Software security is about creating software that keeps performing as intended even when exposed to an active attacker. However, it is impossible to prevent all security flaws and vulnerabilities, since you will always have limited resources, in terms of time, money, and/or expertise. It is thus most important to prevent, detect and remove flaws and vulnerabilities with high risk, i.e., those that can easily be exploited by attackers, and that may impact important assets. Protection Poker is a tool for risk estimation to be used as part of the sprint planning meeting, in order to identify the features in the current sprint that represent the highest security risk, and that thus may need additional attention to software security and/or functional security requirements. An important side-effect of playing Protection Poker is a general raising of security awareness within the development team.

Protection Poker is meant to played by the whole team, and for each feature at least two rounds will be played: Once to determine the value of each asset the feature/requirement "touches", and once to determine the exposure of the feature. We define exposure as the extent to which the feature (when implemented) increases the attack surface of the system, what type of assets are made available through the feature, and to what extent it requires special competence to exploit the feature.

This talk will explain the basics of Protection Poker, and explain how it can be played. Participants will then get a chance to play Protection Poker themselves, on an artificial case. Protection poker cards will be provided for all participants.

The slides can be found here: https://sec4dev.io/assets/uploads/slides/sec4dev-2019-Martin-Gilje-Jaatun-Protection-Poker.pdf

More information can be found at https://www.sintef.no/protection-poker