My shopping cart
Your cart is currently empty.Continue Shopping
Simon Gibbs 23 September 2020
Grant Ongers was joined by an array of experts (Adam Shostack, Stuart Gunter, Tash Norris & Nina Alli) on Cyber Security to discuss the gamification of cyber security in Agile development contexts at an event organised by Equal Experts yesterday evening.
Grant explained that the traditional waterfall approach provides a long-duration window at the beginning of a project to design security into systems, with remediation of unexpected flaws often delayed until the system is in production. This long window allows time to meticulous pre-planning and design review by specialists. In contrast, agile methods provide multiple short windows for design input in addition to continuous feedback and measurement opportunities.
Grant explained that a traditional review of a system design would not be appropriate in an agile context as design documents are likely to be incomplete and the process might take too long. Cybersecurity professionals who don't adapt their methods are doomed to become a deployment bottleneck, causing tension and conflict, or the omission of security work.
Gamification was proposed as way to scale and realign the threat modeling function by allowing developers with up to date system knowledge to get involved in frequent threat modeling sessions.
Grant used a portion of this video to explain the game mechanics, before explaining the value of the game:
The OWASP Cornucopia game, a variation of Elevation of Privilege, was proposed as a gaming deck that is written in language accessible to developers. Adam Shostack, the inventor of EoP, was also on hand to point out that even smaller threat modeling exercises are possible based on a "4 question" strategy, without using a game.
Developers should expect to perform threat modeling during the "grooming" activity, before a Scrum sprint and before stories are pulled into implementation in a kanban context.
We were grateful that Grant's talk mentioned our deck and the Croupier tool for dealing random hands. We (obviously) agree that retaining a random element to the card dealing is a really important part of the gameplay. The random element is regrettably absent from other models of remote Elevation of Privilege facilitation.
We challenged the panel with a few questions:
This is the phase of play where a threat is discussed and shown to be viable in the system under review. The panel explained that much of the value of the game was to start focused conversations about technical problems that would not otherwise occur.
If developers could not agree on whether a system was vulnerable, or a threat had been mitigated, then getting to the bottom of that is useful work. If work is needed to rediscover or to measure the state of the system then this work could be planned in before knowledge gaps become a problem. This ensures the team is up to date, makes effort more visible and helps identify threats.
This question arose from an offline conversation with Grant Ongers. Grant passionately favours allowing teams to cheat in the gaming aspects of the exercise. Our decks are less-suited to cheating as you can spot the suits in another player's hand.
Two cheating options were discussed:
Nina Alli, the medical device expert on the panel, suggested that there was possibly a suit of threats around human factors, including factors arising from or involving patients themselves. Adam Shostack joked that Nina would be dragged into producing a medical devices version of the game, which actually everyone quite liked the sound of! Watch this space!
Nina made some further remarks about the fact that in a hospital there is no safe sandbox environment where threat models can be experimented with. The hospital itself, with the humans inside, was effectively the sandbox environment for certain kinds of threat.
A pseudonymous contributor asked:
The panel seemed to be quite skeptical about the role of automation, preferring scrutiny by creative human minds. Grant suggested, as we have done in the past, that if the ratio is too big then in fact gamification offers a lightweight and compelling means to draw additional minds into the threat modeling effort and compensate for staffing imbalances.
Overall this was an excellent session from Grant Ongers and the panel, as well as a slick presentation from Equal Experts.