Many of us learn best from games, preferably games that are fun. This section introduces three games, each of which has been devised by security researchers and used in a variety of commercial situations.
All work with agile development techniques, and all three are free to download but need some preparation, so I recommend you take a look before inviting all your colleagues to a session.
First, is our own Agile Security Game. It is the least technical of the three, designed for players of every type and level of technical expertise. Created by people in Security Lancaster to cover app programming and project management, the game has players take on the role of product managers for a secure app product. Players select from a variety of choices which security functionality to implement and find out if their choices foil the attacks. The game requires a coordinator, and needs cards printed out and cut out in advance. We’ve used it in a variety of situations, and players have found it both fun and educational.
You can download full instructions and the game cards with the Developer Security Essentials Workshop Materials, which are available here.
Laurie Williams devised Protection Poker, in which players carry out a risk assessment for a project described in the game. It’s really designed for use within a project as a complement to Extreme Programming’s Planning Game, but Laurie has also provided a presentation with a sample project so that it can be used as an exercise independent of a specific project. Protection Poker is slightly more technical than the game above, but is still suitable for a range of players.
The presentation is here on StickyMinds (which requires a free login). The game details and instructions are at here.
Adam Shostack of Microsoft has given us ‘Elevation of Privilege’. This game’s cards have more professional graphics and it provides a format for a workshop to analyse the threats in one’s own projects. Elevation of Privilege is rather more challenging in terms of technical skill required than the other two games here and uses quite sophisticated security jargon, but would be within the abilities of developers and testers with some software security knowledge.
The game itself was an integral part of Microsoft’s Secure Development Lifecycle (in the days when SDLs were fashionable), so has been widely used. Adam’s book ‘Threat Modelling’ describes the context and explains the technicalities, and you can download the game from Microsoft here.