Shostack + Friends Blog Archive

 

Do Games Teach Security?

There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question: Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments Gamification of classroom assignments and online tools has grown significantly in recent years. There have been a number of card […]

 

Elevation of Privilege: Drawing Developers into Threat Modeling

In the holiday spirit I wanted to share an academic-style paper on the Elevation of Privilege Threat Modeling card game (EoP_Whitepaper.pdf) The paper describes the motivation, experience and lessons learned in creating the game. As we’ve shared the game at conferences, we’ve seen people’s eyes light up at the idea of a game. We think […]

 

Control-Alt-Hack: Now available from Amazon!

Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route. From the website: Control-Alt-Hackā„¢ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve […]

 

Now Available: Control Alt Hack!

Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route. From the website: Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve […]

 

Please Kickstart Elevation of Privilege

Jan-Tilo Kirchhoff asked on Twitter for a printer (ideally in Germany) to print up some Elevation of Privilege card sets. Deb Richardson then suggested Kickstarter. I wanted to comment, but this doesn’t fit in a tweet, so I’ll do it here. I would be totally excited for someone to Kickstarter production of Elevation of Privilege. […]

 

Threat Modeling and Risk Assessment

Yesterday, I got into a bit of a back and forth with Wendy Nather on threat modeling and the role of risk management, and I wanted to respond more fully. So first, what was said: (Wendy) As much as I love Elevation of Privilege, I don’t think any threat modeling is complete without considering probability […]

 

Elevation of Privilege (Web Edition) Question

Someone wrote to me to ask: A few cards are not straightforward to apply to a webapp situation (some seem assume a proprietary client) – do you recommend discarding them or perhaps you thought of a way to rephrase them somehow? For example: “An attacker can make a client unavailable or unusable but the problem […]

 

Black Hat Slides

My talk at Black Hat this year was “Elevation of Privilege, the Easy Way to Get Started Threat Modeling.” I covered the game, why it works and where games work. The link will take you to the PPTX deck.

 

Hacker Hide and Seek

Core Security Ariel Waissbein has been building security games for a while now. He was They were kind enough to send a copy of his their “Exploit” game after I released Elevation of Privilege. [Update: I had confused Ariel Futoransky and Ariel Waissbein, because Waissbein wrote the blog post. Sorry!] At Defcon, he and his […]