Shostack + Friends Blog


Elevation of Defenses

Using games to help us explore engineering techniques Soldiers building an emergency levee

Once a month or so, I run an Elevation of Privilege session with Agile Stationery. We spend 90 minutes playing the game, talking about threat modeling, how to introduce it, and showing how to make it work.

One of the reasons I do it is that I learn from the participants, and in a recent session for a bank, I got a new perspective on scoring that I want to share.

Kit M. asked “can we give a point for coming up with a defense?” First: heck yes. You can give points for whatever you want. And you should give points in ways that reward the behaviors you want to see. So, giving a point for a defense is good, and makes me wonder: is the game too focused on offense? Is there a variant where you get points for coming up with threats that are already blocked by the defenses that software engineers have built and tested? Maybe that's a team variant, and we could do something like...

  • Discovering a threat: 1 point
  • Noting a potential defense: 1 point
  • Noting an implemented defense: 2 points
  • Discovering a variant of the threat that bypasses the defense: 1 point
  • Explaining how an implemented defense prevents the variant: 3 points

Games are an important tool for engineering — they open the door to playful exploration of possibilities. When playing, we choose to move into a space where we arbitrarily limit ourselves with a set of rules. (Soccer is way easier if you pick up the ball with your hands, but we agree in playing soccer not to do that.) A correlate is that we know we're there to have fun, and it's ok to make suggestions like “what if we change the rules?”

You can play with your team, you can join an open session, and we do private sessions - get in touch.

Photo: US Army Corps of Engineers.