Let s Play Poker: Effort and Software Security Risk Estimation in Software Engineering


Laurie Williams, williams@csc.ncsu.edu

Another vote for:
"Everything should be made as simple as possible, but not simpler." -- Albert Einstein

Two Kinds of Estimation

Estimation: How many engineers? How long?

Estimation: What is the security risk?

Estimation: Planning Poker and Protection Poker

Effort Estimation: Planning Poker
How many engineers? How long?

Coming up with the plan
Desired features: 30 story points
5 story points / iteration
30 story points at 5 per iteration = 6 iterations -> June 10

Estimating dog points
Estimate each of the dogs below in dog points, assigning each dog a minimum of 1 dog point and a maximum of 10 dog points. A dog point represents the height of a dog at the shoulder.
Labrador retriever, Terrier, Great Dane, Poodle, Dachshund, German shepherd, St. Bernard, Bulldog

What if?
Estimate each of the dogs below in dog points, assigning each dog a minimum of 1 dog point and a maximum of 100 dog points. A dog point represents the height of a dog at the shoulder.
Labrador retriever, Terrier, Great Dane, Poodle, Dachshund, German shepherd, St. Bernard, Bulldog
Harder or easier? More or less accurate? More or less time consuming?

Estimating story points
Estimate stories relative to each other: twice as big, half as big, almost but not quite as big, a little bit bigger.
Only values: 0, 1, 2, 3, 5, 8, 13, 20, 40, 100
Scale: near-term iteration stories -> a few iterations away -> epic

Diversity of opinion is essential!
Vote based on: disaggregation, analogy, expert opinion (subjective).

Results of Planning Poker
Explicit result (<20%): effort estimate
Side effects / implicit results (80%+):
- Greater understanding of the requirement
- Expectation setting
- Implementation hints
- High-level design/architecture discussion
- Ownership of the estimate

Security Risk Estimation: Protection Poker
What is the security risk?

Software Security Risk Assessment via Protection Poker

Computing Security Risk Exposure

Traditional risk exposure = probability of occurrence × impact of loss

NIST security risk exposure = likelihood of threat-source exercising vulnerability × impact of adverse event on organization
Difficulty: enumeration of adversary types, motivation of adversaries

Proposed security risk exposure = ease of attack (ease points) × value of asset (value points)
Value of asset: to the organization, to the adversary

Protection Poker Overview
"Diversity of ideas is healthy, and it lends a creativity and drive to the security field that we must take advantage of." -- Gary McGraw
1. Calibrate value of assets
2. Calibrate ease of attack for requirements
3. Compute security risk (value × ease) of each requirement
4. Security risk ranking and discussion

Diversity of devious, attacker thinking is essential!
Collaborative threat modeling and misuse case development.
Memory Jogger

Security Risk Assessment

Requirement   Ease points   Value points   Security risk   Ranking
Req 1         1             100            100             3
Req 2         5             1              5               6
Req 3         5             1              5               6
Req 4         20            5              100             3
Req 5         13            13             169             2
Req 6         1             40             40              5
Req 7         40            60             2400            1

Value points are the sum of the asset values of the tables the requirement uses (e.g. one 20 and one 40 gives 60).

Protection Poker High Level Overview
1. Calibrate value of database tables
2. Calibrate ease of attack for requirements
3. Compute security risk of requirements
4. Security risk ranking and discussion

Req 1: Emergency Responder
Currently the only roles in iTrust are licensed health care professional, unlicensed health care professional (a.k.a. secretarial support), administrator and patient. The need for another role has arisen: emergency responder (ER). An emergency responder is defined as follows: police, fire, emergency medical technicians (EMTs), and other medically trained emergency responders who provide care while at, or in transport from, the site of an emergency. The only capability provided to an ER is access to an emergency report for a patient, which provides basic but important information such as: allergies, blood type, recent short-term diagnoses, long-term chronic illness diagnoses, prescription history, and immunization history. The patient is sent an email to notify them of the viewing of their records by an emergency responder.

Req 2: Find qualified LHCP
A patient has just been diagnosed with a condition and wants to find the licensed health care professionals (LHCPs) in the area who have handled that condition. The patient chooses 'My Diagnoses' and is presented with a listing of all their own diagnoses, sorted by diagnosis date (most recent first). The patient can select a diagnosis and will be presented with the LHCPs in the patient's living area (based upon the first three numbers of their zip code) who have handled this diagnosis in the last three years. The list is ranked by the quantity of patients the LHCP has treated for that diagnosis (each patient is only counted once regardless of the number of office visits).

Req 3: Update diagnosis code table
The American Medical Association has decided that beginning January 1, 2010 all diagnoses must be coded with ICD-10 rather than ICD-9-CM. These new codes need to be saved for eventual use by the iTrust application.

Req 4: View access log
A patient can view a listing of the names of licensed health care professionals that viewed or edited their medical records, and the date the viewing/editing occurred is displayed.

Step 1: Calibrate value of database tables
Which iTrust database table would be least attractive to an attacker? Which iTrust database table would be most attractive to an attacker? Use your planning poker cards to assign relative point values for the value of each database table, giving a 1 to the least attractive. Circle the database tables in Table 1 and put the value points in the appropriate column. These are your value endpoints for the rest of the exercise. At this time, do not assign a value to all the other tables.

Step 2: Calibrate ease of attack for requirements
Which requirement adds functionality that will make an attack easiest? Which requirement adds functionality that will make an attack hardest? Use your planning poker cards to assign relative point values for the ease of attack of each requirement.
Easy to attack: high number
Hard to attack: low number
Record ease values in Table 3. These are your ease endpoints for the rest of the exercise. At this time, do not assign a value to all the other requirements.

Step 3: Compute security risk of requirements
For each requirement:
- Identify the database tables used in that requirement and record them in Table 2. For each table: does it already have a value? Use it. Does it not have a value yet? Poker a value and put it in Tables 1 and 2.
- Put the sum of all database table values in Table 3.
- Poker a value for ease points for each requirement and record it in Table 3.
- Compute security risk in Table 3 by multiplying value by ease.

Step 4: Risk Ranking and Discussion
Rank your risks. Any surprises? Satisfied with the values you gave? What plans would you put in place now that you are more aware of the security risk?

Anticipated Results of Protection Poker
Explicit result (20%): relative security risk assessment
Side effects / implicit results (80%):
- Greater awareness and understanding of the security implications of a requirement
- Allocation of time to build security into the new functionality delivered at the end of the iteration (appropriate to relative risk)
- Knowledge sharing and transfer of security information