Issue No.03 - May/June (2010 vol.8)
Laurie Williams, North Carolina State University
Andrew Meneely, North Carolina State University
Grant Shipley, Red Hat
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2010.58
Tracking organizations such as the US CERT show a continuing rise in security vulnerabilities in software. But not all discovered vulnerabilities are equal—some could cause much more damage to organizations and individuals than others. In the inevitable absence of infinite resources, software development teams must prioritize security fortification efforts to prevent the most damaging attacks. Protection Poker is a collaborative means of guiding this prioritization. A case study of a Red Hat IT software maintenance team demonstrates Protection Poker's potential for improving software security practices and team software security knowledge.
protection mechanisms, management, measurement, documentation, design, security, verification, risk assessment, risk estimation, Delphi estimation, Wideband Delphi estimation
Laurie Williams, Andrew Meneely, Grant Shipley, "Protection Poker: The New Software Security 'Game'," IEEE Security & Privacy, vol. 8, no. 3, pp. 14-20, May/June 2010, doi:10.1109/MSP.2010.58