Researchers at NC State have developed a new practice called Protection Poker. This interactive tabletop process lets developers, security experts, upper management, and other key stakeholders perform threat modeling without having to discuss code implementation. The session is intended to take place before development begins, most likely after draft requirements have been defined, so that the results can still drive changes to the RTM if needed.
"The dual purpose of a Protection Poker session is (1) to structure a collaborative, interactive, and informal practice for misuse case development and threat modeling; and (2) to spread software security knowledge throughout a team."
More information can be found here:
Poker: The New Game in Secure Application Development
Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer
Tuesday, February 24, 2009