Security by Stealth and Elevation of Privilege by Gwen Diagram at the Play Secure Conference

Simon Gibbs, 23rd March 2021

This Friday the wonderful Gwen Diagram, who we last worked with at Leeds Digital Festival, is speaking on a topic at the intersection of frivolous fun and serious good sense, at the Play Secure Conference. She will be retelling her story of delivering a security program for a major gaming company, using a card deck built on years of curated cybersecurity experiences, and Spades.

Every developer knows that security is an important feature in what they build, and consider it a part of their craft, but it is sometimes a part of the craft that is neglected and difficult to manage. Why is this?

"Security isn’t always the most fun for development teams to think about. It’s complex and something that isn’t brought to mind when considering requirements. Too often, it is neglected by teams and left to the end for penetration testers to consider," said Gwen.

At Agile Stationery we regularly hear about the dynamics of situations where security is left to the end. Developers have to explain the application to an unfamiliar team of pen testers, who have not been on the same creative journey as them. They don't understand the application. They don't feel the same way about getting it into production and their timelines are often in conflict. Pen testers just want a bit of time to do a good job but when go-live is in a week's time, a two week penetration test is bad news for everybody.

"But, it doesn’t have to be," Gwen claims. "Security can be considered early in the development cycle. [the question is how] can we encourage this behaviour? How can you get development teams interested?"

Getting developers on board with threat modelling is key. It allows security to evolve with the application. The people involved travel the same road over a longer period. Security is baked into the design while it is still on the whiteboard, meaning less rework to the implementation. Getting the extra people involved also means more detailed knowledge, more perspectives, and more minds working faster on the problem. Faster work can mean security work is done at the same cadence as feature work, matching sprint cycles, for example, and leading to less disruption.

Threat modelling is modelling a system and finding where it is vulnerable. The first steps are understanding what you are working on, perhaps by creating an architecture diagram or flow chart, and identifying what could go wrong. Developers spend most of their time trying to discover how to make things go right. Asking them to think like an attacker is no easy task. Getting them into this mind-set is easier with examples, and the card deck brings the examples.

Elevation of Privilege is a card-game based on Spades. The cards in the game represent threats that have caused suffering for developers, and organisations, in the past. The threats were first collected in 2010 at Microsoft based on cyber security research from a much longer period. They are arranged into suits according to the STRIDE mnemonic, itself developed by Microsoft, to clarify and classify the full range of possible security harms, from Information Disclosure to Denial of Service and the titular trump suit Elevation of Privilege (when an attacker raises their permission levels).

Presenting the examples as a game creates a safe, although sometimes competitive, space. Failure is just a part of the game, and success is rewarded. Players can relax and often slip into a very collaborative and productive mode of gameplay. They are "in the zone" and churning out identified threats.

When Gwen brought the game to Sky it was a great success. Gwen explains that "this lead to further workshops which included the basics of threat modelling using STRIDE to the complexity of automated checks. Security at Sky became not only fun but cool".

Enthusiasm for security spread through the organisation by stealth with little budget and plenty of buy in.

You can hear about her cybersecurity journey at the Play Secure conference this Friday at 12:10.
Tickets are still available at 20% off with discount code AGILE.