The system, called "Protection Poker," was developed by computer security experts at North Carolina State University and is already being used in a pilot project to identify security problems.
In Protection Poker, lead researcher Dr. Laurie Williams explains, software development managers are asked to present ideas for new software features or applications to their team of programmers. Members of the software development team are then asked to vote on two questions: how valuable is the data that the new feature will be using? And how easy will it be to attack the new feature?
The development team members use a special deck of cards to vote that allows them to rank the value and ease of attacking the new feature on a scale of 1 to 100. Everyone on the team flips over his or her cards simultaneously. Members who voted with the highest and lowest cards are asked to explain their votes. If one member of the team has ranked the vulnerability as a 40, while the rest of the team ranked it as a three, that member may know something the others don't, Williams says. This process takes advantage of the diversity of knowledge and perspective within the development team.
This process, while simple and inexpensive, is effective – particularly if it takes place during the planning stage, so that potential problems can be addressed before any coding has taken place. For example, Williams and her research team launched a Protection Poker pilot project with Red Hat IT in October 2008 – and have already identified vulnerabilities and prevented them from being included in software projects at that company.
Williams is currently in discussions with other private companies and government agencies about the possibility of launching additional pilot projects to test the Protection Poker system. Williams is an associate professor of computer science at NC State. The Protection Poker research team includes two NC State doctoral candidates in computer science: Michael Gegick and Andrew Meneely.
In addition to identifying security flaws, Protection Poker is also a valuable training tool. Having an individual explain his or her vote results in that person's security knowledge being shared with the entire software development team, Williams explains.
The Protection Poker research, "Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer," was presented at the first-ever Engineering Secure Software and Systems (ESSoS) Conference in Leuven, Belgium, earlier this month.
Gegick and Williams have also co-authored research, with Pete Rotella of Cisco Systems, that effectively allows software developers to identify the elements of their software that are most likely to have security vulnerabilities. While the program does not identify the vulnerabilities, it does evaluate reports of non-security problems with a program (or "bugs") to determine which elements of the program should be prioritized as possibly having security flaws. This research, "Toward Non-security Failures as a Predictor of Security Faults and Failures," was also presented at the ESSoS conference.
Matt Shipman | EurekAlert!
The TU Ilmenau develops tomorrow’s chip technology today
27.04.2017 | Technische Universität Ilmenau
Five developments for improved data exploitation
19.04.2017 | Deutsches Forschungszentrum für Künstliche Intelligenz GmbH, DFKI
More and more automobile companies are focusing on body parts made of carbon fiber reinforced plastics (CFRP). However, manufacturing and repair costs must be further reduced in order to make CFRP more economical in use. Together with the Volkswagen AG and five other partners in the project HolQueSt 3D, the Laser Zentrum Hannover e.V. (LZH) has developed laser processes for the automatic trimming, drilling and repair of three-dimensional components.
Automated manufacturing processes are the basis for ultimately establishing the series production of CFRP components. In the project HolQueSt 3D, the LZH has...
Reflecting the structure of composites found in nature and the ancient world, researchers at the University of Illinois at Urbana-Champaign have synthesized thin carbon nanotube (CNT) textiles that exhibit both high electrical conductivity and a level of toughness that is about fifty times higher than copper films, currently used in electronics.
"The structural robustness of thin metal films has significant importance for the reliable operation of smart skin and flexible electronics including...
The nearby, giant radio galaxy M87 hosts a supermassive black hole (BH) and is well-known for its bright jet dominating the spectrum over ten orders of magnitude in frequency. Due to its proximity, jet prominence, and the large black hole mass, M87 is the best laboratory for investigating the formation, acceleration, and collimation of relativistic jets. A research team led by Silke Britzen from the Max Planck Institute for Radio Astronomy in Bonn, Germany, has found strong indication for turbulent processes connecting the accretion disk and the jet of that galaxy providing insights into the longstanding problem of the origin of astrophysical jets.
Supermassive black holes form some of the most enigmatic phenomena in astrophysics. Their enormous energy output is supposed to be generated by the...
The probability to find a certain number of photons inside a laser pulse usually corresponds to a classical distribution of independent events, the so-called...
Microprocessors based on atomically thin materials hold the promise of the evolution of traditional processors as well as new applications in the field of flexible electronics. Now, a TU Wien research team led by Thomas Müller has made a breakthrough in this field as part of an ongoing research project.
Two-dimensional materials, or 2D materials for short, are extremely versatile, although – or often more precisely because – they are made up of just one or a...
28.04.2017 | Event News
20.04.2017 | Event News
18.04.2017 | Event News
28.04.2017 | Medical Engineering
28.04.2017 | Earth Sciences
28.04.2017 | Life Sciences