Threat Modeling through the Medium of Playing Cards
This one gets 10 for effort! At RSA in San Francisco this week, Microsoft released the new threat modeling card game, Elevation of Privilege.
Designed for 3-6 players by the SDL's Adam Shostack, who writes about it here, the game comprises a deck of playing cards and a score sheet. To play, you'll also need an initial (preferably data-flow-centric) diagram of the system that you're trying to implement in a security- and privacy-preserving fashion.
There are 74 cards in the deck, divided into six "suits" - one for each threat classification in STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (most suits run 2,3,...,J,Q,K,A but there is no 2 of Tampering, and the EoP "trump" suit starts at 5, hence 74 cards rather than 78).
All cards are dealt out, and the player holding the 3 of Tampering starts the game by showing this card, and explaining how the threat on the card ("An attacker can take advantage of your custom key exchange or integrity control which you built instead of using standard crypto") might apply to the developing system. A credible threat (one you'd file a bug for) gets a point, and is recorded on the score sheet.
Play then proceeds clockwise, following suit where possible, until everyone has played one card; the highest card of the led suit wins that hand, unless a trump (EoP) card was played, in which case the highest trump wins. The winning player starts the next hand, and may do so with any card. When all hands are played, the winner gets to choose who will log all the bugs on the score sheet!
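To make the deck composition and the trick rules above concrete, here is a small Python model of them. It is an added example, not code from Microsoft or the game itself; card tuples, player names and the helper names are my own construction.

```python
# Constructed model of the Elevation of Privilege deck and hand rules described above.
SUITS = ["Spoofing", "Tampering", "Repudiation", "Information Disclosure",
         "Denial of Service", "Elevation of Privilege"]
RANKS = ["2", "3", "4", "5", "6", "7", "8", "9", "10", "J", "Q", "K", "A"]
TRUMP = "Elevation of Privilege"
RANK_VALUE = {r: i for i, r in enumerate(RANKS)}   # higher index = higher card
OPENING_CARD = ("3", "Tampering")                  # whoever holds this leads first

def build_deck():
    """Six STRIDE suits of 13 ranks, minus the 2 of Tampering and EoP 2-4: 74 cards."""
    deck = []
    for suit in SUITS:
        for rank in RANKS:
            if suit == "Tampering" and rank == "2":
                continue                           # there is no 2 of Tampering
            if suit == TRUMP and RANK_VALUE[rank] < RANK_VALUE["5"]:
                continue                           # the EoP trump suit starts at 5
            deck.append((rank, suit))
    return deck

def suit_counts(deck):
    """How many cards each suit contributes to the deck."""
    counts = {}
    for _, suit in deck:
        counts[suit] = counts.get(suit, 0) + 1
    return counts

def opening_leader(hands):
    """hands: {player: [card, ...]} after the deal. The holder of the 3 of Tampering opens."""
    for player, cards in hands.items():
        if OPENING_CARD in cards:
            return player
    raise ValueError("3 of Tampering was not dealt")

def legal_plays(hand, led_suit):
    """Follow suit where possible; a player with no card of the led suit may play anything."""
    in_suit = [card for card in hand if card[1] == led_suit]
    return in_suit if in_suit else list(hand)

def trick_winner(plays):
    """plays: [(player, (rank, suit)), ...] in play order; the first entry is the lead.
    The highest trump wins if any was played, otherwise the highest card of the led suit."""
    led_suit = plays[0][1][1]
    trumps = [p for p in plays if p[1][1] == TRUMP]
    candidates = trumps if trumps else [p for p in plays if p[1][1] == led_suit]
    return max(candidates, key=lambda p: RANK_VALUE[p[1][0]])[0]

if __name__ == "__main__":
    print(len(build_deck()), suit_counts(build_deck()))
    print(trick_winner([("Ann", ("3", "Tampering")), ("Bob", ("K", "Tampering")),
                        ("Cat", ("5", "Elevation of Privilege"))]))
```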
Elevation of Privilege is released under a Creative Commons Attribution license, meaning you can share, adapt and remix it as you like. The full deck of card images, including instructions, strategy cards (yay! flowcharts!) and threat summaries, can be downloaded (6MB PDF) here, and the score sheet (356K PDF) here. Finally there is a video of Adam explaining the game, and also of people playing it, on the launch page.
Apparently Microsoft are actually giving out real, physical card decks right now, or will be when the sun comes back up, at RSA in San Francisco. This raises two questions for me. Will they be doing the same at RSA Europe, in London's Hilton Metropole this October 12-14? And if so, could my security blog qualify me as my employer's card-carrying delegate? ;)