Shostack + Friends Blog Archive


Protection Poker

Listening to Gary McGraw’s Silver Bullet #33, Laurie Williams mentioned protection poker.

Protection poker, like planning poker [link to http://radio.javaranch.com/lasse/2008/04/22/1208837097457.html no longer works], isn’t really poker. Planning poker is a planning exercise, designed to avoid certain common pitfalls of other approaches to planning. The idea behind protection poker is to be an “informal form of misuse case development and threat modeling that plays off the diversity of knowledge and perspectives of the participants.”

I really like informal approaches to threat modeling, especially where there’s a somewhat knowledgeable group of players. (The draft title of this was “putting the fun back in threat modeling.”) Most people have some informal thoughts about what might go wrong with a system they’re building. This sense is probably strongest with those with the right orientation (“security mindedness”) but it can be enhanced with either training or a methodology. Yoshi Kohno is working on teaching the orientation. To the extent that we can better extract implicit knowledge, or make the training or process more fun, we’ll get more secure systems.

There’s a tutorial, and a paper, Williams, L., Gegick, M., and Meneely, A., Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer, International Symposium on Engineering Secure Software and Systems (ESSoS) 2009, Leuven, Belgium.
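To make the "informal threat modeling with a diverse group" idea concrete, here is an added example, not from the post or from the Williams et al. paper, that models one round of Protection Poker scoring. It follows the paper's core rule (a requirement's security risk is its ease-of-attack estimate multiplied by the value of the assets it touches), but the card deck, the team, the assets, the requirements and the votes are all constructed for illustration, and it resolves disagreement by taking the median vote rather than by the discuss-and-revote step the real game uses:

```python
from __future__ import annotations
from dataclasses import dataclass
from statistics import median

# Planning-poker-style card deck. The exact values are an assumption of this
# example; Protection Poker uses a similar Fibonacci-like scale.
CARD_DECK = (1, 2, 3, 5, 8, 13, 20, 40, 100)


def snap_to_card(value: float) -> int:
    """Round an arbitrary estimate to the nearest legal card value."""
    return min(CARD_DECK, key=lambda card: abs(card - value))


def consensus(votes: dict[str, int]) -> tuple[int, bool]:
    """Collapse one round of votes to a single card.

    Returns (card, unanimous). The real game resolves disagreement by having
    the highest and lowest voters explain their reasoning and re-voting;
    taking the median is a simplification so this example is deterministic.
    """
    for vote in votes.values():
        if vote not in CARD_DECK:
            raise ValueError(f"{vote} is not a card in the deck")
    values = list(votes.values())
    return snap_to_card(median(values)), len(set(values)) == 1


@dataclass
class Requirement:
    name: str
    assets: tuple[str, ...]       # assets this feature reads or writes
    ease_votes: dict[str, int]    # participant -> ease-of-attack card


def value_assets(asset_votes: dict[str, dict[str, int]]) -> dict[str, int]:
    """Agree on a value card for every asset the team identified."""
    return {asset: consensus(votes)[0] for asset, votes in asset_votes.items()}


def risk_score(req: Requirement, asset_values: dict[str, int]) -> int:
    """Security risk = ease of attack x total value of assets touched."""
    ease, _ = consensus(req.ease_votes)
    return ease * sum(asset_values[asset] for asset in req.assets)


def rank_requirements(reqs: list[Requirement],
                      asset_values: dict[str, int]) -> list[tuple[str, int]]:
    """Highest-risk requirements first; these get security attention first."""
    scored = [(req.name, risk_score(req, asset_values)) for req in reqs]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample session: four participants with different perspectives.
TEAM = ("dev", "tester", "ops", "security")

ASSET_VOTES = {
    "customer PII table": dict(zip(TEAM, (100, 100, 40, 100))),
    "session cache":      dict(zip(TEAM, (8, 13, 5, 8))),
    "public catalog":     dict(zip(TEAM, (1, 2, 1, 1))),
}

REQUIREMENTS = [
    Requirement("Export customer list to CSV", ("customer PII table",),
                dict(zip(TEAM, (3, 5, 5, 8)))),
    Requirement("Add product filter to search", ("public catalog",),
                dict(zip(TEAM, (13, 20, 13, 8)))),
    Requirement("Remember-me login token", ("session cache", "customer PII table"),
                dict(zip(TEAM, (8, 3, 5, 5)))),
]


def play_round() -> list[tuple[str, int]]:
    """Run the constructed session end to end and return the ranking."""
    return rank_requirements(REQUIREMENTS, value_assets(ASSET_VOTES))


if __name__ == "__main__":
    for name, score in play_round():
        print(f"{score:5d}  {name}")
```

The interesting output is not the numbers but the disagreements: the `unanimous` flag from `consensus` marks exactly the votes where the "diversity of knowledge" the post praises shows up, and those are the estimates worth a few minutes of conversation before the team commits to the ranking.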

4 comments on "Protection Poker"

  • Minisastigesk says:

    ??: ++

  • Arthur says:

    How does Protection Poker compare/contrast with the discussions that happen during the threat modeling process?

  • naifnakita poker says:

    Playing poker online can be very fun and exciting and if you enjoy playing poker online you may also be interested in playing in poker tournaments that are offered online as well.

  • seoelite says:

    Thank you. I read here lots of valuable sentences. Greetings from Poland.

Comments are closed.