Adam Shostack here. I’m pleased to announce that at RSA this week, Microsoft is releasing Elevation of Privilege, the Threat Modeling Game. Elevation of Privilege is the easiest way to get started threat modeling. EoP is a card game for 3-6 players. Card decks are available at Microsoft’s RSA booth, or for download here. The deck contains 74 playing cards in 6 suits: one suit for each of the STRIDE threats (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service and Elevation of Privilege). Each card has a more specific threat on it. For example, here’s the 5 of Tampering.
The threat is “an attacker can replay data without detection because your code doesn’t provide timestamps or sequence numbers.”
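To make that card concrete, here is an added example (not code from the post or from the EoP deck) of the mitigation the card points at: the sender binds a sequence number and a timestamp to each message under an HMAC, and the receiver rejects messages whose MAC fails, whose timestamp is outside a freshness window, or whose sequence number has already been seen. The shared key, the JSON message layout and the 30-second window are assumptions for the demo.

```python
import hmac
import hashlib
import json
import time
from typing import Optional, Tuple, List

KEY = b"shared-secret-for-demo"  # constructed demo key, not from the page
MAX_SKEW_SECONDS = 30            # assumed freshness window


def make_message(seq: int, payload: str, now: Optional[float] = None) -> dict:
    """Sender side: put seq and ts inside the MAC'd body so they cannot be altered."""
    ts = int(now if now is not None else time.time())
    body = json.dumps({"seq": seq, "ts": ts, "payload": payload}, sort_keys=True)
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class Receiver:
    """Receiver side: verify MAC, then reject stale timestamps and reused sequence numbers."""

    def __init__(self) -> None:
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        expected = hmac.new(KEY, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"                    # body, seq or ts was tampered with
        fields = json.loads(msg["body"])
        current = now if now is not None else time.time()
        if abs(current - fields["ts"]) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"            # old capture replayed much later
        if fields["seq"] <= self.last_seq:
            return False, "replayed sequence number"   # already processed this one
        self.last_seq = fields["seq"]
        return True, "ok"


def demo() -> List[str]:
    """Constructed scenario: two legitimate messages, then replays and a forged seq."""
    rx = Receiver()
    t0 = 1_700_000_000
    m1 = make_message(1, "transfer 10", now=t0)
    m2 = make_message(2, "transfer 20", now=t0 + 1)
    results = [rx.accept(m1, now=t0)[1], rx.accept(m2, now=t0 + 1)[1]]
    results.append(rx.accept(m1, now=t0 + 2)[1])     # replay inside the window
    results.append(rx.accept(m2, now=t0 + 600)[1])   # replay long after capture
    forged = dict(m1, body=m1["body"].replace('"seq": 1', '"seq": 3'))
    results.append(rx.accept(forged, now=t0 + 3)[1]) # seq bumped without the key
    return results
```

Without the sequence number, the first replay would have been accepted; without the timestamp, a receiver that restarted (losing `last_seq`) could be fed the whole captured stream again.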
We made it a game because we want everyone developing software to threat model, and there’s no better way to get people to do what you want than to ensure they have fun while doing it.
Everyone in software draws diagrams. From pictures on napkins or whiteboards to DFDs, UML or other formalisms, everyone diagrams.
When you’re done (all the cards have been played), count up the points, give the winner a pat on the back, and have someone file bugs.
That may seem a little complex, but it’s pretty simple when you have cards in hand. There’s a video of me explaining the game here and of people playing on the launch page. There’s also a strategy card in the deck with a flowchart to help you decide what card to play.
Right now! If you’re at RSA, come by the Microsoft booth, or download the cards here.
If you’re developing software, this is for you. We’d love to hear your feedback here, and we’d love for you to blog about it, but most of all we’d love for you to play Elevation of Privilege.
Once you have, we’d also like you to play with the idea of serious games for threat modeling and security. To help you get started, we’re making Elevation of Privilege available under a Creative Commons Attribution license which gives you freedom to share, adapt and remix the game.
I want to thank Austin Hill of Akoha for introducing me to the wide field of serious games (see http://www.seriousgames.org/ or http://en.wikipedia.org/wiki/Serious_game for some more on the broad concept), and Laurie Williams of North Carolina State University for designing “Protection Poker,” which inspired me to design Elevation of Privilege.
I'm a Brazilian security analyst, and a great fan of the game Elevation of Privilege! But I would like to translate it to my own language. Is there a way to do it? Thanks a lot!
Hello Carlos - thanks for your interest in translating the game into your language. We have uploaded the native files for the EoP card game at www.microsoft.com/.../details.aspx for users to download and modify per their own needs.
Hello Adam Shostack and The SDL Team!
I've been a fan of Elevation of Privilege game since I first heard about it over a year ago, in May 2010. I didn't realize it was available under Creative Commons License 3.0 until now. That is great! I've had many ideas about adapting and sharing the game, but never did due to licensing concerns.
While I realize that Microsoft kindly makes the game available via download, I wondered: Might I buy or work for an actual deck of cards, like those distributed originally at Microsoft's RSA booth in March 2010? Any info would be appreciated.
Hi EllieK - thanks for your interest in the Elevation of Privilege Card Game. We are currently not offering Elevation of Privilege Card Games for purchase.
However, as the license (creativecommons.org/.../us) under which the card game was released allows anyone to create card decks and sell them for a profit, feel free to create some yourself and sell them if you think others might be interested in purchasing them.
The native files of the game are available for download at: www.microsoft.com/.../details.aspx