War Games - Teaching difficult security concepts through card games

Security, security, security. Everywhere we look there seems to be a new security breach, poorly developed architecture, and honest mistakes which cost companies millions of dollars. Agile teams often struggle on how and when to do security assessments, how to spend their limited security budget, or understand how to work with non-agile security teams. Wouldn't it be great if there was a way to teach agile teams with little to no security expertise how to understand threats and prevent costly development oversight?

In this workshop, I will introduce Microsoft's open source card game called "Elevation of Privilege". The game is played by software developers, architects, and security engineers as a fun exercise which helps expose security threats and critical design flaws in the software your teams develop. We'll play though a couple of rounds, showing how effortless teaching people core security design concepts is, all while having some fun with your co-workers.

Considering how much more security fixes cost after features have been deployed to production, it makes a lot of sense to shift-left and build security in. We'll show how this game can help engineers adopt security well before it turns into an expensive bug that'll sit in the backlog, causing risk to your users. Let's have some fun!


Outline/Structure of the Workshop

Hi, so here's what I'm thinking about:

- Talk for 30 minutes about agile software development, developing the idea that small investments in your engineers can extend their skill set to address one of the biggest problems we face today as engineers. Introduce the game.

- Spend 10 minutes explaining the rules of the game.

- Spend 40 minutes playing game with a select set of audience members. (Or, we could break apart into groups playing a games if that's more desired.)

- Spend the remainder of the time doing Q&A

Learning Outcome

The core outcome is that I want attendees to realize that security isn't some bleak unknown mystery. In fact, how people secure software with appropriate controls is actually quite easy. Additionally, I want people to understand that you don't need to be a security expert to learn how to secure your software, and we'll do that in a fun, easy to understand way.

Target Audience

Security Engineers, Scrum Masters, Project Managers, Software Developers, Software Architects, Operations Engineers

Prerequisites for Attendees

- Basic understanding of software development would be helpful

- Bring curiosity and questions

schedule Submitted 4 years ago