Protection Poker: The New Software Security "Game"
May/June 2010 (vol. 8 no. 3)
pp. 14-20
Laurie Williams, North Carolina State University
Andrew Meneely, North Carolina State University
Grant Shipley, Red Hat
Tracking organizations such as the US CERT show a continuing rise in security vulnerabilities in software. But not all discovered vulnerabilities are equal—some could cause much more damage to organizations and individuals than others. In the inevitable absence of infinite resources, software development teams must prioritize security fortification efforts to prevent the most damaging attacks. Protection Poker is a collaborative means of guiding this prioritization. A case study of a Red Hat IT software maintenance team demonstrates Protection Poker's potential for improving software security practices and team software security knowledge.

1. L. Williams, M. Gegick, and A. Meneely, "Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer," Proc. Int'l Symp. Engineering Secure Software and Systems (ESSoS 09), Springer-Verlag, 2009, pp. 122–134.
2. I. Alexander, "On Abstraction in Scenarios," Requirements Eng., vol. 6, no. 4, 2002, pp. 252–255.
3. M. Howard and S. Lipner, The Security Development Lifecycle, Microsoft Press, 2006.
4. G. Stoneburner, A. Goguen, and A. Feringa, Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30, Nat'l Inst. Standards and Technology, July 2002.
5. M. Cohn, Agile Estimating and Planning, Prentice-Hall, 2006.
6. K. Schwaber and M. Beedle, Agile Software Development with Scrum, Prentice-Hall, 2002.
7. B. Boehm, Software Risk Management, IEEE CS Press, 1989.
8. G. McGraw, Software Security: Building Security In, Addison-Wesley, 2006.
9. N.C. Haugen, "An Empirical Study of Using Planning Poker for User Story Estimation," Proc. Agile 2006, 2006, p. 9 (electronic proceedings).
10. K. Moløkken-Østvold and N.C. Haugen, "Combining Estimates with Planning Poker—An Empirical Study," Proc. Australian Software Eng. Conf. (ASWEC 07), Elsevier Science, 2007, pp. 349–358.

Index Terms:
protection mechanisms, management, measurement, documentation, design, security, verification, risk assessment, risk estimation, Delphi estimation, Wideband Delphi estimation
Laurie Williams, Andrew Meneely, Grant Shipley, "Protection Poker: The New Software Security "Game"," IEEE Security & Privacy, vol. 8, no. 3, pp. 14-20, May-June 2010, doi:10.1109/MSP.2010.58