Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer

  • Laurie Williams
  • Michael Gegick
  • Andrew Meneely
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5429)


Discovery of security vulnerabilities is on the rise. As a result, software development teams must place a higher priority on preventing the injection of vulnerabilities in software as it is developed. Because the focus on software security has increased only recently, software development teams often do not have expertise in techniques for identifying security risk, understanding the impact of a vulnerability, or knowing the best mitigation strategy. We propose the Protection Poker activity as a collaborative and informal form of misuse case development and threat modeling that plays off the diversity of knowledge and perspective of the participants. An excellent outcome of Protection Poker is that security knowledge passed around the team. Students in an advanced undergraduate software engineering course at North Carolina State University participated in a Protection Poker session conducted as a laboratory exercise. Students actively shared misuse cases, threat models, and their limited software security expertise as they discussed vulnerabilities in their course project. We observed students relating vulnerabilities to the business impacts of the system. Protection Poker lead to a more effective software security learning experience than in prior semesters. A pilot of the use of Protection Poker with an industrial partner began in October 2008. The first security discussion structured via Protection Poker caused two requirements to be revised for added security fortification; led to the immediate identification of one vulnerability in the system; initiated a meeting on the prioritization of security defects; and instigated a call for an education session on preventing cross site scripting vulnerabilities.


Software security Wideband Delphi Protection Poker Planning Poker 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alexander, I.: On Abstraction in Scenarios. Requirements Engineering 6(4), 252–255 (2002)CrossRefzbMATHGoogle Scholar
  2. 2.
    Beck, K.: Extreme Programming Explained: Embrace Change, 2nd edn. Addison-Wesley, Reading (2005)Google Scholar
  3. 3.
    Boehm, B.: Software Risk Management. IEEE Computer Society Press, Washington (1989)CrossRefGoogle Scholar
  4. 4.
    Boehm, B., Abts, C., Chulani, S.: Software development cost estimation approaches — A survey. Annals of Software Engineering 10(1-4), 177–205 (2000)CrossRefzbMATHGoogle Scholar
  5. 5.
    Boehm, B.W.: Software Engineering Economics. Prentice-Hall, Inc., Englewood Cliffs (1981)zbMATHGoogle Scholar
  6. 6.
    Cockburn, A.: Agile Software Development. Addison Wesley Longman, Reading (2001)zbMATHGoogle Scholar
  7. 7.
    Cohn, M.: Agile Estimating and Planning. Prentice Hall, Upper Saddle River (2006)Google Scholar
  8. 8.
    Grenning, J.: Planning Poker or How to avoid analysis paralysis while release planning (2002) (accessed on February 26, 2008),
  9. 9.
    Gupta, U.G., Clarke, R.E.: Theory and Applications of the Delphi Technique: A bibliography (1975-1994). Technological Forecasting and Social Change 53, 185–211 (1996)Google Scholar
  10. 10.
    Haugen, N.C.: An empirical study of using planning poker for user story estimation, in Agile 2006, Minneapolis, MN, 9 pages (electronic proceedings) (2006)Google Scholar
  11. 11.
    Howard, M., LeBlanc, D.: Writing Secure Code. Microsoft Press, Redmond (2003)Google Scholar
  12. 12.
    Howard, M., Lipner, S.: The Security Development Lifecycle. Microsoft Press, Redmond (2006)Google Scholar
  13. 13.
    Krsul, I.: Software Vulnerability Analysis, in Computer Science. vol. PhD West Lafayette: Purdue University (1998)Google Scholar
  14. 14.
    McGraw, G.: Building Secure Software. Addison Wesley, Boston (2002)Google Scholar
  15. 15.
    McGraw, G.: Software Security: Building Security. Addison-Wesley, Upper Saddle River (2006)Google Scholar
  16. 16.
    Moløkken-Østvold, K., Haugen, N.C.: Combining Estimates with Planning Poker – An Empirical Study. In: Australian Software Engineering Conference (ASWEC 2007), Melbourne, Australia, pp. 349–358 (2007)Google Scholar
  17. 17.
    Musa, J.D.: Software Reliability Engineering: More Reliable Software Faster and Cheaper, 2nd edn. Authorhouse, Indiana (2004)Google Scholar
  18. 18.
    Oblinger, D., Oblinger, J.: Educating the Net Generation. Educause, Boulder (2005)Google Scholar
  19. 19.
    Stoneburner, G., Goguen, A., Feringa, A.: NIST Special Publication 800-30: Risk Management Guide for Information Technology Syste (July 2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Laurie Williams
    • 1
  • Michael Gegick
    • 1
  • Andrew Meneely
    • 1
  1. 1.Department of Computer ScienceNorth Carolina State UniversityUSA

Personalised recommendations