Shostack + Friends Blog Archive


Elevation of Privilege: Drawing Developers into Threat Modeling

In the holiday spirit, I wanted to share an academic-style paper on the Elevation of Privilege Threat Modeling card game (EoP_Whitepaper.pdf). The paper describes the motivation, experience and lessons learned in creating the game.

As we’ve shared the game at conferences, we’ve seen people’s eyes light up at the idea of a game. We think of this as enticement, which is a great complement to the many other reasons to get involved in secure development. As someone once said, a spoonful of sugar helps the medicine go down.

We think of Elevation of Privilege as an important demonstration that enticing people into the secure development lifecycle is possible. We certainly don’t think that it’s the only game that’s possible, and so we hope that sharing our experiences will help you understand the game, how to use it, and how to build on it, maybe by making a game of your own to help with the challenges you face in bringing secure development to your organization.

Download all of the Elevation of Privilege content here:

(Originally appeared on the Microsoft SDL Blog.)