protection poker a game for risk estimation
play

PROTECTION POKER - A GAME FOR RISK ESTIMATION Martin Gilje Jaatun - PowerPoint PPT Presentation

Oct 18, 2023 •414 likes •683 views

PROTECTION POKER - A GAME FOR RISK ESTIMATION Martin Gilje Jaatun ( Yaw-toon) @seniorfrosk Based on the original game by Laurie Williams, NCSU Efficient and effective software security = risk based software security Impossible to

  1. PROTECTION POKER - A GAME FOR RISK ESTIMATION Martin Gilje Jaatun ( Yaw-toon) @seniorfrosk Based on the original game by Laurie Williams, NCSU

  2. Efficient and effective software security = risk based software security • Impossible to prevent all security flaws and vulnerabilities • Limited resources – time, money, expertise • Most important to prevent, detect and remove flaws and vulnerabilities with high risk: • Can easily be exploited by attackers • May impact important assets 2 @seniorfrosk @seniorfrosk

  3. What is Protection Poker? • Risk estimation in agile development teams - Originally by Laurie Williams, NCSU - Based on Planning Poker (effort estimation) • Performed in the beginning of every iteration, by the full team • Goal: Rank the security risk of the features to be implemented in the iteration - Ensure common understanding in the team on the need for security in this iteration – and in general 3 @seniorfrosk @seniorfrosk

  4. Exposure Hard to Easy to Risk = value x exposure exploit exploit High High value priority Asset • Exposure: Low Low value priority • Does it increase the attack surface? • What competence is needed to exploit this functionality? • What type of access to assets can be achieved (confidentiality, integrity, availability)? • Value of assets: • What data is "touched upon" by the functionality? • Value of the assets for the organisation/customers/users? • Value for an attacker? risk = (the total value of all assets that could be exploited with a successful attack) × (the exposure) 4 @seniorfrosk @seniorfrosk

  5. Complex/decomposable Interlude: Task/process Data Flow Diagrams Entity/user • Useful to get overview • To understand the system's Data flows attack surface • Trust boundaries Data store • How data flows in the system Boundary 5 @seniorfrosk

  6. High-level description – A college library site User / Web Server Boundary Authenticate User Login Request Web Login Users Authenticate User Process Servlet Login Response Result Authenticate User SQL Web Server / Query Database Boundary Authenticate User SQL Pages Query Result Data Web pages College Database files Library Database 6 Data @seniorfrosk @seniorfrosk Case and data flow diagram inspired by https://www.owasp.org/index.php/Application_Threat_Modeling

  7. Example of new feature • The students can make a request for a new book • NB: If you have many small features, consider grouping • Assets (just a few examples!) them (e.g. as use cases) • Authentication credentials (login details) • Personal data • Webpages • Login session • Audit data • SQL queries • … 7 @seniorfrosk @seniorfrosk

  8. We play (at least) two rounds • Value - For every asset the feature/requirement "touches" • Exposure NB: Consensus! 8 @seniorfrosk @seniorfrosk

  9. First: Value of asset "Authentication credentials" 9 @seniorfrosk @seniorfrosk

  10. Let the game begin! Asset: Credentials 10 @seniorfrosk

  11. Show your hand! Asset: Credentials Authentication credentials are pretty much the A password gone most important walkabout is hardly thing we have? a crisis, there are other mechanisms that can prevent misuse 11 @seniorfrosk

  12. Play again! (same asset) Asset: Credentials 12 @seniorfrosk

  13. Show your hand! Asset: Credentials 13 @seniorfrosk

  14. (We skip the rest of the assets…) Now: Exposure of feature "Order book" 14 @seniorfrosk

  15. Then play on! Exposure "Order book" 15 @seniorfrosk

  16. Show cards! Exposure "Order book" It's a functionality available from the internet, even though access is All you can do is restricted request a book, what could possibly go wrong? 16 @seniorfrosk

  17. New vote! Exposure "Order book" 17 @seniorfrosk

  18. Show cards! Exposure "Order book" 18 @seniorfrosk

  19. Sum assets feature #1 # Asset Value 1 Authentication credentials 80 2 Personal data 100 3 Webpages 50 4 Login session 80 5 Audit data 90 6 SQL queries 10 SUM 410 19 @seniorfrosk

  20. Result # Requirement/feature Exposure ∑ value Risk Rank assets 1 Order book 50 410 20500 1 2 … 3 … 4 Coffe break warning 10 10 100 5 5 Add Admin user 100 150 15000 2 20 @seniorfrosk

  21. Calibration • Note: The risk of a requirement is compared to that of other requirements in the same project • It's all relative! • The first time one plays Protection Poker, it is recommended to do a calibration to set the end-points of the scale used. • Which assets have highest/lowest value? • Which features increase exposure the most/least? 21 @seniorfrosk @seniorfrosk

  22. Calibration – University Library Add admin Coffee break • Exposure user alert Low Medium High • Asset value General Personal library info Data 22 @seniorfrosk

  23. A practical tip on playing • Keep your friends close, and your cards closer! • Don't throw your cards in the ring… • In the discussion phase, you need to remember who bid what • … and you need your OWN 23 card back for the next round! @seniorfrosk @seniorfrosk

  24. Good luck! http://www.sintef.no/protection-poker http://www.sintef.no/sos-agile 24 @seniorfrosk @seniorfrosk

  25. Technology for a better society

Recommend

Opponent Modelling in Poker Mentor: Prof. Amitabha Mukharjee SOURAJ MISRA AYUSH JAIN Poker and

Opponent Modelling in Poker Mentor: Prof. Amitabha Mukharjee SOURAJ MISRA AYUSH JAIN Poker and

Opponent Modelling in Poker Mentor: Prof. Amitabha Mukharjee SOURAJ MISRA AYUSH JAIN Poker and AI Ideal for testing automated reasoning under uncertainty Game of luck and Skills Game of Imperfect Information Unpredictable Opponent

151 views • 13 slides
Agile Estimation (Planning Poker) No plan survives contact with the enemy Field Marshal

Agile Estimation (Planning Poker) No plan survives contact with the enemy Field Marshal

Agile Estimation (Planning Poker) No plan survives contact with the enemy Field Marshal Helmuth Graf von Moltke Prussia (later Germany) Years of service: 1822-1888 Project Planning Basic Questions 1. What am I getting ? 2. When

255 views • 11 slides
Planning Poker SWEN-261 Introduction to Software Engineering Department of Software Engineering

Planning Poker SWEN-261 Introduction to Software Engineering Department of Software Engineering

Planning Poker SWEN-261 Introduction to Software Engineering Department of Software Engineering Rochester Institute of Technology Planning poker is an estimation technique that provides detail during the Sprint Planning activity. Product

311 views • 6 slides
EARTHQUAKE LOSS ESTIMATION AND RISK EARTHQUAKE LOSS ESTIMATION AND RISK ASSESSMENT METHODOLOGY

EARTHQUAKE LOSS ESTIMATION AND RISK EARTHQUAKE LOSS ESTIMATION AND RISK ASSESSMENT METHODOLOGY

Universidade do Minho Departamento de Engenharia Civil SEMINAR AND LUNCH ON EARTHQUAKE ENGINEERING AND HISTORIC MASONRY July 12, 2010 EARTHQUAKE LOSS ESTIMATION AND RISK EARTHQUAKE LOSS ESTIMATION AND RISK ASSESSMENT METHODOLOGY FROM CONCEPT

798 views • 67 slides
Introduction to game theory Introduction to game theory Jie Gao Computer Science Department

Introduction to game theory Introduction to game theory Jie Gao Computer Science Department

Introduction to game theory Introduction to game theory Jie Gao Computer Science Department Stony Brook University Game theory Game theory How selfish agents interact. Chess, poker: both parties want to win. Traditionally

818 views • 50 slides
Architectural Complexity Lessons from the bwin P5 Poker System Presented by: Henrik Henke

Architectural Complexity Lessons from the bwin P5 Poker System Presented by: Henrik Henke

Architectural Complexity Lessons from the bwin P5 Poker System Presented by: Henrik Henke Lagercrantz & Gerold Cactus Kathan QCon London 2010, March 10 2010 Online Poker Functional Requirements in the Poker domain are well-

1.15k views • 90 slides
Risk estimation in high- risk patients . . in everybody!? Nationale Lipidendag 17

Risk estimation in high- risk patients . . in everybody!? Nationale Lipidendag 17

Risk estimation in high- risk patients . . in everybody!? Nationale Lipidendag 17 mei 2018 Frank L.J. Visseren Disclosures ZonMw, Wellerdieck-de Goede fonds, Research Leatare foundation, Vrienden UMC Utrecht, Dutch Heart

920 views • 55 slides
EMPOWERING THE COMMUNITY TO HAVE THEIR SAY ON POKER MACHINES Dr Susan Rennie Project aim

EMPOWERING THE COMMUNITY TO HAVE THEIR SAY ON POKER MACHINES Dr Susan Rennie Project aim

EMPOWERING THE COMMUNITY TO HAVE THEIR SAY ON POKER MACHINES Dr Susan Rennie Project aim Ensure that all communities are empowered to have a voice in planning matters relevant to the placement of poker machines and other gambling venues

139 views • 10 slides
Game e Ch Changer nger in in Managing ing Ca Cari ries s in in Hig igh-Risk Risk Pop

Game e Ch Changer nger in in Managing ing Ca Cari ries s in in Hig igh-Risk Risk Pop

Sil ilver er Dia iamin ine e Fluoride ride: : A Game e Ch Changer nger in in Managing ing Ca Cari ries s in in Hig igh-Risk Risk Pop opulatio ulations? ns? Scott ott L. Tomar mar, , DMD MD, , DrPH PH University of

775 views • 49 slides
Detection and Estimation Theory Lecture 13 Mojtaba Soltanalian- UIC msol@uic.edu

Detection and Estimation Theory Lecture 13 Mojtaba Soltanalian- UIC msol@uic.edu

Detection and Estimation Theory Lecture 13 Mojtaba Soltanalian- UIC msol@uic.edu http://msol.people.uic.edu Based on ECE 531 Slides- 2011 (Prof. Natasha Devroye) Bayesian Estimation -- Summary Bayesian Risk From Bayesian Risk to Estimation

885 views • 21 slides
Distributed Planning Poker Integrating IBM Rational Team Concert and Google Wave for distributed

Distributed Planning Poker Integrating IBM Rational Team Concert and Google Wave for distributed

Distributed Planning Poker Integrating IBM Rational Team Concert and Google Wave for distributed effort estimation Florian Georg florian.georg@ch.ibm.com Jrg Mller joerg.moeller@de.ibm.com Stefan Hufnagl hufnagl@de.ibm.com IBM Software

534 views • 36 slides
the EU Study to develop and test a methodology for FGM risk estimation in selected EU Member

the EU Study to develop and test a methodology for FGM risk estimation in selected EU Member

Estimating the risk of female genital mutilation in the EU Study to develop and test a methodology for FGM risk estimation in selected EU Member States Main Objective Estimate the number of girls living in 3 EU Member States who are at risk

685 views • 40 slides
Probability and Risk CS 4730 Computer Game Design

Probability and Risk CS 4730 Computer Game Design

Probability and Risk CS 4730 Computer Game Design Credit: Several slides from Walker White (Cornell) CS 4730 Quick Recap The game state

418 views • 28 slides
Probability and Risk CS 4730 Computer Game Design

Probability and Risk CS 4730 Computer Game Design

Probability and Risk CS 4730 Computer Game Design Credit: Several slides from Walker White (Cornell) CS 4730 Quick Recap The game state

625 views • 27 slides
Topics in U-statistics and Risk Estimation Qing Wang and Bruce G. Lindsay March 17, 2011 Qing

Topics in U-statistics and Risk Estimation Qing Wang and Bruce G. Lindsay March 17, 2011 Qing

Outline Introduction Unbiased Variance Estimator Implementation in Risk Estimation Future Work Reference Topics in U-statistics and Risk Estimation Qing Wang and Bruce G. Lindsay March 17, 2011 Qing Wang and Bruce G. Lindsay Department of

287 views • 26 slides
Software Risk Assessment: Fuzzy Logic Approach to Risk Estimation (FLARE) Presented by:

Software Risk Assessment: Fuzzy Logic Approach to Risk Estimation (FLARE) Presented by:

UNCLASSIFIED Presented to: International System Safety Society Software Risk Assessment: Fuzzy Logic Approach to Risk Estimation (FLARE) Presented by: DISTRIBUTION STATEMENT B: Distribution authorized to U.S. Government Agencies and their

1.17k views • 46 slides
Who wins and how? Sasha Rubin Cornell REU 2009 Traditional Game Theory von Neumann,

Who wins and how? Sasha Rubin Cornell REU 2009 Traditional Game Theory von Neumann,

Who wins and how? Sasha Rubin Cornell REU 2009 Traditional Game Theory von Neumann, Morgenstern, Nash, ... focus on incomplete information eg. Poker Q. How should a player behave to maximise payoff? A. Use randomness in strategies. eg.

694 views • 24 slides
Richard Gibson Ph.D. Thesis Presentation December 6, 2013 Computer Poker Research Group Heads

Richard Gibson Ph.D. Thesis Presentation December 6, 2013 Computer Poker Research Group Heads

Regret Minimization in Games and the Development of Champion Multiplayer Computer Poker Agents Richard Gibson Ph.D. Thesis Presentation December 6, 2013 Computer Poker Research Group Heads Up Limit Texas Hold'em Source: ebaumsworld.com

1.29k views • 84 slides
Volunteer Recruitment Risk Management TEAM CHARLIE 2 CIVIL PROTECTION CIVIL PROTECTION First

Volunteer Recruitment Risk Management TEAM CHARLIE 2 CIVIL PROTECTION CIVIL PROTECTION First

Workshop Volunteer Management Volunteer Recruitment Risk Management TEAM CHARLIE 2 CIVIL PROTECTION CIVIL PROTECTION First responders Rescue services Org. Volunteers Citizens, Family R&D, Business Authorities persons, animals,

1.18k views • 45 slides
e-Bug Junior Game Junior Game Game Style Game Process Demo Game Mechanics and

e-Bug Junior Game Junior Game Game Style Game Process Demo Game Mechanics and

e-Bug Junior Game Junior Game Game Style Game Process Demo Game Mechanics and Learning Outcomes Feedback to date and evaluation plans Game Style Game style encompasses two genres of game o Platform game fast action

575 views • 22 slides
Policy Discussion #7 Risk Management and Protection of Human Health Outline Introduction:

Policy Discussion #7 Risk Management and Protection of Human Health Outline Introduction:

Policy Discussion #7 Risk Management and Protection of Human Health Outline Introduction: AWQC for protection of public health Exposure to noncarcinogenic chemicals; relative source contribution Risk from exposure to carcinogens

279 views • 25 slides
e-Bug Senior Game Senior Game Game Style Game Process Demo Game Puzzles and

e-Bug Senior Game Senior Game Game Style Game Process Demo Game Puzzles and

e-Bug Senior Game Senior Game Game Style Game Process Demo Game Puzzles and Learning Outcomes Feedback to date and evaluation plans Game Style Game is a detective game where the player investigates microbial problems.

572 views • 19 slides
2-7 Triple Draw Poker: With Learning Nikolai Yakovenko 2/18/15 EE6894 Deep Learning Class

2-7 Triple Draw Poker: With Learning Nikolai Yakovenko 2/18/15 EE6894 Deep Learning Class

2-7 Triple Draw Poker: With Learning Nikolai Yakovenko 2/18/15 EE6894 Deep Learning Class Overview Problem: learn strategy to play 2-7 triple draw poker Data: play against existing C-lang program that plays pretty good & really

490 views • 13 slides
Risk-parameter estimation in volatility models Christian Francq Jean-Michel Zakoan CREST and

Risk-parameter estimation in volatility models Christian Francq Jean-Michel Zakoan CREST and

Conditional risk in volatility models Risk parameter in volatility models Estimating the risk parameter Risk-parameter estimation in volatility models Christian Francq Jean-Michel Zakoan CREST and University Lille 3, France SFdS-JdS 2013,

1.28k views • 81 slides

More recommend