Listening to Gary McGraw’s Silver Bullet #33, I heard Laurie Williams mention protection poker.
Protection poker, like planning poker, isn’t really poker. Planning poker is a planning exercise designed to avoid certain common pitfalls of other approaches to planning. The idea behind protection poker is to be an “informal form of misuse case development and threat modeling that plays off the diversity of knowledge and perspectives of the participants.”
I really like informal approaches to threat modeling, especially where there’s a somewhat knowledgeable group of players. (The draft title of this was “putting the fun back in threat modeling.”) Most people have some informal thoughts about what might go wrong with a system they’re building. This sense is probably strongest with those with the right orientation (“security mindedness”) but it can be enhanced with either training or a methodology. Yoshi Kohno is working on teaching the orientation. To the extent that we can better extract implicit knowledge, or make the training or process more fun, we’ll get more secure systems.
There’s a tutorial and a paper: Williams, L., Gegick, M., and Meneely, A., “Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer,” International Symposium on Engineering Secure Software and Systems (ESSoS) 2009, Leuven, Belgium.