Announcing Elevation of Privilege The Threat Modeling Game |
Overview:

Adam Shostack here. I'm pleased to announce that at RSA this week, Microsoft is releasing Elevation of Privilege, the Threat Modeling Game. Elevation of Privilege is the easiest way to get started threat modeling. EoP is a card game for 3-6 players. Card decks are available at Microsoft's RSA booth, or for download here. The deck contains 74 playing cards in 6 suits, one suit for each of the STRIDE threats (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service and Elevation of Privilege). Each card has a more specific threat on it. For example, here's the 5 of Tampering:

[image: the 5 of Tampering card]

The threat is "an attacker can replay data without detection because your code doesn't provide timestamps or sequence numbers."

Why?

Because we want everyone developing software to threat model, and there's no better way to get people to do what you want than to ensure they have fun while doing it.

How?

Everyone in software draws diagrams. From pictures on napkins or whiteboards to DFDs, UML or other formalisms, everyone diagrams. You start with such a diagram (ideally, one focused on data flows) and deal the cards to 3-6 players. You'll also want to assign someone to take notes.

Play starts with the 3 of Tampering. The player with that card reads it out, and explains how the threat on the card ("An attacker can take advantage of your custom key exchange or integrity control which you built instead of using standard crypto") might apply to the system you're building. If they can provide a credible threat, they get a point. A credible threat here is one for which you'd file a bug.

Play proceeds clockwise until each player has had a chance to play a card. Each player needs to play in suit if they have a card in that suit. When each player has played, the highest numbered card played wins (Ace is high). The player who won gets a point for the hand, and gets to lead the next hand, including picking the suit that leads that next hand.

If a player doesn't have a card in the suit that was led, they may play any card. Elevation of Privilege cards are trumps that beat any other suit. Only the suit that was led or Elevation of Privilege can win the hand. When you're done (all the cards have been played), count up the points, give the winner a pat on the back, and have someone file bugs.

That may seem a little complex, but it's pretty simple when you have cards in hand. There's a video of me explaining the game here and of people playing on the launch page. There's also a strategy card in the deck with a flowchart to help you decide what card to play.

When?

Right now. If you're at RSA, come by the Microsoft booth, or download the cards here.

Who?

If you're developing software, this is for you. We'd love to hear your feedback here, we'd love for you to blog about it, but most of all we'd love for you to play Elevation of Privilege. Once you have, we'd also like you to play with the idea of serious games for threat modeling and security. To help you get started, we're making Elevation of Privilege available under a Creative Commons Attribution license, which gives you freedom to share, adapt and remix the game.

Acknowledgements

I want to thank Austin Hill of Akoha for introducing me to the wide field of serious games (see http://www.seriousgames.org or http://en.wikipedia.org/wiki/Serious_game for more on the broad concept), and Laurie Williams of North Carolina State University for designing Protection Poker, which inspired me to design Elevation of Privilege.
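The hand-resolution rules in the "How?" section (follow suit if you can, highest card of the led suit wins, Ace high, Elevation of Privilege trumps everything, a point per credible threat and a point to the hand's winner) are small enough to write down as a referee. The following is an added example, not code from the post or from Microsoft's game materials. The player names, the rank labels 2 through A, and the sample hand are constructed for illustration; the page does not say which ranks each suit contains, and nothing below assumes that.

```python
from collections import Counter
from dataclasses import dataclass

# The six STRIDE suits named in the post; Elevation of Privilege is the trump suit.
SUITS = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
         "Denial of service", "Elevation of privilege")
TRUMP = "Elevation of privilege"
# Rank order used for comparison; Ace is high, as the post states.
# (Assumed labels: which ranks each suit really holds is not on the page.)
RANKS = {**{str(n): n for n in range(2, 11)}, "J": 11, "Q": 12, "K": 13, "A": 14}


@dataclass(frozen=True)
class Card:
    suit: str
    rank: str

    def __post_init__(self):
        if self.suit not in SUITS or self.rank not in RANKS:
            raise ValueError(f"not an EoP card: {self.rank} of {self.suit}")

    @property
    def value(self) -> int:
        return RANKS[self.rank]


def legal_plays(hand, lead_suit):
    """Cards a player may play: they must follow the suit that was led if they
    hold any card in it; a player with no card in that suit may play anything."""
    in_suit = [c for c in hand if c.suit == lead_suit]
    return in_suit if in_suit else list(hand)


def is_legal_play(hand, lead_suit, card):
    """Referee check for the follow-suit rule."""
    return card in hand and card in legal_plays(hand, lead_suit)


def trick_winner(plays):
    """plays: [(player, Card), ...] in play order; the first entry led the hand.
    Only the suit that was led or an EoP card can win. The highest EoP card wins
    if any was played; otherwise the highest card of the led suit wins."""
    lead_suit = plays[0][1].suit

    def strength(card):
        if card.suit == TRUMP:
            return (2, card.value)      # trump beats every other suit
        if card.suit == lead_suit:
            return (1, card.value)      # in suit: compare by rank, Ace high
        return (0, 0)                   # off-suit discard can never win

    return max(plays, key=lambda pc: strength(pc[1]))[0]


def score_hand(plays, credible):
    """Points for one hand: one per card whose threat the table agreed was
    credible (bug-worthy), plus one to the player who won the hand.
    Returns {player: points}."""
    points = Counter()
    for player, card in plays:
        if card in credible:
            points[player] += 1
    points[trick_winner(plays)] += 1
    return dict(points)


if __name__ == "__main__":
    # Constructed opening hand: the game starts with the 3 of Tampering.
    hand = [("Alice", Card("Tampering", "3")),
            ("Bob", Card("Tampering", "K")),
            ("Carol", Card("Spoofing", "A")),                # off suit: the Ace does not help
            ("Dave", Card("Elevation of privilege", "5"))]   # trump: wins the hand
    print(trick_winner(hand), score_hand(hand, {Card("Tampering", "3")}))
```

The ordering key in `trick_winner` is where the two rules from the post meet: an off-suit card gets strength (0, 0) regardless of rank, so a Spoofing Ace played on a Tampering lead loses to a Tampering 3, while any EoP card outranks the whole led suit. Who leads the next hand is simply `trick_winner` of the previous one.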
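The 5 of Tampering quoted above names a concrete failure: data is replayed without detection because nothing in the message says whether it is fresh. The following added example (not code from the post or the game) shows the weak and the fixed design side by side: an HMAC-only message that a receiver accepts any number of times, and the same message with a sequence number bound under the MAC that a receiver rejects once it has been seen. The shared key, the payload and the packet layout (8-byte big-endian sequence number, body, 32-byte HMAC-SHA256 tag) are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real system derives a per-session key from a
# standard key exchange rather than hard-coding one.
KEY = b"demo-shared-key-not-for-real-use"
TAG_LEN = 32  # HMAC-SHA256 output size


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


# --- The threat on the card: integrity-protected, but no sequence number ---
def seal_without_seq(key, body):
    """Authenticates the body, but nothing distinguishes a fresh message from a replay."""
    return body + mac(key, body)


def accept_without_seq(key, packet):
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(mac(key, body), tag):
        return "bad-mac"
    return "ok"           # a captured packet passes this check forever


# --- The mitigation: a sequence number covered by the MAC ---
def seal_with_seq(key, seq, body):
    """seq || body is what gets authenticated, so an attacker cannot re-number
    a captured message to slip it past the freshness check."""
    header = struct.pack(">Q", seq)
    return header + body + mac(key, header + body)


class Receiver:
    """Remembers the highest sequence number accepted and rejects anything at or below it."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, packet):
        if len(packet) < 8 + TAG_LEN:
            return "malformed"
        msg, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        # Verify integrity first: a forged header must not be able to advance last_seq.
        if not hmac.compare_digest(mac(self.key, msg), tag):
            return "bad-mac"
        seq = struct.unpack(">Q", msg[:8])[0]
        if seq <= self.last_seq:
            return "replay"
        self.last_seq = seq
        return "ok"


def demo():
    """Deliver one message, then replay the identical bytes, under both designs.
    Returns ((naive first, naive replay), (seq first, seq replay))."""
    body = b'{"action":"transfer","amount":100}'     # constructed sample payload
    naive = seal_without_seq(KEY, body)
    naive_results = (accept_without_seq(KEY, naive), accept_without_seq(KEY, naive))
    rx = Receiver(KEY)
    pkt = seal_with_seq(KEY, 1, body)
    seq_results = (rx.accept(pkt), rx.accept(pkt))
    return naive_results, seq_results


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. The MAC is checked before the sequence number is read, so an attacker cannot move `last_seq` forward with a forged header and lock out legitimate traffic. And the strict "greater than the last accepted" rule also rejects legitimate packets that arrive out of order; transports that must tolerate reordering keep a sliding window of seen sequence numbers instead. A timestamp with an acceptance window, the other option the card mentions, works the same way but additionally depends on the two sides' clocks agreeing.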