
Protection Poker

James Walden

Northern Kentucky University


CSC 666: Secure Software Engineering

What is Protection Poker?

Collaborative, informal risk analysis technique based on planning poker.

Evaluate each requirement on two dimensions:

1. Ease of attack.

2. Impact of attack.

Risk = Ease * Impact


[Figure: Software Security Risk Assessment via Protection Poker. A two-by-two risk matrix with Ease on the horizontal axis (Difficult to Exploit to Easy to Exploit) and Value on the vertical axis (Low Impact to High Impact). The easy-to-exploit, high-impact corner is Highest Priority; the difficult-to-exploit, low-impact corner is Lowest Priority.]


Players

1. Programmers

2. Testers

3. Customer representatives

4. Security team representative

5. Specialists (UI, DB, etc.)


Procedure

1. Calibrate value of system assets.

2. Calibrate ease of attack for requirements.

3. Compute security risk (value * ease) for each requirement.

4. Security risk ranking and discussion.


Calibrate Value of Assets

1. Examine assets listed in Table 1.

2. Identify the least valuable asset in Table 1. Discuss. Assign it a value of 1 in Table 1.

3. Identify the most valuable asset in Table 1. Use cards to achieve consensus about how much more valuable it is than the least valuable asset. Assign the consensus value to it in Table 1.


Calibrate Ease of Attack

1. Identify the easiest requirement to attack. Look for one that modifies data, allows reads of sensitive data, has weak authentication, etc. Use cards to find a consensus ease value.

2. Identify the hardest requirement to attack. Look for one that does not modify data, does not allow reads of sensitive data, has strong authentication, etc. Use cards to find a consensus ease value.

3. Record ease points in Table 3.


Compute Security Risk

For each requirement:

1. Identify relevant assets.

2. If values have already been assigned, document the assets with their values in Table 2.

3. If values have not been assigned, use cards to achieve a consensus value. Record the value in Tables 1 and 2.

4. Record the max value in Table 2.

Then, for each requirement:

1. Use cards to achieve consensus on ease of attack. Record the value in Table 3.

2. Compute risk by multiplying value by ease. Record the value for risk in Table 3.


Security Risk Ranking

1. Rank requirements by risk from 1 to 4.

2. Place value in security risk ranking Table 3.

3. If any rankings are a surprise, discuss and iterate with cards if necessary.
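The bookkeeping for Tables 1 to 3 and the ranking step, worked end to end on a small constructed example. This is an added illustration, not code from the slides or from the Protection Poker authors: the card deck, the four assets, the four requirements and their consensus values are all assumptions chosen so that the output matches the 1-to-4 ranking described above. The card votes themselves still come from the players; the script only validates a round and flags whether another round of discussion is needed.

```python
"""Protection Poker bookkeeping: Table 1 (asset values), Table 2 (values per
requirement, max value), Table 3 (ease, risk = value * ease, rank).
Added example; sample data below is constructed, not from a real project."""

# Assumed card deck with planning-poker style values. The slides do not list
# the deck, so this is an assumption of the example.
CARDS = (1, 2, 3, 5, 8, 13, 20, 40, 100)


def check_votes(votes):
    """Validate one round of card votes.

    Returns (consensus_value, spread): consensus_value is the agreed card when
    every player showed the same card, otherwise None; spread is the distance
    between the lowest and highest card in deck positions (1 = adjacent cards).
    Consensus in Protection Poker comes from discussion and re-voting, which a
    script cannot replace; this only tells the facilitator whether to re-vote.
    """
    bad = [v for v in votes if v not in CARDS]
    if bad:
        raise ValueError(f"votes must be card values {CARDS}, got {bad}")
    lo, hi = min(votes), max(votes)
    if lo == hi:
        return lo, 0
    return None, CARDS.index(hi) - CARDS.index(lo)


# Table 1 (constructed sample): calibrated asset values, least valuable = 1.
TABLE1 = {
    "course catalog": 1,
    "student e-mail addresses": 5,
    "grades": 20,
    "instructor credentials": 40,
}

# Constructed requirements: the assets each one touches and the consensus
# ease-of-attack points the players agreed on.
REQUIREMENTS = [
    {"id": "R1", "text": "Browse public course catalog",
     "assets": ["course catalog"], "ease": 1},
    {"id": "R2", "text": "Student downloads own grade report",
     "assets": ["grades", "student e-mail addresses"], "ease": 5},
    {"id": "R3", "text": "Instructor edits grades",
     "assets": ["grades", "instructor credentials"], "ease": 8},
    {"id": "R4", "text": "Password reset link e-mailed to user",
     "assets": ["instructor credentials", "student e-mail addresses"], "ease": 13},
]


def table2(requirements, table1):
    """Table 2: each requirement's asset values and the max value among them."""
    rows = {}
    for req in requirements:
        missing = [a for a in req["assets"] if a not in table1]
        if missing:
            # Step 3 of Compute Security Risk: these need a card round first.
            raise KeyError(f"{req['id']}: assets without calibrated value: {missing}")
        values = {a: table1[a] for a in req["assets"]}
        rows[req["id"]] = {"values": values, "max_value": max(values.values())}
    return rows


def table3(requirements, table1):
    """Table 3: value, ease, risk = value * ease and rank (1 = highest risk)."""
    t2 = table2(requirements, table1)
    rows = []
    for req in requirements:
        value = t2[req["id"]]["max_value"]
        rows.append({"id": req["id"], "value": value,
                     "ease": req["ease"], "risk": value * req["ease"]})
    # Rank by risk, highest first; sorted() returns the same dict objects,
    # so the rank lands in the rows returned in requirement order.
    for rank, row in enumerate(sorted(rows, key=lambda r: r["risk"], reverse=True), 1):
        row["rank"] = rank
    return rows


if __name__ == "__main__":
    print(check_votes([3, 13, 5]))   # (None, 3): re-vote after discussion
    for row in table3(REQUIREMENTS, TABLE1):
        print(f"{row['id']}  value={row['value']:>3}  ease={row['ease']:>3}"
              f"  risk={row['risk']:>4}  rank={row['rank']}")
```

With the sample data, R4 (password reset, value 40 * ease 13 = 520) ranks first and R1 (public catalog, 1 * 1 = 1) ranks last. Ties in risk receive consecutive ranks in requirement order; in a real session a tie is exactly the kind of result to discuss and re-vote on.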


Why does it work?

1. Brings together multiple expert opinions with different perspectives on the project.

2. Ratings focus on attack resistance analysis.

3. Discussions enable ambiguity analysis.


References

1. Laurie Williams, Michael Gegick and Andy Meneely. Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer. Engineering Secure Software and Systems, 2009.

2. Laurie Williams. Protection Poker Tutorial. http://collaboration.csc.ncsu.edu/laurie/Security/ProtectionPoker/, 2008.