Communications of the ACM
Cards on the Table: Low-Cost Tool Spots Software Security Flaws During Development Process
North Carolina State University (NCSU) computer security experts have developed Protection Poker, a new risk management tool that helps software developers find security vulnerabilities in their programs early in the development process. Protection Poker asks software development managers to present ideas for new software features or applications to their team of programmers. Members of the software development team are then asked to vote on two questions: how valuable is the data that the feature will be using, and how easy will it be to attack the new feature?
The development team uses a special deck of cards to vote, which allows them to rank the value and vulnerability of the new feature on a scale of one to 100. Everyone on the team reveals their cards simultaneously, and the members who voted the highest and lowest are asked to explain their votes. If one team member has voted significantly higher or lower than the rest of the team they may know something the others do not, or they may be missing a vital piece of information. The process is particularly effective during the planning stage, so potential problems can be identified before any coding takes place.
Lead researcher and NCSU professor Laurie Williams says Protection Poker also is an effective training tool that helps team members share their security knowledge and development process. The research was presented at the recent Engineering Secure Software and Systems Conference in Leuven, Belgium.
From NCSU News
View Full Article
No entries found