Abstract/Description

Each time a new feature is added to a product, the agile team should consider the security risk that the new functionality introduces and brainstorm ways to implement it securely. Does the new feature add new pages that can be used by an attacker to enter the system? What kind of input validation should be performed? Should the private data be encrypted? Should we log all data access so forensics can be performed in case of a breach? What would an insider want to do with this data? How can we make sure the admin doesn’t have more privilege than necessary? The team needs to put on a black hat and think like an attacker!

Laurie and Catherine share a Planning Poker-type practice called Protection Poker that leverages a diversity of ideas, experience, and knowledge related to software security. Protection Poker provides a collaborative, interactive, and informal structure for abuse case development and threat modeling, leading to a software security risk estimate and security risk reduction. Through Protection Poker, the team reduces the risk of design flaws with serious security implications. The test team will learn about areas in the code that need more testing to check for implementation bugs that attackers can leverage to get into a system. Protection Poker also helps to spread software security knowledge throughout a team as the team "plays the game".

Laurie shares the results of a study of the use of Protection Poker with a software development team at Red Hat. The study indicated Protection Poker was effective for brainstorming security risks and the mitigation of these risks and for spreading security knowledge throughout the team.

Laurie and Catherine lead the session participants through an interactive Protection Poker exercise. Participants will analyze the security risk of sample new features, learning to collaboratively think like an attacker. Participants will also learn about “building security” into their products by discussing implementation and testing strategies for sample new features to reduce their security risk.

About the Speaker(s)

Laurie Williams is the Interim Department Head of Computer Science and a Professor in the Computer Science Department of the College of Engineering at North Carolina State University (NCSU). Laurie is a co-director of the NCSU Science of Security Lablet. Laurie's research focuses on software security; agile, lean, and continuous deployment software development practices and processes; software reliability, software testing and analysis; and broadening participation and increasing retention in computer science. Laurie has more than 210 refereed publications. Laurie received her Ph.D. in Computer Science from the University of Utah, her MBA from Duke University Fuqua School of Business, and her BS in Industrial Engineering from Lehigh University. She worked for IBM Corporation for nine years in Raleigh, NC and Research Triangle Park, NC before returning to academia.