5 1 5 6 Req 4 20 5 100 3 Req 5 13 13 169 2 Req 6 1 40 40 5 Req 7 40 60 2400 1 Sum of asset value (e.g. one 20 and one 40) 9
Step 4: Risk Ranking and Discussion (each iteration) • Rank your risks. • Any surprises? Satisfied with values you gave? • What plans would you put in place now that you are more aware of the security risk? “Diversity of ideas is healthy, and it lends a creativity and drive to the security field that we must take advantage of.” -- Gary McGraw Informal discussions of: •Threat models •Misuse cases 10
Attacker mindset RedHat Case Study Current software security knowledge PP help spread software security knowledge PP learn about software security Focus on true software security risks 11
Discussions # of contributions time talking (Subjective) Results of Protection Poker • Explicit result (<20%): – Relative security risk assessment • Side effects/implicit results (80%+): – Greater awareness understanding of security implications of requirement • Collaborative threat modeling • Collaborative misuse case development – Requirements changed to reduce risk q g – Allocation of time to build security into new functionality “delivered” at end of iteration (appropriate to relative risk) – Knowledge sharing and transfer of security information 12
Group exercise • Let’s play protection poker! 13
14
Req 1: Emergency Responder Currently the only roles in iTrust are licensed health care professional, unlicensed health care professional (a.k.a secretarial support), support) administrator and patient The need for another role has patient. arisen: emergency responder (ER). An emergency responder is defined as follows: police, fire, emergency medical technicians (EMTs), and other medically trained emergency responders who provide care while at, or in transport from, the site of an emergency. The only capability provided to an ER is access to an emergency report for a patient which provides basic but important information such as: allergies blood type recent short term allergies, type, short-term diagnoses, long term, chronic illness diagnoses, prescription history, and immunization history. The patient is sent an email to notify them of the viewing of their records by an emergency responder. Req 2: Find qualified LHCP A patient has just been diagnosed with a condition and wants to find the licensed health care professionals (LHCPs) in the area who h h have h dl d th t condition. Th patient chooses 'M handled that diti The ti t h 'My Diagnoses” and is presented with a listing of all their own diagnoses, sorted by diagnosis date (more recent first). The patient can select a diagnosis and will be presented with the LHCPs in the patient's living area (based upon the first three numbers of their zip code) who have handled this diagnosis in the last three years. The list is ranked by the quantity of patients the LHCP has treated for that diagnosis (each patient is only counted once regardless of the number of office visits). 15
Req 3: Update diagnosis code table The American Medical Association has decided that beginning January 1 2013 all 1, diagnoses must be coded with ICD-10 rather than ICD-9CM. These new codes need to be saved for eventual use by the iTrust application. Req 4: View access log A patient can view a listing of the names of licensed health care professionals that viewed or edited their medical records and the date the viewing/editing occurred is displayed. 16
For each requirement • Discuss the most sensitive data element involved (value) –E d i t Endpoints – Relative values • Discuss whether the new functionality provides functionality that could make it easier for an attacker to exploit the system (ease) – Endpoints – Relative values • Using Protection Poker language, which requirement seems the least and most risky and why http://www.photosofoldamerica.com/webart/large/254.JPG http://www.cardcow.com/images/albert-einstein-at-beach1945-celebrities-28954.jpg 17
Protection Poker Resources • Williams, L., Meneely, A., and Shipley, G., Protection Poker: The New Software Security "Game", IEEE Security and Privacy, Vol. 8, Number 3, May/June 2010, pp. 14-20. • http://collaboration.csc.ncsu.edu/laurie/Sec urity/ProtectionPoker/ 18

Recomendados

Week 11 12 chap11 c-2
Week 11 12 chap11 c-2Week 11 12 chap11 c-2
Week 11 12 chap11 c-2Zahir Reza
 
Risk Assessment and Threat Modeling
Risk Assessment and Threat ModelingRisk Assessment and Threat Modeling
Risk Assessment and Threat Modelingsedukull
 
Robustness in deep learning
Robustness in deep learningRobustness in deep learning
Robustness in deep learningGanesan Narayanasamy
 
Rule based expert system
Rule based expert systemRule based expert system
Rule based expert systemAbhishek Kori
 
Expert system
Expert systemExpert system
Expert systemDr. Vardhan choubey
 
Expert Systems
Expert SystemsExpert Systems
Expert SystemsCamille Santos
 
Application of Expert Systems in System Analysis & Design
Application of Expert Systems in System Analysis & Design Application of Expert Systems in System Analysis & Design
Application of Expert Systems in System Analysis & Design faiza nahin
 
Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesRoger Johnston
 

Recomendados

Week 11 12 chap11 c-2
Week 11 12 chap11 c-2Week 11 12 chap11 c-2
Week 11 12 chap11 c-2Zahir Reza
 
Risk Assessment and Threat Modeling
Risk Assessment and Threat ModelingRisk Assessment and Threat Modeling
Risk Assessment and Threat Modelingsedukull
 
Robustness in deep learning
Robustness in deep learningRobustness in deep learning
Robustness in deep learningGanesan Narayanasamy
 
Rule based expert system
Rule based expert systemRule based expert system
Rule based expert systemAbhishek Kori
 
Expert system
Expert systemExpert system
Expert systemDr. Vardhan choubey
 
Expert Systems
Expert SystemsExpert Systems
Expert SystemsCamille Santos
 
Application of Expert Systems in System Analysis & Design
Application of Expert Systems in System Analysis & Design Application of Expert Systems in System Analysis & Design
Application of Expert Systems in System Analysis & Design faiza nahin
 
Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesRoger Johnston
 
Threat Based Risk Assessment
Threat Based Risk AssessmentThreat Based Risk Assessment
Threat Based Risk AssessmentMichael Lines
 
5 ai lecture-05 expert system
5 ai lecture-05 expert system5 ai lecture-05 expert system
5 ai lecture-05 expert systemAhmad sohail Kakar
 
Anomaly detection with machine learning at scale
Anomaly detection with machine learning at scaleAnomaly detection with machine learning at scale
Anomaly detection with machine learning at scaleImpetus Technologies
 
Dss vs expert system
Dss vs expert systemDss vs expert system
Dss vs expert systemAnita Johri
 
Administering security
Administering securityAdministering security
Administering securityG Prachi
 
Adversarial Attacks and Defense
Adversarial Attacks and DefenseAdversarial Attacks and Defense
Adversarial Attacks and DefenseKishor Datta Gupta
 
Information systems risk assessment frame workisraf 130215042410-phpapp01
Information systems risk assessment frame workisraf 130215042410-phpapp01Information systems risk assessment frame workisraf 130215042410-phpapp01
Information systems risk assessment frame workisraf 130215042410-phpapp01S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Designing Your Team and Organization for Innovation
Designing Your Team and Organization for InnovationDesigning Your Team and Organization for Innovation
Designing Your Team and Organization for InnovationTechWell
 
Agile Testing: It’s a Team Sport
Agile Testing: It’s a Team SportAgile Testing: It’s a Team Sport
Agile Testing: It’s a Team SportTechWell
 
Agile Success with Scrum: It’s All about the People
Agile Success with Scrum: It’s All about the PeopleAgile Success with Scrum: It’s All about the People
Agile Success with Scrum: It’s All about the PeopleTechWell
 
Design for Testability: A Tutorial for Devs and Testers
Design for Testability: A Tutorial for Devs and TestersDesign for Testability: A Tutorial for Devs and Testers
Design for Testability: A Tutorial for Devs and TestersTechWell
 
Test Managers: How You Can Really Make a Difference
Test Managers: How You Can Really Make a DifferenceTest Managers: How You Can Really Make a Difference
Test Managers: How You Can Really Make a DifferenceTechWell
 
Software Metrics: Taking the Guesswork Out of Software Projects
Software Metrics: Taking the Guesswork Out of Software ProjectsSoftware Metrics: Taking the Guesswork Out of Software Projects
Software Metrics: Taking the Guesswork Out of Software ProjectsTechWell
 
The Google Hacking Database: A Key Resource to Exposing Vulnerabilities
The Google Hacking Database: A Key Resource to Exposing VulnerabilitiesThe Google Hacking Database: A Key Resource to Exposing Vulnerabilities
The Google Hacking Database: A Key Resource to Exposing VulnerabilitiesTechWell
 
Agile and CMMI: Yes, They Can Work Together
Agile and CMMI: Yes, They Can Work TogetherAgile and CMMI: Yes, They Can Work Together
Agile and CMMI: Yes, They Can Work TogetherTechWell
 
Agile Program Management: Networks, Not Hierarchies
Agile Program Management: Networks, Not HierarchiesAgile Program Management: Networks, Not Hierarchies
Agile Program Management: Networks, Not HierarchiesTechWell
 
Agile Redefines Global Economics: What Recent Data Reveals
Agile Redefines Global Economics: What Recent Data RevealsAgile Redefines Global Economics: What Recent Data Reveals
Agile Redefines Global Economics: What Recent Data RevealsTechWell
 
Influence Strategies for Software Professionals
Influence Strategies for Software ProfessionalsInfluence Strategies for Software Professionals
Influence Strategies for Software ProfessionalsTechWell
 
Tests and Requirements: Like Ham and Eggs, Sugar and Spice, Lucy and Desi
Tests and Requirements: Like Ham and Eggs, Sugar and Spice, Lucy and DesiTests and Requirements: Like Ham and Eggs, Sugar and Spice, Lucy and Desi
Tests and Requirements: Like Ham and Eggs, Sugar and Spice, Lucy and DesiTechWell
 
Governing Agile Teams: Disciplined Strategies to Increase Agile Effectiveness
Governing Agile Teams: Disciplined Strategies to Increase Agile EffectivenessGoverning Agile Teams: Disciplined Strategies to Increase Agile Effectiveness
Governing Agile Teams: Disciplined Strategies to Increase Agile EffectivenessTechWell
 
Seven Keys to Navigating Your Agile Testing Transition
Seven Keys to Navigating Your Agile Testing TransitionSeven Keys to Navigating Your Agile Testing Transition
Seven Keys to Navigating Your Agile Testing TransitionTechWell
 
How to Jumpstart Enterprise Agile Adoption
How to Jumpstart Enterprise Agile AdoptionHow to Jumpstart Enterprise Agile Adoption
How to Jumpstart Enterprise Agile AdoptionTechWell
 

Más contenido relacionado

La actualidad más candente

Threat Based Risk Assessment
Threat Based Risk AssessmentThreat Based Risk Assessment
Threat Based Risk AssessmentMichael Lines
 
Anomaly detection with machine learning at scale
Anomaly detection with machine learning at scaleAnomaly detection with machine learning at scale
Anomaly detection with machine learning at scaleImpetus Technologies
 
Dss vs expert system
Dss vs expert systemDss vs expert system
Dss vs expert systemAnita Johri
 
Administering security
Administering securityAdministering security
Administering securityG Prachi
 
Adversarial Attacks and Defense
Adversarial Attacks and DefenseAdversarial Attacks and Defense
Adversarial Attacks and DefenseKishor Datta Gupta
 

La actualidad más candente (7)

Threat Based Risk Assessment
Threat Based Risk AssessmentThreat Based Risk Assessment
Threat Based Risk Assessment
 
5 ai lecture-05 expert system
5 ai lecture-05 expert system5 ai lecture-05 expert system
5 ai lecture-05 expert system
 
Anomaly detection with machine learning at scale
Anomaly detection with machine learning at scaleAnomaly detection with machine learning at scale
Anomaly detection with machine learning at scale
 
Dss vs expert system
Dss vs expert systemDss vs expert system
Dss vs expert system
 
Administering security
Administering securityAdministering security
Administering security
 
Adversarial Attacks and Defense
Adversarial Attacks and DefenseAdversarial Attacks and Defense
Adversarial Attacks and Defense
 
Information systems risk assessment frame workisraf 130215042410-phpapp01
Information systems risk assessment frame workisraf 130215042410-phpapp01Information systems risk assessment frame workisraf 130215042410-phpapp01
Information systems risk assessment frame workisraf 130215042410-phpapp01
 

Destacado

Designing Your Team and Organization for Innovation
Designing Your Team and Organization for InnovationDesigning Your Team and Organization for Innovation
Designing Your Team and Organization for InnovationTechWell
 
Agile Testing: It’s a Team Sport
Agile Testing: It’s a Team SportAgile Testing: It’s a Team Sport
Agile Testing: It’s a Team SportTechWell
 
Agile Success with Scrum: It’s All about the People
Agile Success with Scrum: It’s All about the PeopleAgile Success with Scrum: It’s All about the People
Agile Success with Scrum: It’s All about the PeopleTechWell
 
Design for Testability: A Tutorial for Devs and Testers
Design for Testability: A Tutorial for Devs and TestersDesign for Testability: A Tutorial for Devs and Testers
Design for Testability: A Tutorial for Devs and TestersTechWell
 
Test Managers: How You Can Really Make a Difference
Test Managers: How You Can Really Make a DifferenceTest Managers: How You Can Really Make a Difference
Test Managers: How You Can Really Make a DifferenceTechWell
 
Software Metrics: Taking the Guesswork Out of Software Projects
Software Metrics: Taking the Guesswork Out of Software ProjectsSoftware Metrics: Taking the Guesswork Out of Software Projects
Software Metrics: Taking the Guesswork Out of Software ProjectsTechWell
 
The Google Hacking Database: A Key Resource to Exposing Vulnerabilities
The Google Hacking Database: A Key Resource to Exposing VulnerabilitiesThe Google Hacking Database: A Key Resource to Exposing Vulnerabilities
The Google Hacking Database: A Key Resource to Exposing VulnerabilitiesTechWell
 
Agile and CMMI: Yes, They Can Work Together
Agile and CMMI: Yes, They Can Work TogetherAgile and CMMI: Yes, They Can Work Together
Agile and CMMI: Yes, They Can Work TogetherTechWell
 
Agile Program Management: Networks, Not Hierarchies
Agile Program Management: Networks, Not HierarchiesAgile Program Management: Networks, Not Hierarchies
Agile Program Management: Networks, Not HierarchiesTechWell
 
Agile Redefines Global Economics: What Recent Data Reveals
Agile Redefines Global Economics: What Recent Data RevealsAgile Redefines Global Economics: What Recent Data Reveals
Agile Redefines Global Economics: What Recent Data RevealsTechWell
 
Influence Strategies for Software Professionals
Influence Strategies for Software ProfessionalsInfluence Strategies for Software Professionals
Influence Strategies for Software ProfessionalsTechWell
 
Tests and Requirements: Like Ham and Eggs, Sugar and Spice, Lucy and Desi
Tests and Requirements: Like Ham and Eggs, Sugar and Spice, Lucy and DesiTests and Requirements: Like Ham and Eggs, Sugar and Spice, Lucy and Desi
Tests and Requirements: Like Ham and Eggs, Sugar and Spice, Lucy and DesiTechWell
 
Governing Agile Teams: Disciplined Strategies to Increase Agile Effectiveness
Governing Agile Teams: Disciplined Strategies to Increase Agile EffectivenessGoverning Agile Teams: Disciplined Strategies to Increase Agile Effectiveness
Governing Agile Teams: Disciplined Strategies to Increase Agile EffectivenessTechWell
 
Seven Keys to Navigating Your Agile Testing Transition
Seven Keys to Navigating Your Agile Testing TransitionSeven Keys to Navigating Your Agile Testing Transition
Seven Keys to Navigating Your Agile Testing TransitionTechWell
 
How to Jumpstart Enterprise Agile Adoption
How to Jumpstart Enterprise Agile AdoptionHow to Jumpstart Enterprise Agile Adoption
How to Jumpstart Enterprise Agile AdoptionTechWell
 
Data Warehouse Testing: It’s All about the Planning
Data Warehouse Testing: It’s All about the PlanningData Warehouse Testing: It’s All about the Planning
Data Warehouse Testing: It’s All about the PlanningTechWell
 

Destacado (16)

Designing Your Team and Organization for Innovation
Designing Your Team and Organization for InnovationDesigning Your Team and Organization for Innovation
Designing Your Team and Organization for Innovation
 
Agile Testing: It’s a Team Sport
Agile Testing: It’s a Team SportAgile Testing: It’s a Team Sport
Agile Testing: It’s a Team Sport
 
Agile Success with Scrum: It’s All about the People
Agile Success with Scrum: It’s All about the PeopleAgile Success with Scrum: It’s All about the People
Agile Success with Scrum: It’s All about the People
 
Design for Testability: A Tutorial for Devs and Testers
Design for Testability: A Tutorial for Devs and TestersDesign for Testability: A Tutorial for Devs and Testers
Design for Testability: A Tutorial for Devs and Testers
 
Test Managers: How You Can Really Make a Difference
Test Managers: How You Can Really Make a DifferenceTest Managers: How You Can Really Make a Difference
Test Managers: How You Can Really Make a Difference
 
Software Metrics: Taking the Guesswork Out of Software Projects
Software Metrics: Taking the Guesswork Out of Software ProjectsSoftware Metrics: Taking the Guesswork Out of Software Projects
Software Metrics: Taking the Guesswork Out of Software Projects
 
The Google Hacking Database: A Key Resource to Exposing Vulnerabilities
The Google Hacking Database: A Key Resource to Exposing VulnerabilitiesThe Google Hacking Database: A Key Resource to Exposing Vulnerabilities
The Google Hacking Database: A Key Resource to Exposing Vulnerabilities
 
Agile and CMMI: Yes, They Can Work Together
Agile and CMMI: Yes, They Can Work TogetherAgile and CMMI: Yes, They Can Work Together
Agile and CMMI: Yes, They Can Work Together
 
Agile Program Management: Networks, Not Hierarchies
Agile Program Management: Networks, Not HierarchiesAgile Program Management: Networks, Not Hierarchies
Agile Program Management: Networks, Not Hierarchies
 
Agile Redefines Global Economics: What Recent Data Reveals
Agile Redefines Global Economics: What Recent Data RevealsAgile Redefines Global Economics: What Recent Data Reveals
Agile Redefines Global Economics: What Recent Data Reveals
 
Influence Strategies for Software Professionals
Influence Strategies for Software ProfessionalsInfluence Strategies for Software Professionals
Influence Strategies for Software Professionals
 
Tests and Requirements: Like Ham and Eggs, Sugar and Spice, Lucy and Desi
Tests and Requirements: Like Ham and Eggs, Sugar and Spice, Lucy and DesiTests and Requirements: Like Ham and Eggs, Sugar and Spice, Lucy and Desi
Tests and Requirements: Like Ham and Eggs, Sugar and Spice, Lucy and Desi
 
Governing Agile Teams: Disciplined Strategies to Increase Agile Effectiveness
Governing Agile Teams: Disciplined Strategies to Increase Agile EffectivenessGoverning Agile Teams: Disciplined Strategies to Increase Agile Effectiveness
Governing Agile Teams: Disciplined Strategies to Increase Agile Effectiveness
 
Seven Keys to Navigating Your Agile Testing Transition
Seven Keys to Navigating Your Agile Testing TransitionSeven Keys to Navigating Your Agile Testing Transition
Seven Keys to Navigating Your Agile Testing Transition
 
How to Jumpstart Enterprise Agile Adoption
How to Jumpstart Enterprise Agile AdoptionHow to Jumpstart Enterprise Agile Adoption
How to Jumpstart Enterprise Agile Adoption
 
Data Warehouse Testing: It’s All about the Planning
Data Warehouse Testing: It’s All about the PlanningData Warehouse Testing: It’s All about the Planning
Data Warehouse Testing: It’s All about the Planning
 

Similar a Protection Poker: An Agile Security Game

OpenText Cyber Resilience Fastrak
OpenText Cyber Resilience FastrakOpenText Cyber Resilience Fastrak
OpenText Cyber Resilience FastrakMarc St-Pierre
 
Enterprise IT Security| CIO Innovation and Leadership
Enterprise IT Security| CIO Innovation and LeadershipEnterprise IT Security| CIO Innovation and Leadership
Enterprise IT Security| CIO Innovation and LeadershipRedZone Technologies
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...robbiesamuel
 
We need Paper on Risk Assessment for the organization (NASA). Th.docx
We need Paper on Risk Assessment for the organization (NASA). Th.docxWe need Paper on Risk Assessment for the organization (NASA). Th.docx
We need Paper on Risk Assessment for the organization (NASA). Th.docxcelenarouzie
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testingCu Nguyen
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart WaySecurity Innovation
 
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)Vladimir Kochetkov
 
27 Introduction Risk management begins with first .docx
27 Introduction Risk management begins with first .docx27 Introduction Risk management begins with first .docx
27 Introduction Risk management begins with first .docxlorainedeserre
 
27 Introduction Risk management begins with first .docx
27 Introduction Risk management begins with first .docx27 Introduction Risk management begins with first .docx
27 Introduction Risk management begins with first .docxvickeryr87
 
Security metrics 2
Security metrics 2Security metrics 2
Security metrics 2Manish Kumar
 
Cyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.comCyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.comPrescottLunt386
 
SOC Analyst Interview Questions & Answers.pdf
SOC Analyst Interview Questions & Answers.pdfSOC Analyst Interview Questions & Answers.pdf
SOC Analyst Interview Questions & Answers.pdfinfosec train
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber riskStephen Cobb
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsThe Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsDemetrio Milea
 
INFORMATION SECURITY STUDY GUIDE for STUDENTS
INFORMATION SECURITY STUDY GUIDE for STUDENTSINFORMATION SECURITY STUDY GUIDE for STUDENTS
INFORMATION SECURITY STUDY GUIDE for STUDENTShenlydailymotion
 

Similar a Protection Poker: An Agile Security Game (20)

Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3
 
Cyberedge 2015 Defense Report
Cyberedge 2015 Defense Report Cyberedge 2015 Defense Report
Cyberedge 2015 Defense Report
 
OpenText Cyber Resilience Fastrak
OpenText Cyber Resilience FastrakOpenText Cyber Resilience Fastrak
OpenText Cyber Resilience Fastrak
 
Enterprise IT Security| CIO Innovation and Leadership
Enterprise IT Security| CIO Innovation and LeadershipEnterprise IT Security| CIO Innovation and Leadership
Enterprise IT Security| CIO Innovation and Leadership
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
 
We need Paper on Risk Assessment for the organization (NASA). Th.docx
We need Paper on Risk Assessment for the organization (NASA). Th.docxWe need Paper on Risk Assessment for the organization (NASA). Th.docx
We need Paper on Risk Assessment for the organization (NASA). Th.docx
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
 
Auditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterpriseAuditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterprise
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
 
Cmgt 400 cmgt400
Cmgt 400 cmgt400Cmgt 400 cmgt400
Cmgt 400 cmgt400
 
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
 
27 Introduction Risk management begins with first .docx
27 Introduction Risk management begins with first .docx27 Introduction Risk management begins with first .docx
27 Introduction Risk management begins with first .docx
 
27 Introduction Risk management begins with first .docx
27 Introduction Risk management begins with first .docx27 Introduction Risk management begins with first .docx
27 Introduction Risk management begins with first .docx
 
Security metrics 2
Security metrics 2Security metrics 2
Security metrics 2
 
Cyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.comCyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.com
 
SOC Analyst Interview Questions & Answers.pdf
SOC Analyst Interview Questions & Answers.pdfSOC Analyst Interview Questions & Answers.pdf
SOC Analyst Interview Questions & Answers.pdf
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsThe Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security Analytics
 
INFORMATION SECURITY STUDY GUIDE for STUDENTS
INFORMATION SECURITY STUDY GUIDE for STUDENTSINFORMATION SECURITY STUDY GUIDE for STUDENTS
INFORMATION SECURITY STUDY GUIDE for STUDENTS
 

Más de TechWell

Failing and Recovering
Failing and RecoveringFailing and Recovering
Failing and RecoveringTechWell
 
Instill a DevOps Testing Culture in Your Team and Organization
Instill a DevOps Testing Culture in Your Team and Organization Instill a DevOps Testing Culture in Your Team and Organization
Instill a DevOps Testing Culture in Your Team and Organization TechWell
 
Test Design for Fully Automated Build Architecture
Test Design for Fully Automated Build ArchitectureTest Design for Fully Automated Build Architecture
Test Design for Fully Automated Build ArchitectureTechWell
 
System-Level Test Automation: Ensuring a Good Start
System-Level Test Automation: Ensuring a Good StartSystem-Level Test Automation: Ensuring a Good Start
System-Level Test Automation: Ensuring a Good StartTechWell
 
Build Your Mobile App Quality and Test Strategy
Build Your Mobile App Quality and Test StrategyBuild Your Mobile App Quality and Test Strategy
Build Your Mobile App Quality and Test StrategyTechWell
 
Testing Transformation: The Art and Science for Success
Testing Transformation: The Art and Science for SuccessTesting Transformation: The Art and Science for Success
Testing Transformation: The Art and Science for SuccessTechWell
 
Implement BDD with Cucumber and SpecFlow
Implement BDD with Cucumber and SpecFlowImplement BDD with Cucumber and SpecFlow
Implement BDD with Cucumber and SpecFlowTechWell
 
Develop WebDriver Automated Tests—and Keep Your Sanity
Develop WebDriver Automated Tests—and Keep Your SanityDevelop WebDriver Automated Tests—and Keep Your Sanity
Develop WebDriver Automated Tests—and Keep Your SanityTechWell
 
Eliminate Cloud Waste with a Holistic DevOps Strategy
Eliminate Cloud Waste with a Holistic DevOps StrategyEliminate Cloud Waste with a Holistic DevOps Strategy
Eliminate Cloud Waste with a Holistic DevOps StrategyTechWell
 
Transform Test Organizations for the New World of DevOps
Transform Test Organizations for the New World of DevOpsTransform Test Organizations for the New World of DevOps
Transform Test Organizations for the New World of DevOpsTechWell
 
The Fourth Constraint in Project Delivery—Leadership
The Fourth Constraint in Project Delivery—LeadershipThe Fourth Constraint in Project Delivery—Leadership
The Fourth Constraint in Project Delivery—LeadershipTechWell
 
Resolve the Contradiction of Specialists within Agile Teams
Resolve the Contradiction of Specialists within Agile TeamsResolve the Contradiction of Specialists within Agile Teams
Resolve the Contradiction of Specialists within Agile TeamsTechWell
 
Pin the Tail on the Metric: A Field-Tested Agile Game
Pin the Tail on the Metric: A Field-Tested Agile GamePin the Tail on the Metric: A Field-Tested Agile Game
Pin the Tail on the Metric: A Field-Tested Agile GameTechWell
 
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
Agile Performance Holarchy (APH)—A Model for Scaling Agile TeamsAgile Performance Holarchy (APH)—A Model for Scaling Agile Teams
Agile Performance Holarchy (APH)—A Model for Scaling Agile TeamsTechWell
 
A Business-First Approach to DevOps Implementation
A Business-First Approach to DevOps ImplementationA Business-First Approach to DevOps Implementation
A Business-First Approach to DevOps ImplementationTechWell
 
Databases in a Continuous Integration/Delivery Process
Databases in a Continuous Integration/Delivery ProcessDatabases in a Continuous Integration/Delivery Process
Databases in a Continuous Integration/Delivery ProcessTechWell
 
Mobile Testing: What—and What Not—to Automate
Mobile Testing: What—and What Not—to AutomateMobile Testing: What—and What Not—to Automate
Mobile Testing: What—and What Not—to AutomateTechWell
 
Cultural Intelligence: A Key Skill for Success
Cultural Intelligence: A Key Skill for SuccessCultural Intelligence: A Key Skill for Success
Cultural Intelligence: A Key Skill for SuccessTechWell
 
Turn the Lights On: A Power Utility Company's Agile Transformation
Turn the Lights On: A Power Utility Company's Agile TransformationTurn the Lights On: A Power Utility Company's Agile Transformation
Turn the Lights On: A Power Utility Company's Agile TransformationTechWell
 

Más de TechWell (20)

Failing and Recovering
Failing and RecoveringFailing and Recovering
Failing and Recovering
 
Instill a DevOps Testing Culture in Your Team and Organization
Instill a DevOps Testing Culture in Your Team and Organization Instill a DevOps Testing Culture in Your Team and Organization
Instill a DevOps Testing Culture in Your Team and Organization
 
Test Design for Fully Automated Build Architecture
Test Design for Fully Automated Build ArchitectureTest Design for Fully Automated Build Architecture
Test Design for Fully Automated Build Architecture
 
System-Level Test Automation: Ensuring a Good Start
System-Level Test Automation: Ensuring a Good StartSystem-Level Test Automation: Ensuring a Good Start
System-Level Test Automation: Ensuring a Good Start
 
Build Your Mobile App Quality and Test Strategy
Build Your Mobile App Quality and Test StrategyBuild Your Mobile App Quality and Test Strategy
Build Your Mobile App Quality and Test Strategy
 
Testing Transformation: The Art and Science for Success
Testing Transformation: The Art and Science for SuccessTesting Transformation: The Art and Science for Success
Testing Transformation: The Art and Science for Success
 
Implement BDD with Cucumber and SpecFlow
Implement BDD with Cucumber and SpecFlowImplement BDD with Cucumber and SpecFlow
Implement BDD with Cucumber and SpecFlow
 
Develop WebDriver Automated Tests—and Keep Your Sanity
Develop WebDriver Automated Tests—and Keep Your SanityDevelop WebDriver Automated Tests—and Keep Your Sanity
Develop WebDriver Automated Tests—and Keep Your Sanity
 
Ma 15
Ma 15Ma 15
Ma 15
 
Eliminate Cloud Waste with a Holistic DevOps Strategy
Eliminate Cloud Waste with a Holistic DevOps StrategyEliminate Cloud Waste with a Holistic DevOps Strategy
Eliminate Cloud Waste with a Holistic DevOps Strategy
 
Transform Test Organizations for the New World of DevOps
Transform Test Organizations for the New World of DevOpsTransform Test Organizations for the New World of DevOps
Transform Test Organizations for the New World of DevOps
 
The Fourth Constraint in Project Delivery—Leadership
The Fourth Constraint in Project Delivery—LeadershipThe Fourth Constraint in Project Delivery—Leadership
The Fourth Constraint in Project Delivery—Leadership
 
Resolve the Contradiction of Specialists within Agile Teams
Resolve the Contradiction of Specialists within Agile TeamsResolve the Contradiction of Specialists within Agile Teams
Resolve the Contradiction of Specialists within Agile Teams
 
Pin the Tail on the Metric: A Field-Tested Agile Game
Pin the Tail on the Metric: A Field-Tested Agile GamePin the Tail on the Metric: A Field-Tested Agile Game
Pin the Tail on the Metric: A Field-Tested Agile Game
 
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
Agile Performance Holarchy (APH)—A Model for Scaling Agile TeamsAgile Performance Holarchy (APH)—A Model for Scaling Agile Teams
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
 
A Business-First Approach to DevOps Implementation
A Business-First Approach to DevOps ImplementationA Business-First Approach to DevOps Implementation
A Business-First Approach to DevOps Implementation
 
Databases in a Continuous Integration/Delivery Process
Databases in a Continuous Integration/Delivery ProcessDatabases in a Continuous Integration/Delivery Process
Databases in a Continuous Integration/Delivery Process
 
Mobile Testing: What—and What Not—to Automate
Mobile Testing: What—and What Not—to AutomateMobile Testing: What—and What Not—to Automate
Mobile Testing: What—and What Not—to Automate
 
Cultural Intelligence: A Key Skill for Success
Cultural Intelligence: A Key Skill for SuccessCultural Intelligence: A Key Skill for Success
Cultural Intelligence: A Key Skill for Success
 
Turn the Lights On: A Power Utility Company's Agile Transformation
Turn the Lights On: A Power Utility Company's Agile TransformationTurn the Lights On: A Power Utility Company's Agile Transformation
Turn the Lights On: A Power Utility Company's Agile Transformation
 

Último

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

Protection Poker: An Agile Security Game

  • 1.           AT3 Concurrent Session  11/8/2012 10:15 AM                "Protection Poker: An Agile Security Game"       Presented by: Laurie Williams North Carolina State University                 Brought to you by:        340 Corporate Way, Suite 300, Orange Park, FL 32073  888‐268‐8770 ∙ 904‐278‐0524 ∙ sqeinfo@sqe.com ∙ www.sqe.com
  • 2. Laurie Williams North Carolina State University A professor of computer science at North Carolina State University, Laurie Williams has been researching agile development methodologies and practices for thirteen years and software security for seven years. She has taught agile courses and coached industrial agile teams at a number of organizations in a variety of domains for the past five years. Laurie is the author of Pair Programming Illuminated; sixty refereed papers on agile software development, test-driven development, and pair programming; and thirty papers on software security. .  
  • 3. Protection Poker: An Agile Security Game Laurie Williams williams@csc.ncsu.edu Picture from http://www.thevelvetstore.com 1 Another vote for… “Everything should be made as simple as possible, but not simpler.” --Albert Einstein http://imagecache2.allposters.com/images/pic/CMA G/956-037~Albert-Einstein-Posters.jpg 1
  • 4. Estimation Planning Poker How many engineers? How long? What is the security risk? Protection Poker Pictures from http://www.doolwind.com , http://news.cnet.com and http://www.itsablackthang.com/images/Art-Sports/irving-sinclair-the-pokergame.jpg Effort Estimation: Planning Poker How many engineers? How long? Pictures from http://www.doolwind.com , http://www.legendsofamerica.com/photos-oldwest/Faro2-500.jpg 2
  • 5. Coming up with the plan Desired Feature s 5 story points/ iteration 30 story points 6 iterations June 10 5 Estimating “dog points” • Estimate each of the dogs below in dog points, assigning each dog a minimum of 1 dog point and a maximum of 10 dog points • A dog point represents the height of a dog at the shoulder – – – – – – – – Labrador retriever Terrier Great Dane Poodle Dachshund German shepherd St. Bernard Bulldog 6 3
  • 6. What if? • Estimate each of the dogs below in dog points, assigning each dog a minimum of 1 dog point and a maximum of 100 dog points • A dog point represents the height of a dog at the shoulder – – – – – – – – Labrador retriever Terrier Great Dane Poodle Dachshund German shepherd St. Bernard Bulldog Harder or easier? More or less accurate? More or less time consuming? 7 Estimating story points • Estimate stories relative to each other – – – – Twice T i as big bi Half as big Almost but not quite as big A little bit bigger • Only values: – 0 1, 2, 3, 5, 8, 13, 20 40, 100 0, 1 2 3 5 8 13 20, 40 Near term iteration “stories” A few iterations away “epic” 8 4
  • 7. Diversity of opinion is essential! Vote based on: •Disaggregation •Analogy •Expert opinion (Subjective) Results of Planning Poker • Explicit result (<20%): – Effort Estimate • Side effects/implicit results (80%+): – Greater understanding of requirement – Expectation setting – Implementation hints – High level design/architecture discussion – Ownership of estimate 5
  • 8. Security Risk Estimation: Protection Poker What is the security risk? http://news.cnet.com and http://swamptour.net/images/ST7PokerGame1.gif http://collaboration.csc.ncsu.edu/laurie/Papers/ProtectionPoker.pdf Software Security Risk Assessment via Protection Poker 6
  • 9. Computing Security Risk Exposure Traditional Risk Exposure probability of occurrence NIST Security Risk likelihood of threat threatExposure source exercising vulnerability X impact of loss X impact of adverse event on organization enumeration of adversary types difficulty motivation of adversaries Proposed Security ease of attack Risk Exposure Ease points X value of asset - To organization - To adversary Value points Memory Jogger 7
  • 10. Step 1: Calibrate value of database tables (done once) • Which database table would be least attractive to an attacker? • Which database table would be most attractive to an attacker? • Use your planning poker cards to assign relative point values for the “value” of each database table, giving a 1 to the least attractive. • Circle the database tables in Table 1 and put the value points in the appropriate column. • There are your “value” endpoints. Step 2: Calibrate ease of attack for requirements (done once) • Which requirement adds functionality that will make an attack easiest? • Which requirement adds functionality that will make attack hardest? • Use your planning poker cards to assign relative point values for the “ease” of each requirement. • There are your “ease” endpoints for the rest of the exercise. exercise 8
  • 11. Step 3: Compute security risk of requirements (each iteration) • For each requirement: – Identify database tables used in that requirement For requirement. each: • Table already have a “value”? Use it. • Table doesn‘t have a “value”? “Poker” a value. – Record the sum of database table values. – “Poker” a value for ease points. Discuss changes to implementation that may reduce the ease. – Compute security risk by multiplying value by ease. Security Risk Assessment Requirement Ease  Ease Points Value Points Security Risk  Ranking Req 1 1 100 100 3 Req 2 5 1 5 6 Req 3 5 1 5 6 Req 4 20 5 100 3 Req 5 13 13 169 2 Req 6 1 40 40 5 Req 7 40 60 2400 1 Sum of asset value (e.g. one 20 and one 40) 9
  • 12. Step 4: Risk Ranking and Discussion (each iteration) • Rank your risks. • Any surprises? Satisfied with values you gave? • What plans would you put in place now that you are more aware of the security risk? “Diversity of ideas is healthy, and it lends a creativity and drive to the security field that we must take advantage of.” -- Gary McGraw Informal discussions of: •Threat models •Misuse cases 10
  • 13. Attacker mindset RedHat Case Study Current software security knowledge PP help spread software security knowledge PP learn about software security Focus on true software security risks 11
  • 14. Discussions # of contributions time talking (Subjective) Results of Protection Poker • Explicit result (<20%): – Relative security risk assessment • Side effects/implicit results (80%+): – Greater awareness understanding of security implications of requirement • Collaborative threat modeling • Collaborative misuse case development – Requirements changed to reduce risk q g – Allocation of time to build security into new functionality “delivered” at end of iteration (appropriate to relative risk) – Knowledge sharing and transfer of security information 12
  • 15. Group exercise • Let’s play protection poker! 13
  • 16. 14
  • 17. Req 1: Emergency Responder Currently the only roles in iTrust are licensed health care professional, unlicensed health care professional (a.k.a secretarial support), support) administrator and patient The need for another role has patient. arisen: emergency responder (ER). An emergency responder is defined as follows: police, fire, emergency medical technicians (EMTs), and other medically trained emergency responders who provide care while at, or in transport from, the site of an emergency. The only capability provided to an ER is access to an emergency report for a patient which provides basic but important information such as: allergies blood type recent short term allergies, type, short-term diagnoses, long term, chronic illness diagnoses, prescription history, and immunization history. The patient is sent an email to notify them of the viewing of their records by an emergency responder. Req 2: Find qualified LHCP A patient has just been diagnosed with a condition and wants to find the licensed health care professionals (LHCPs) in the area who h h have h dl d th t condition. Th patient chooses 'M handled that diti The ti t h 'My Diagnoses” and is presented with a listing of all their own diagnoses, sorted by diagnosis date (more recent first). The patient can select a diagnosis and will be presented with the LHCPs in the patient's living area (based upon the first three numbers of their zip code) who have handled this diagnosis in the last three years. The list is ranked by the quantity of patients the LHCP has treated for that diagnosis (each patient is only counted once regardless of the number of office visits). 15
  • 18. Req 3: Update diagnosis code table The American Medical Association has decided that beginning January 1 2013 all 1, diagnoses must be coded with ICD-10 rather than ICD-9CM. These new codes need to be saved for eventual use by the iTrust application. Req 4: View access log A patient can view a listing of the names of licensed health care professionals that viewed or edited their medical records and the date the viewing/editing occurred is displayed. 16
  • 19. For each requirement • Discuss the most sensitive data element involved (value) –E d i t Endpoints – Relative values • Discuss whether the new functionality provides functionality that could make it easier for an attacker to exploit the system (ease) – Endpoints – Relative values • Using Protection Poker language, which requirement seems the least and most risky and why http://www.photosofoldamerica.com/webart/large/254.JPG http://www.cardcow.com/images/albert-einstein-at-beach1945-celebrities-28954.jpg 17
  • 20. Protection Poker Resources • Williams, L., Meneely, A., and Shipley, G., Protection Poker: The New Software Security "Game", IEEE Security and Privacy, Vol. 8, Number 3, May/June 2010, pp. 14-20. • http://collaboration.csc.ncsu.edu/laurie/Sec urity/ProtectionPoker/ 18