protection poker: an agile security game
DESCRIPTION
Each time a new feature is added to a product, developers need to consider the security risk implications, find ways to securely implement the function, and develop tests to confirm that the risk is gone or significantly lowered. Laurie Williams shares a Wideband Delphi practice called Protection Poker she's employed as a collaborative, interactive, and informal agile structure for "misuse case" development and threat modeling. Laurie shares the case study results of a software development team at RedHat that used Protection Poker to identify security risks, find ways to mitigate those risks, and increase security knowledge throughout the team. In this session, Laurie leads an interactive Protection Poker exercise in which you and other participants analyze the security risk of sample new features and learn to collaboratively think like an attacker. Participants will discuss implementation and testing strategies for the sample features to discover first hand the opportunities and challenges a security focus brings to development.TRANSCRIPT
AT3 Concurrent Session 11/8/2012 10:15 AM
"Protection Poker: An Agile Security Game"
Presented by:
Laurie Williams North Carolina State University
Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073 888‐268‐8770 ∙ 904‐278‐0524 ∙ [email protected] ∙ www.sqe.com
Laurie Williams North Carolina State University
A professor of computer science at North Carolina State University, Laurie Williams has been researching agile development methodologies and practices for thirteen years and software security for seven years. She has taught agile courses and coached industrial agile teams at a number of organizations in a variety of domains for the past five years. Laurie is the author of Pair Programming Illuminated; sixty refereed papers on agile software development, test-driven development, and pair programming; and thirty papers on software security.
.
1
Protection Poker: An Agile Security Game
Laurie [email protected]
1Picture from http://www.thevelvetstore.com
Another vote for…
“Everything should be made as simple as possible, but not simpler.”
--Albert Einstein
http://imagecache2.allposters.com/images/pic/CMAG/956-037~Albert-Einstein-Posters.jpg
2
Estimation
Planning Poker
How many engineers?How long?
What is the security risk?
Pictures from http://www.doolwind.com , http://news.cnet.com and http://www.itsablackthang.com/images/Art-Sports/irving-sinclair-the-poker-game.jpg
Protection Poker
Effort Estimation: Planning PokerHow many engineers?How long?
Pictures from http://www.doolwind.com , http://www.legendsofamerica.com/photos-oldwest/Faro2-500.jpg
3
Coming up with the plan
Desired Features
30 story points
6 iterations
5 story points/ iteration
June 10
5
Estimating “dog points”
• Estimate each of the dogs below in dog points, assigning each dog a minimum of 1 dog point and a maximum of 10 dog points10 dog points
• A dog point represents the height of a dog at the shoulder– Labrador retriever– Terrier– Great Dane– Poodle– Dachshund – German shepherd– St. Bernard– Bulldog
6
4
What if?• Estimate each of the dogs below in dog points, assigning
each dog a minimum of 1 dog point and a maximum of 100 dog points100 dog points
• A dog point represents the height of a dog at the shoulder– Labrador retriever– Terrier– Great Dane– Poodle More or less accurate?
Harder or easier?
– Dachshund – German shepherd– St. Bernard– Bulldog
7
More or less time consuming?
Estimating story points
• Estimate stories relative to each otherT i bi– Twice as big
– Half as big– Almost but not quite as big– A little bit bigger
• Only values:– 0 1 2 3 5 8 13 20 40 1000, 1, 2, 3, 5, 8, 13, 20, 40, 100
8
Near term iteration“stories”
A few iterations away“epic”
5
Diversity of opinion is essential!
Vote based on:•Disaggregation•Analogy•Expert opinion
(Subjective) Results of Planning Poker
• Explicit result (<20%):– Effort EstimateEffort Estimate
• Side effects/implicit results (80%+):– Greater understanding of requirement– Expectation setting– Implementation hints– High level design/architecture discussion– Ownership of estimate
6
Security Risk Estimation: Protection Poker
What is the security risk?
http://news.cnet.com and http://swamptour.net/images/ST7PokerGame1.gifhttp://collaboration.csc.ncsu.edu/laurie/Papers/ProtectionPoker.pdf
Software Security Risk Assessment via Protection Poker
7
Computing Security Risk ExposureTraditional Risk Exposure
probability of occurrence
X impact of loss
NIST Security Risk likelihood of threat- X impact of adverse event onNIST Security Risk Exposure
likelihood of threatsource exercising vulnerability
X impact of adverse event on organization
difficulty
enumeration of adversary types
motivation of adversaries
Proposed Security ease of attack X value of assetProposed Security Risk Exposure
ease of attack X value of asset- To organization- To adversary
Value pointsEase points
Memory Jogger
8
Step 1: Calibrate value of database tables (done once)
• Which database table would be least attractive to an attacker?
• Which database table would be most attractive to an attacker?
• Use your planning poker cards to assign relative point values for the “value” of each database table, giving a 1 to the least attractive.
• Circle the database tables in Table 1 and put the value• Circle the database tables in Table 1 and put the value points in the appropriate column.
• There are your “value” endpoints.
Step 2: Calibrate ease of attack for requirements (done once)
• Which requirement adds functionality that will make an attack easiest?
• Which requirement adds functionality that will make attack hardest?
• Use your planning poker cards to assign relative point values for the “ease” of each requirement.
• There are your “ease” endpoints for the rest of the exerciseexercise.
9
Step 3: Compute security risk of requirements (each iteration)
• For each requirement:– Identify database tables used in that requirement ForIdentify database tables used in that requirement. For
each:• Table already have a “value”? Use it.• Table doesn‘t have a “value”? “Poker” a value.
– Record the sum of database table values.– “Poker” a value for ease points. Discuss changes to
implementation that may reduce the ease.– Compute security risk by multiplying value by ease.
Security Risk Assessment
EaseRequirement
Ease Points Value Points Security Risk Ranking
Req 1 1 100 100 3Req 2 5 1 5 6Req 3 5 1 5 6Req 4 20 5 100 3
Sum of asset value (e.g. one 20 and one 40)
Req 4 20 5 100 3Req 5 13 13 169 2Req 6 1 40 40 5Req 7 40 60 2400 1
10
Step 4: Risk Ranking and Discussion (each iteration)
• Rank your risks.• Any surprises? Satisfied with values you• Any surprises? Satisfied with values you
gave?• What plans would you put in place now that
you are more aware of the security risk?
“Diversity of ideas is healthy, and it lends a creativity and drive to the security field that we must take advantage of.”
-- Gary McGraw
Informal discussions of:•Threat models•Misuse cases
11
Attacker mindset
RedHat Case Study
Current software security knowledge PP learn about software security
PP help spread software security knowledge Focus on true software security risks
12
Discussions
# of contributions time talking
(Subjective) Results of Protection Poker
• Explicit result (<20%):– Relative security risk assessment
• Side effects/implicit results (80%+):– Greater awareness understanding of security implications
of requirement• Collaborative threat modeling• Collaborative misuse case development
– Requirements changed to reduce riskq g– Allocation of time to build security into new functionality
“delivered” at end of iteration (appropriate to relative risk)– Knowledge sharing and transfer of security information
13
Group exercise
• Let’s play protection poker!
14
15
Req 1: Emergency ResponderCurrently the only roles in iTrust are licensed health care
professional, unlicensed health care professional (a.k.a secretarial support) administrator and patient The need for another role hassupport), administrator and patient. The need for another role has arisen: emergency responder (ER). An emergency responder is defined as follows: police, fire, emergency medical technicians (EMTs), and other medically trained emergency responders who provide care while at, or in transport from, the site of an emergency. The only capability provided to an ER is access to an emergency report for a patient which provides basic but important information such as: allergies blood type recent short terminformation such as: allergies, blood type, recent short-term diagnoses, long term, chronic illness diagnoses, prescription history, and immunization history. The patient is sent an email to notify them of the viewing of their records by an emergency responder.
Req 2: Find qualified LHCPA patient has just been diagnosed with a condition and wants to
find the licensed health care professionals (LHCPs) in the area h h h dl d th t diti Th ti t h 'Mwho have handled that condition. The patient chooses 'My
Diagnoses” and is presented with a listing of all their own diagnoses, sorted by diagnosis date (more recent first). The patient can select a diagnosis and will be presented with the LHCPs in the patient's living area (based upon the first three numbers of their zip code) who have handled this diagnosis in the last three years. The list is ranked by the quantity of patients the LHCP has treated for that diagnosis (each patient is only counted once regardless of the number of office visits).
16
Req 3: Update diagnosis code table
The American Medical Association has decided that beginning January 1 2013 alldecided that beginning January 1, 2013 all diagnoses must be coded with ICD-10 rather than ICD-9CM. These new codes need to be saved for eventual use by the iTrust application.
Req 4: View access log
A patient can view a listing of the names of licensed health care professionals thatlicensed health care professionals that viewed or edited their medical records and the date the viewing/editing occurred is displayed.
17
For each requirement• Discuss the most sensitive data element involved
(value)E d i t– Endpoints
– Relative values• Discuss whether the new functionality provides
functionality that could make it easier for an attacker to exploit the system (ease)
Endpoints– Endpoints– Relative values
• Using Protection Poker language, which requirement seems the least and most risky and why
http://www.photosofoldamerica.com/webart/large/254.JPGhttp://www.cardcow.com/images/albert-einstein-at-beach-1945-celebrities-28954.jpg
18
Protection Poker Resources
• Williams, L., Meneely, A., and Shipley, G., Protection Poker: The New SoftwareProtection Poker: The New Software Security "Game", IEEE Security and Privacy, Vol. 8, Number 3, May/June 2010, pp. 14-20.
• http://collaboration.csc.ncsu.edu/laurie/Security/ProtectionPoker/