War Games - Teaching difficult security concepts through card games
Security, security, security. Everywhere we look there seems to be a new security breach, poorly designed architecture, or honest mistake that costs companies millions of dollars. Agile teams often struggle with how and when to do security assessments, how to spend their limited security budget, and how to work with non-agile security teams. Wouldn't it be great if there was a way to teach agile teams with little to no security expertise how to understand threats and prevent costly development oversights?
In this workshop, I will introduce Microsoft's open source card game called "Elevation of Privilege". The game is played by software developers, architects, and security engineers as a fun exercise that helps expose security threats and critical design flaws in the software your teams develop. We'll play through a couple of rounds, showing how effortless teaching people core security design concepts can be, all while having some fun with your co-workers.
Considering how much more security fixes cost after features have been deployed to production, it makes a lot of sense to shift left and build security in. We'll show how this game can help engineers adopt security well before a flaw turns into an expensive bug that sits in the backlog, exposing your users to risk. Let's have some fun!
Outline/Structure of the Workshop
Hi, so here's what I'm thinking about:
- Talk for 30 minutes about agile software development, developing the idea that small investments in your engineers can extend their skill set to address one of the biggest problems we face today as engineers. Introduce the game.
- Spend 10 minutes explaining the rules of the game.
- Spend 40 minutes playing the game with a select set of audience members. (Or, we could break into groups, each playing its own game, if that's more desired.)
- Spend the remainder of the time doing Q&A.
Learning Outcome
The core outcome is that I want attendees to realize that security isn't some bleak, unknowable mystery. In fact, securing software with appropriate controls is actually quite easy. Additionally, I want people to understand that you don't need to be a security expert to learn how to secure your software, and we'll do that in a fun, easy-to-understand way.
Target Audience
Security Engineers, Scrum Masters, Project Managers, Software Developers, Software Architects, Operations Engineers
Prerequisites for Attendees
- A basic understanding of software development would be helpful
- Bring curiosity and questions
Links
Elevation of Privilege: How to draw developers into threat modeling: https://www.usenix.org/node/184967