Forum for Science, Industry and Business

Sponsored by:     3M 
Search our Site:


Cards on the table: Low-cost tool spots software security flaws during development process

A new risk management tool can help software developers identify security vulnerabilities in their programs early in the planning process, effectively solving problems before they exist, simply by having the developers lay their cards on the table.

The system, called "Protection Poker," was developed by computer security experts at North Carolina State University and is already being used in a pilot project to identify security problems.

In Protection Poker, lead researcher Dr. Laurie Williams explains, software development managers are asked to present ideas for new software features or applications to their team of programmers. Members of the software development team are then asked to vote on two questions: how valuable is the data that the new feature will be using? And how easy will it be to attack the new feature?

The development team members use a special deck of cards to vote that allows them to rank the value and ease of attacking the new feature on a scale of 1 to 100. Everyone on the team flips over his or her cards simultaneously. Members who voted with the highest and lowest cards are asked to explain their votes. If one member of the team has ranked the vulnerability as a 40, while the rest of the team ranked it as a three, that member may know something the others don't, Williams says. This process takes advantage of the diversity of knowledge and perspective within the development team.

This process, while simple and inexpensive, is effective – particularly if it takes place during the planning stage, so that potential problems can be addressed before any coding has taken place. For example, Williams and her research team launched a Protection Poker pilot project with Red Hat IT in October 2008 – and have already identified vulnerabilities and prevented them from being included in software projects at that company.

Williams is currently in discussions with other private companies and government agencies about the possibility of launching additional pilot projects to test the Protection Poker system. Williams is an associate professor of computer science at NC State. The Protection Poker research team includes two NC State doctoral candidates in computer science: Michael Gegick and Andrew Meneely.

In addition to identifying security flaws, Protection Poker is also a valuable training tool. Having an individual explain his or her vote results in that person's security knowledge being shared with the entire software development team, Williams explains.

The Protection Poker research, "Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer," was presented at the first-ever Engineering Secure Software and Systems (ESSoS) Conference in Leuven, Belgium, earlier this month.

Gegick and Williams have also co-authored research, with Pete Rotella of Cisco Systems, that effectively allows software developers to identify the elements of their software that are most likely to have security vulnerabilities. While the program does not identify the vulnerabilities, it does evaluate reports of non-security problems with a program (or "bugs") to determine which elements of the program should be prioritized as possibly having security flaws. This research, "Toward Non-security Failures as a Predictor of Security Faults and Failures," was also presented at the ESSoS conference.

Matt Shipman | EurekAlert!
Further information:

More articles from Information Technology:

nachricht Next Generation Cryptography
20.03.2018 | Fraunhofer-Institut für Sichere Informationstechnologie SIT

nachricht TIB’s Visual Analytics Research Group to develop methods for person detection and visualisation
19.03.2018 | Technische Informationsbibliothek (TIB)

All articles from Information Technology >>>

The most recent press releases about innovation >>>

Die letzten 5 Focus-News des innovations-reports im Überblick:

Im Focus: Researchers Discover New Anti-Cancer Protein

An international team of researchers has discovered a new anti-cancer protein. The protein, called LHPP, prevents the uncontrolled proliferation of cancer cells in the liver. The researchers led by Prof. Michael N. Hall from the Biozentrum, University of Basel, report in “Nature” that LHPP can also serve as a biomarker for the diagnosis and prognosis of liver cancer.

The incidence of liver cancer, also known as hepatocellular carcinoma, is steadily increasing. In the last twenty years, the number of cases has almost doubled...

Im Focus: Researchers at Fraunhofer monitor re-entry of Chinese space station Tiangong-1

In just a few weeks from now, the Chinese space station Tiangong-1 will re-enter the Earth's atmosphere where it will to a large extent burn up. It is possible that some debris will reach the Earth's surface. Tiangong-1 is orbiting the Earth uncontrolled at a speed of approx. 29,000 km/h.Currently the prognosis relating to the time of impact currently lies within a window of several days. The scientists at Fraunhofer FHR have already been monitoring Tiangong-1 for a number of weeks with their TIRA system, one of the most powerful space observation radars in the world, with a view to supporting the German Space Situational Awareness Center and the ESA with their re-entry forecasts.

Following the loss of radio contact with Tiangong-1 in 2016 and due to the low orbital height, it is now inevitable that the Chinese space station will...

Im Focus: Alliance „OLED Licht Forum“ – Key partner for OLED lighting solutions

Fraunhofer Institute for Organic Electronics, Electron Beam and Plasma Technology FEP, provider of research and development services for OLED lighting solutions, announces the founding of the “OLED Licht Forum” and presents latest OLED design and lighting solutions during light+building, from March 18th – 23rd, 2018 in Frankfurt a.M./Germany, at booth no. F91 in Hall 4.0.

They are united in their passion for OLED (organic light emitting diodes) lighting with all of its unique facets and application possibilities. Thus experts in...

Im Focus: Mars' oceans formed early, possibly aided by massive volcanic eruptions

Oceans formed before Tharsis and evolved together, shaping climate history of Mars

A new scenario seeking to explain how Mars' putative oceans came and went over the last 4 billion years implies that the oceans formed several hundred million...

Im Focus: Tiny implants for cells are functional in vivo

For the first time, an interdisciplinary team from the University of Basel has succeeded in integrating artificial organelles into the cells of live zebrafish embryos. This innovative approach using artificial organelles as cellular implants offers new potential in treating a range of diseases, as the authors report in an article published in Nature Communications.

In the cells of higher organisms, organelles such as the nucleus or mitochondria perform a range of complex functions necessary for life. In the networks of...

All Focus news of the innovation-report >>>



Industry & Economy
Event News

Virtual reality conference comes to Reutlingen

19.03.2018 | Event News

Ultrafast Wireless and Chip Design at the DATE Conference in Dresden

16.03.2018 | Event News

International Tinnitus Conference of the Tinnitus Research Initiative in Regensburg

13.03.2018 | Event News

Latest News

Custom sequences for polymers using visible light

22.03.2018 | Materials Sciences

Scientists develop tiny tooth-mounted sensors that can track what you eat

22.03.2018 | Health and Medicine

Mat baits, hooks and destroys pollutants in water

22.03.2018 | Earth Sciences

Science & Research
Overview of more VideoLinks >>>