The system, called "Protection Poker," was developed by computer security experts at North Carolina State University and is already being used in a pilot project to identify security problems.
In Protection Poker, lead researcher Dr. Laurie Williams explains, software development managers are asked to present ideas for new software features or applications to their team of programmers. Members of the software development team are then asked to vote on two questions: how valuable is the data that the new feature will be using? And how easy will it be to attack the new feature?
The development team members use a special deck of cards to vote that allows them to rank the value and ease of attacking the new feature on a scale of 1 to 100. Everyone on the team flips over his or her cards simultaneously. Members who voted with the highest and lowest cards are asked to explain their votes. If one member of the team has ranked the vulnerability as a 40, while the rest of the team ranked it as a three, that member may know something the others don't, Williams says. This process takes advantage of the diversity of knowledge and perspective within the development team.
This process, while simple and inexpensive, is effective – particularly if it takes place during the planning stage, so that potential problems can be addressed before any coding has taken place. For example, Williams and her research team launched a Protection Poker pilot project with Red Hat IT in October 2008 – and have already identified vulnerabilities and prevented them from being included in software projects at that company.
Williams is currently in discussions with other private companies and government agencies about the possibility of launching additional pilot projects to test the Protection Poker system. Williams is an associate professor of computer science at NC State. The Protection Poker research team includes two NC State doctoral candidates in computer science: Michael Gegick and Andrew Meneely.
In addition to identifying security flaws, Protection Poker is also a valuable training tool. Having an individual explain his or her vote results in that person's security knowledge being shared with the entire software development team, Williams explains.
The Protection Poker research, "Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer," was presented at the first-ever Engineering Secure Software and Systems (ESSoS) Conference in Leuven, Belgium, earlier this month.
Gegick and Williams have also co-authored research, with Pete Rotella of Cisco Systems, that effectively allows software developers to identify the elements of their software that are most likely to have security vulnerabilities. While the program does not identify the vulnerabilities, it does evaluate reports of non-security problems with a program (or "bugs") to determine which elements of the program should be prioritized as possibly having security flaws. This research, "Toward Non-security Failures as a Predictor of Security Faults and Failures," was also presented at the ESSoS conference.
Matt Shipman | EurekAlert!
Switchable DNA mini-machines store information
26.06.2017 | Emory Health Sciences
Equipping form with function
23.06.2017 | Institute of Science and Technology Austria
An international team of scientists has proposed a new multi-disciplinary approach in which an array of new technologies will allow us to map biodiversity and the risks that wildlife is facing at the scale of whole landscapes. The findings are published in Nature Ecology and Evolution. This international research is led by the Kunming Institute of Zoology from China, University of East Anglia, University of Leicester and the Leibniz Institute for Zoo and Wildlife Research.
Using a combination of satellite and ground data, the team proposes that it is now possible to map biodiversity with an accuracy that has not been previously...
Heatwaves in the Arctic, longer periods of vegetation in Europe, severe floods in West Africa – starting in 2021, scientists want to explore the emissions of the greenhouse gas methane with the German-French satellite MERLIN. This is made possible by a new robust laser system of the Fraunhofer Institute for Laser Technology ILT in Aachen, which achieves unprecedented measurement accuracy.
Methane is primarily the result of the decomposition of organic matter. The gas has a 25 times greater warming potential than carbon dioxide, but is not as...
Hydrogen is regarded as the energy source of the future: It is produced with solar power and can be used to generate heat and electricity in fuel cells. Empa researchers have now succeeded in decoding the movement of hydrogen ions in crystals – a key step towards more efficient energy conversion in the hydrogen industry of tomorrow.
As charge carriers, electrons and ions play the leading role in electrochemical energy storage devices and converters such as batteries and fuel cells. Proton...
Scientists from the Excellence Cluster Universe at the Ludwig-Maximilians-Universität Munich have establised "Cosmowebportal", a unique data centre for cosmological simulations located at the Leibniz Supercomputing Centre (LRZ) of the Bavarian Academy of Sciences. The complete results of a series of large hydrodynamical cosmological simulations are available, with data volumes typically exceeding several hundred terabytes. Scientists worldwide can interactively explore these complex simulations via a web interface and directly access the results.
With current telescopes, scientists can observe our Universe’s galaxies and galaxy clusters and their distribution along an invisible cosmic web. From the...
Temperature measurements possible even on the smallest scale / Molecular ruby for use in material sciences, biology, and medicine
Chemists at Johannes Gutenberg University Mainz (JGU) in cooperation with researchers of the German Federal Institute for Materials Research and Testing (BAM)...
19.06.2017 | Event News
13.06.2017 | Event News
13.06.2017 | Event News
26.06.2017 | Life Sciences
26.06.2017 | Physics and Astronomy
26.06.2017 | Information Technology