Security tactics selection poker (TaSPeR): a card game to select security tactics to satisfy security requirements

Building secure software architectures requires several design decisions to achieve security requirements; these decisions must be reviewed carefully before agreement, given their impact on system vulnerability and mission-readiness. Architects customarily make these decisions by drawing upon specialized knowledge such as architectural tactics for security; developers also hold key information on the actual performance of platforms and tools, but their input may not be systematically considered for this purpose. This article presents Security Tactics Selection Poker (TaSPeR), a card-game-based, consensus-building technique (derived from Planning Poker) that allows development team members to identify, argue for, and choose among architectural security tactics according to objectives and priorities. We conducted an experimental process involving twenty-one practitioners from a security software unit to assess the technique's effectiveness in several scenarios. Initial results show that TaSPeR (1) supports collaborative architectural decision-making, (2) encourages stakeholder participation, and (3) starts a group dynamic on how to act against threats. Thus, the use of gamification techniques for architecture evaluation seems to be a promising approach that deserves further exploration.
