Abstract
Secure software development is a fundamental part of ‘security by design’, which in turn is a prerequisite for ‘privacy by design’ in the terminology of the GDPR (General Data Protection Regulation). Following the principles of privacy by design and security by design during software development has been a legal requirement throughout Europe since the introduction of the GDPR in 2018. Secure software development is typically based on specific methods that software-design teams apply to discover and resolve security threats, and thereby improve the security of the resulting systems. This paper describes Threat Poker, a team-based method to be exercised during agile software development for assessing both security risk and privacy risk, and for estimating the effort needed to remove the corresponding vulnerabilities from the software under development.
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Rygge, H., Jøsang, A. (2018). Threat Poker: Solving Security and Privacy Threats in Agile Software Development. In: Gruschka, N. (eds) Secure IT Systems. NordSec 2018. Lecture Notes in Computer Science(), vol 11252. Springer, Cham. https://doi.org/10.1007/978-3-030-03638-6_29
DOI: https://doi.org/10.1007/978-3-030-03638-6_29
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-03637-9
Online ISBN: 978-3-030-03638-6
eBook Packages: Computer Science (R0)