Let's Play Poker: Effort and Software Security Risk Estimation in Software Engineering
Laurie
Another vote for…
“Everything should be made as simple as possible, but not simpler.”
--Albert Einstein
Estimation
How many engineers? How long?
What is the security risk?
Planning Poker
Protection Poker
Effort Estimation: Planning Poker
How many engineers? How long?
Historical Effort Estimation
Gut feel, often based on:
• Disaggregation
• Analogy
• Expert opinion
Coming up with the plan
Desired features: 30 story points
At 5 story points / iteration: 6 iterations, finishing June 10
Estimating “dog points”
• Estimate each of the dogs below in dog points, assigning each dog a minimum of 1 dog point and a maximum of 10 dog points
• A dog point represents the height of a dog at the shoulder
– Labrador retriever
– Terrier
– Great Dane
– Poodle
– Dachshund
– German shepherd
– St. Bernard
– Bulldog
What if?
• Estimate each of the dogs below in dog points, assigning each dog a minimum of 1 dog point and a maximum of 100 dog points
• A dog point represents the height of a dog at the shoulder
– Labrador retriever
– Terrier
– Great Dane
– Poodle
– Dachshund
– German shepherd
– St. Bernard
– Bulldog
More or less accurate?
Harder or easier?
More or less time consuming?
Estimating story points
• Estimate stories relative to each other
– Twice as big
– Half as big
– Almost but not quite as big
– A little bit bigger
• Only values: 0, 1, 2, 3, 5, 8, 13, 20, 40, 100
Near-term iteration: "stories"
A few iterations away: "epic"
Not working as fast as planned?
Desired features: 30 story points
Planned: 5 story points / iteration, 6 iterations, finishing June 10
Actual: 3 story points / iteration, 10 iterations, finishing July 8
(Subjective) Results of Planning Poker
• Explicit result (<20%):
– Effort estimate
• Side effects / implicit results (80%+):
– Greater understanding of the requirement
– Expectation setting
– Implementation hints
– High-level design/architecture discussion
– Ownership of the estimate
Security Risk Estimation: Protection Poker
What is the security risk?
[Figure: risk matrix. Horizontal axis "Ease", from Difficult to Exploit to Easy to Exploit; vertical axis "Value", from Low Impact to High Impact. Easy to exploit and high impact is Highest Priority; difficult to exploit and low impact is Lowest Priority.]
Software Security Risk Assessment via Protection Poker
Computing Security Risk Exposure
Traditional risk exposure:
probability of occurrence X impact of loss
NIST security risk exposure:
likelihood of threat-source exercising vulnerability X impact of adverse event on organization
(likelihood considers difficulty, enumeration of adversary types, motivation of adversaries)
Proposed security risk exposure:
ease of attack X value of asset (to the organization, to the adversary)
i.e. Ease points X Value points
Protection Poker Overview
• Calibrate value of "assets"
• Calibrate ease of attack for requirements
• Compute security risk (value X ease) of each requirement
• Security risk ranking and discussion
“Diversity of ideas is healthy, and it lends a creativity and drive to the security field that we must take advantage of.” -- Gary McGraw
Informal discussions of:
• Threat models
• Misuse cases
Diversity of devious, attacker thinking is essential!
Value points of a requirement = sum of the value points of the assets it touches (e.g. one asset worth 20 and one worth 40 gives 60)
Security Risk Assessment (Security Risk = Ease Points X Value Points; tied scores share a ranking)

Requirement | Ease Points | Value Points | Security Risk | Ranking
Req 1 | 1 | 100 | 100 | 3
Req 2 | 5 | 1 | 5 | 6
Req 3 | 5 | 1 | 5 | 6
Req 4 | 20 | 5 | 100 | 3
Req 5 | 13 | 13 | 169 | 2
Req 6 | 1 | 40 | 40 | 5
Req 7 | 40 | 60 | 2400 | 1
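The scoring step above is small enough to script. The following is an added example, not a tool from the deck or its author: it applies the deck's formula (security risk = ease points x value points, with a requirement's value being the sum of the value points of every asset it touches), rejects estimates that are not Planning Poker card values, and ranks the requirements so that tied scores share a ranking, exactly as the table does. The asset names are invented; the point values reproduce the table.

```python
"""Protection Poker risk scoring and ranking (added illustration, not the deck's code)."""
from dataclasses import dataclass

# The Planning Poker card values the deck allows for both ease and asset value.
CARD_VALUES = (0, 1, 2, 3, 5, 8, 13, 20, 40, 100)


def is_card_value(points: int) -> bool:
    """True if a calibrated estimate is one of the allowed card values."""
    return points in CARD_VALUES


@dataclass
class Requirement:
    name: str
    ease: int       # calibrated ease-of-attack points for this requirement
    assets: dict    # asset name -> calibrated value points of that asset

    def __post_init__(self) -> None:
        # Reject off-scale estimates early: the team must play a card, not pick a number.
        if not is_card_value(self.ease):
            raise ValueError(f"{self.name}: ease {self.ease} is not a card value")
        for asset, value in self.assets.items():
            if not is_card_value(value):
                raise ValueError(f"{self.name}: asset {asset!r} value {value} is not a card value")

    @property
    def value(self) -> int:
        """Value points: sum over the assets the requirement touches (e.g. 20 + 40 = 60)."""
        return sum(self.assets.values())

    @property
    def risk(self) -> int:
        """Security risk exposure = ease of attack x value of asset."""
        return self.ease * self.value


def rank_requirements(reqs):
    """Return rows (name, ease, value, risk, ranking), highest risk first.

    Ties share the ranking of their first position (1, 2, 3, 3, 5, ...), matching
    the deck's table; sorted() is stable, so tied rows keep their input order.
    """
    ordered = sorted(reqs, key=lambda r: r.risk, reverse=True)
    rows = []
    ranking = 0
    previous_risk = None
    for position, r in enumerate(ordered, start=1):
        if r.risk != previous_risk:
            ranking = position
            previous_risk = r.risk
        rows.append((r.name, r.ease, r.value, r.risk, ranking))
    return rows


def format_table(rows) -> str:
    """Render the ranking in the same column order as the deck's table."""
    lines = [f"{'Requirement':<12}{'Ease':>6}{'Value':>7}{'Risk':>7}{'Ranking':>9}"]
    for name, ease, value, risk, ranking in rows:
        lines.append(f"{name:<12}{ease:>6}{value:>7}{risk:>7}{ranking:>9}")
    return "\n".join(lines)


# Constructed sample reproducing the deck's seven requirements (asset names invented).
SAMPLE = [
    Requirement("Req 1", ease=1, assets={"customer records": 100}),
    Requirement("Req 2", ease=5, assets={"public catalogue": 1}),
    Requirement("Req 3", ease=5, assets={"help text": 1}),
    Requirement("Req 4", ease=20, assets={"user preferences": 5}),
    Requirement("Req 5", ease=13, assets={"order history": 13}),
    Requirement("Req 6", ease=1, assets={"payment tokens": 40}),
    Requirement("Req 7", ease=40, assets={"session store": 20, "admin config": 40}),
]

if __name__ == "__main__":
    print(format_table(rank_requirements(SAMPLE)))
```

Running it prints the seven rows in the deck's order (Req 7 first with 2400, Req 2 and Req 3 last sharing ranking 6). The validation in `__post_init__` is the part worth keeping in a real backlog tool: an ease or value estimate that is not a card value usually means someone typed a number instead of playing the round, which defeats the calibration discussion the technique depends on.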
Academic Trial
• 50 students in undergraduate software engineering course
1. Security cannot be obtained through obscurity alone.
2. Never trust your input.
3. Know your system.
4. Know common exploits.
5. Know how to test for vulnerabilities.
Industrial Trial
• Active participation by all on-site team members
• Requirements revised for added security fortification
• Cross-site scripting vulnerability found on the spot
• Expressed need for education on cross-site scripting
• Expressed need for governance to prioritize security fortification
• Increased awareness of necessary security testing
[Charts: participant survey, % of respondents answering each point on a 1-5 scale, post-tutorial vs after two sessions, for four statements:]
• "Protection Poker focuses discussion on what you feel are the true security risk issues" (1 = missing key issues ... 5 = key issues discussed)
• "Rate your software security knowledge" (1 = low ... 5 = high)
• "Protection Poker will help spread security knowledge throughout your team" (1 = not likely ... 5 = great potential)
• "Protection Poker will help you learn about software security" (1 = not much ... 5 = great potential)
(Subjective) Results of Protection Poker
• Explicit result (<20%):
– Relative security risk assessment
• Side effects / implicit results (80%+):
– Greater awareness and understanding of the security implications of a requirement
• Collaborative threat modeling
• Collaborative misuse case development
– Requirements changed to reduce risk
– Allocation of time to build security into new functionality "delivered" at the end of the iteration (appropriate to relative risk)
– Knowledge sharing and transfer of security information