Issue No.03 - May/June (2010 vol.8)
Andrew Meneely , North Carolina State University
Laurie Williams , North Carolina State University
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2010.58
Tracking organizations such as the US CERT show a continuing rise in security vulnerabilities in software. But not all discovered vulnerabilities are equal—some could cause much more damage to organizations and individuals than others. In the inevitable absence of infinite resources, software development teams must prioritize security fortification efforts to prevent the most damaging attacks. Protection Poker is a collaborative means of guiding this prioritization. A case study of a Red Hat IT software maintenance team demonstrates Protection Poker's potential for improving software security practices and team software security knowledge.
protection mechanisms, management, measurement, documentation, design, security, verification, security, risk assessment, risk estimation, Delphi estimation, Wideband Delphi estimation
Andrew Meneely, Laurie Williams, "Protection Poker: The New Software Security "Game";", IEEE Security & Privacy, vol.8, no. 3, pp. 14-20, May/June 2010, doi:10.1109/MSP.2010.58