Dec 23, 2015
Page 1:

Let’s Play Poker: Effort and Software Security Risk Estimation in Software Engineering

Laurie Williams, williams@csc.ncsu.edu

Picture from http://www.thevelvetstore.com

Page 2:

Another vote for…

“Everything should be made as simple as possible, but not simpler.”

-- Albert Einstein

Picture from http://imagecache2.allposters.com/images/pic/CMAG/956-037~Albert-Einstein-Posters.jpg

Page 3:

Estimation

Pictures from http://www.doolwind.com, http://news.cnet.com and http://www.itsablackthang.com/images/Art-Sports/irving-sinclair-the-poker-game.jpg

How many engineers? How long?

Planning Poker

What is the security risk?

Protection Poker

Page 4:

Effort Estimation: Planning Poker

Pictures from http://www.doolwind.com and http://www.legendsofamerica.com/photos-oldwest/Faro2-500.jpg

How many engineers? How long?

Page 5:

Historical Effort Estimation

Pictures from http://www.stsc.hill.af.mil/crosstalk/2003/09/0309hirmanpour_f1.gif, http://www.cs.unc.edu/~stotts/145/cocomo4.gif, http://www.timoelliott.com/blog/WindowsLiveWriter/IntestineBasedDecisionMaking_2C89/gut%20feel_1.png, http://www.isr.uci.edu/icse-06/images/keynotes/Boehm.jpg and http://www.rallydev.com/images/mike_photo_color.jpg

Gut feel often based on:
• Disaggregation
• Analogy
• Expert opinion

Page 6:

Coming up with the plan

Desired Features: 30 story points

5 story points/iteration → 6 iterations → June 10

Page 7:

Estimating “dog points”

• Estimate each of the dogs below in dog points, assigning each dog a minimum of 1 dog point and a maximum of 10 dog points

• A dog point represents the height of a dog at the shoulder
  – Labrador retriever
  – Terrier
  – Great Dane
  – Poodle
  – Dachshund
  – German shepherd
  – St. Bernard
  – Bulldog

Page 8:

What if?

• Estimate each of the dogs below in dog points, assigning each dog a minimum of 1 dog point and a maximum of 100 dog points

• A dog point represents the height of a dog at the shoulder
  – Labrador retriever
  – Terrier
  – Great Dane
  – Poodle
  – Dachshund
  – German shepherd
  – St. Bernard
  – Bulldog

More or less accurate?

Harder or easier?

More or less time consuming?

Page 9:

Estimating story points

• Estimate stories relative to each other
  – Twice as big
  – Half as big
  – Almost but not quite as big
  – A little bit bigger

• Only values:
  – 0, 1, 2, 3, 5, 8, 13, 20, 40, 100

Near term iteration: “stories”

A few iterations away: “epic”

Page 10:

Vote based on:
• Disaggregation
• Analogy
• Expert opinion

Diversity of opinion is essential!

Page 11:

Not working as fast as planned?

Desired Features: 30 story points

Planned: 5 story points/iteration → 6 iterations → June 10

Actual: 3 story points/iteration → 10 iterations → July 8

Page 12:

(Subjective) Results of Planning Poker

• Explicit result (<20%):
  – Effort estimate

• Side effects/implicit results (80%+):
  – Greater understanding of the requirement
  – Expectation setting
  – Implementation hints
  – High-level design/architecture discussion
  – Ownership of the estimate

Page 13:

Security Risk Estimation: Protection Poker

Pictures from http://news.cnet.com and http://swamptour.net/images/ST7PokerGame1.gif

What is the security risk?

Page 14:

Software Security Risk Assessment via Protection Poker

Risk matrix: horizontal axis Ease (Difficult to Exploit → Easy to Exploit); vertical axis Value (Low Impact → High Impact); priority runs from Lowest Priority (difficult to exploit, low impact) to Highest Priority (easy to exploit, high impact).

Page 15:

Computing Security Risk Exposure

Traditional Risk Exposure: probability of occurrence X impact of loss

NIST Security Risk Exposure: likelihood of threat-source exercising vulnerability X impact of adverse event on organization
  – difficulty
  – enumeration of adversary types
  – motivation of adversaries

Proposed Security Risk Exposure: ease of attack X value of asset
  – to organization
  – to adversary

Ease points X Value points

Page 16:

Protection Poker Overview

• Calibrate value of “assets”
• Calibrate ease of attack for requirements
• Compute security risk (value, ease) of each requirement
• Security risk ranking and discussion

“Diversity of ideas is healthy, and it lends a creativity and drive to the security field that we must take advantage of.” -- Gary McGraw

Picture from http://farm1.static.flickr.com/203/488795952_9007f93c71.jpg

Page 17:

Informal discussions of:
• Threat models
• Misuse cases

Diversity of devious, attacker thinking is essential!

Page 18:

Memory Jogger

Page 19:

Security Risk Assessment

Value points for a requirement are the sum of the values of the assets it touches (e.g. one 20 and one 40 give 60). Security risk = ease points X value points; ranking is by descending risk, with equal risks sharing a rank.

Requirement   Ease Points   Value Points   Security Risk   Ranking
Req 1             1            100             100            3
Req 2             5              1               5            6
Req 3             5              1               5            6
Req 4            20              5             100            3
Req 5            13             13             169            2
Req 6             1             40              40            5
Req 7            40             60            2400            1
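The risk computation and ranking behind the table above, as an added Python example that is not part of the original slides: the asset names, their calibrated values, and which assets each requirement touches are constructed assumptions chosen so the computed value points, risks and ranks reproduce the slide’s table.

```python
# Added example (not from the original slides): Protection Poker security risk
# assessment as on pages 15 and 19. Ease points and asset values are Planning
# Poker cards; a requirement's value points are the sum of the asset values it
# touches (one 20 and one 40 give 60); risk = ease x value; ranking is by
# descending risk with equal risks sharing a rank, as in the slide's table.
CARD_DECK = {0, 1, 2, 3, 5, 8, 13, 20, 40, 100}

# Constructed asset calibration (hypothetical names/values chosen so that the
# summed value points reproduce the page 19 table).
ASSET_VALUES = {"public-content": 1, "order-data": 5, "customer-pii": 13,
                "payment-tokens": 20, "admin-credentials": 40, "audit-log": 100}

# Constructed requirements: (ease points, assets touched).
REQUIREMENTS = {
    "Req 1": (1, ["audit-log"]),
    "Req 2": (5, ["public-content"]),
    "Req 3": (5, ["public-content"]),
    "Req 4": (20, ["order-data"]),
    "Req 5": (13, ["customer-pii"]),
    "Req 6": (1, ["admin-credentials"]),
    "Req 7": (40, ["payment-tokens", "admin-credentials"]),
}


def value_points(assets, asset_values=ASSET_VALUES):
    """Sum the calibrated values of the assets; each must be a deck card."""
    total = 0
    for asset in assets:
        value = asset_values[asset]
        if value not in CARD_DECK:
            raise ValueError(f"asset {asset!r}: value {value} is not a card")
        total += value
    return total


def assess(requirements, asset_values=ASSET_VALUES):
    """One row per requirement, ordered by security risk ranking (1 = highest)."""
    rows = []
    for name, (ease, assets) in requirements.items():
        if ease not in CARD_DECK:
            raise ValueError(f"{name}: ease {ease} is not a card")
        value = value_points(assets, asset_values)
        rows.append({"requirement": name, "ease": ease,
                     "value": value, "risk": ease * value})
    for row in rows:  # competition ranking: equal risks share a rank
        row["rank"] = 1 + sum(r["risk"] > row["risk"] for r in rows)
    return sorted(rows, key=lambda r: (r["rank"], r["requirement"]))
```

Rejecting an ease or asset value that is not on the card deck keeps the session honest about the relative (not absolute) nature of the estimates.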

Page 20:

Academic Trial

• 50 students in undergraduate software engineering course

1. Security cannot be obtained through obscurity alone.

2. Never trust your input.

3. Know your system.

4. Know common exploits.

5. Know how to test for vulnerabilities.

Page 21:

Industrial Trial

• Active participation by all on-site team members
• Requirements revised for added security fortification
• Cross-site scripting vulnerability found on the spot
• Expressed need for education on cross-site scripting
• Expressed need for governance to prioritize security fortification
• Increased awareness of necessary security testing

Page 22:

Survey chart: “Protection Poker focuses discussion on what you feel are the true security risk issues”. X axis: 1 (missing key issues) to 5 (key issues discussed); Y axis: % respondents (0 to 60); series: Post Tutorial, After two sessions.

Page 23:

Survey chart: “Rate your software security knowledge”. X axis: 1 (low) to 5 (high); Y axis: % respondents (0 to 60); series: Post Tutorial, After two sessions.

Page 24:

Survey chart: “Protection Poker will help spread security knowledge throughout your team”. X axis: 1 (not likely) to 5 (great potential); Y axis: % respondents (0 to 45); series: Post Tutorial, After two sessions.

Page 25:

Survey chart: “Protection Poker will help you learn about software security”. X axis: 1 (not much) to 5 (great potential); Y axis: % respondents (0 to 45); series: Post Tutorial, After two sessions.

Page 26:

(Subjective) Results of Protection Poker

• Explicit result (<20%):
  – Relative security risk assessment

• Side effects/implicit results (80%+):
  – Greater awareness and understanding of the security implications of a requirement
    • Collaborative threat modeling
    • Collaborative misuse case development
  – Requirements changed to reduce risk
  – Allocation of time to build security into new functionality “delivered” at the end of the iteration (appropriate to relative risk)
  – Knowledge sharing and transfer of security information

Page 27:

Pictures from http://www.photosofoldamerica.com/webart/large/254.JPG and http://www.cardcow.com/images/albert-einstein-at-beach-1945-celebrities-28954.jpg