Threat Poker: Gamification of Secure Agile

Agile software development is practiced in most software development projects around the world. Explicitly considering and including security requirements as part of agile software development is referred to as ‘secure agile’. Including security naturally requires additional time and effort, potentially at the cost of reduced agility. To maintain agility, it is therefore important to have efficient methods for including security in the development process. In this study, we describe enhancements to Threat Poker, a game designed for the software development team to deal with security threats identified during the agile development project. Games can be valuable educational tools for actively engaging students and practitioners alike. An experiment with students indicates that playing Threat Poker increases security awareness, and that it is a fun and simple way to discuss identified security threats and how to remove security vulnerabilities during the software development process.
