Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer

Discovery of security vulnerabilities is on the rise. As a result, software development teams must place a higher priority on preventing the injection of vulnerabilities in software as it is developed. Because the focus on software security has increased only recently, software development teams often do not have expertise in techniques for identifying security risk, understanding the impact of a vulnerability, or knowing the best mitigation strategy. We propose the Protection Poker activity as a collaborative and informal form of misuse case development and threat modeling that plays off the diversity of knowledge and perspective of the participants. An excellent outcome of Protection Poker is that security knowledge passed around the team. Students in an advanced undergraduate software engineering course at North Carolina State University participated in a Protection Poker session conducted as a laboratory exercise. Students actively shared misuse cases, threat models, and their limited software security expertise as they discussed vulnerabilities in their course project. We observed students relating vulnerabilities to the business impacts of the system. Protection Poker lead to a more effective software security learning experience than in prior semesters. A pilot of the use of Protection Poker with an industrial partner began in October 2008. The first security discussion structured via Protection Poker caused two requirements to be revised for added security fortification; led to the immediate identification of one vulnerability in the system; initiated a meeting on the prioritization of security defects; and instigated a call for an education session on preventing cross site scripting vulnerabilities.

[1]  Barry W. Boehm,et al.  Software development cost estimation approaches — A survey , 2000, Ann. Softw. Eng..

[2]  Gary Stoneburner,et al.  SP 800-30. Risk Management Guide for Information Technology Systems , 2002 .

[3]  Uma G. Gupta,et al.  Theory and applications of the Delphi technique: A bibliography (1975–1994) , 1996 .

[4]  Kjetil Moløkken-Østvold,et al.  Combining Estimates with Planning Poker--An Empirical Study , 2007, 2007 Australian Software Engineering Conference (ASWEC'07).

[5]  G. Stoneburner,et al.  Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology , 2002 .

[6]  Ian F. Alexander,et al.  On Abstraction in Scenarios , 2002, Requirements Engineering.

[7]  BryantA.,et al.  B. W. Boehm software engineering economics , 1983 .

[8]  Barry W. Boehm,et al.  Software Engineering Economics , 1993, IEEE Transactions on Software Engineering.

[9]  Mike Cohn,et al.  Agile Estimating and Planning , 2005 .

[10]  Nils Christian Haugen An empirical study of using planning poker for user story estimation , 2006, AGILE 2006 (AGILE'06).

[11]  Eugene H. Spafford,et al.  Software vulnerability analysis , 1998 .

[12]  Kent L. Beck,et al.  Extreme programming explained - embrace change, Second Edition , 2005, The XP series.

[13]  Gary McGraw,et al.  Building Secure Software : ソフトウェアセキュリティについて開発者が知っているべきこと , 2006 .

[14]  Sergey M. Avdoshin,et al.  Software risk management , 2011, 2011 7th Central and Eastern European Software Engineering Conference (CEE-SECR).

[15]  John D. Musa,et al.  Software Reliability Engineering: More Reliable Software Faster and Cheaper , 2004 .

[16]  Steve Lipner,et al.  Security development lifecycle , 2010, Datenschutz und Datensicherheit - DuD.

[17]  Diana G. Oblinger,et al.  Educating the Net Generation , 2005 .

[18]  Kent L. Beck,et al.  Extreme programming explained - embrace change , 1990 .

[19]  Gary McGraw,et al.  Software Security: Building Security In , 2006, 2006 17th International Symposium on Software Reliability Engineering.

[20]  JaatunMartin Gilje,et al.  Agile Software Development , 2002, Comput. Sci. Educ..

[21]  Kent Beck,et al.  Extreme Programming Explained: Embrace Change (2nd Edition) , 2004 .