
having fun.
>> Yes.
>> I didn't hear you. Like that was...
>> Yes.
>> Oh, I like that one.
>> Okay. I took over from Emila now because I actually know you, and a couple of other faces on here. So I said I wanted to introduce him, but I see he's already bought in. He's got fancy patterns, which I was afraid he was going to bring. So that's going to be fun. But I want to introduce you, Johan Sydseter. Thank you.
>> Did I get it right?
>> What? Yes.
>> No, I feel like you're lying.
>> But he is someone that does gamification, specifically around threat modeling. Now, Cornucopia is something that is
immensely useful for developers, because I always know threat teams are great, but when you turn a developer evil and you put them into "how would you break into your system", you see this beauty unfold. They're the most evil hackers, let me tell you, because I've played Cornucopia with a few people. But I met Johan at a festival last year. We had such a good conversation. But he's going to tell you guys all about games as a tool. So the floor is yours.
>> Thank you very much. And I'm so happy to be here at the first BSides ever in Christ. How exciting. Yes. And as Veronica said, I'm Johan Sydseter and I'm the co-leader of a project called OWASP Cornucopia
together with these guys, Colin and Grant. And before I start, I want you to try to remember this sentence: "On a scale from 1 to 10, what's your favorite flavor of random grammar?" On a scale from 1 to 10, what's your favorite flavor of random grammar? And if you can remember this sentence at the end of my presentation, you may win this OWASP Cornucopia card deck. Woohoo. So I would like to introduce to you a game called OWASP Cornucopia. OWASP Cornucopia is a threat modeling tool in the form of a card game to assist software developers in identifying security requirements in agile, conventional, and formal development processes. And as you all know, threat modeling is a process for
identifying security weaknesses in our software. We can also do it before we build our software, and therefore ensure that we're implementing our application security by design instead of doing it by accident. The deck consists of 80 cards plus two jokers, each representing an attack. And we have six suits covering five categories in total. The categories are authentication (who we are); authorization (gold: what we can do); session management (the period between verifying these two); cryptography (encryption, hashing, obfuscation; gray); data validation and encoding (understanding trust boundaries and validating across them); and finally the dark blue suit, Cornucopia, which is the trump suit in this deck. And each suit is built up just like a
normal card deck, ranging from two to ace. The lower the card, the less likely the attack is supposed to be valid according to your threat model. The higher the card, the more severe the threat becomes. And the aces function a little bit like jokers, in that you have to come up with your own threats and attacks in order to make a valid point. Before the game starts, the players have to present a high-level diagram of the feature that they are building. And this diagram will then be annotated during the game. In order to score points, you have to play one of your cards and argue
that the attack on the card is a potential threat to the feature that you're building. And if the other players agree that it is the case, then you score a point. And the highest applicable attack that is played during the round gets an additional point. Each of the attacks is noted down on these score sheets, together with any tasks that you need to do in order to mitigate it before the next match. And these tasks then become backlog items that need to be completed during the next sprint in order to complete your epic and satisfy the definition of done. And the winner of the game is the player
with the highest score after the threat modeling session is over. When I mention to people that I use a game for threat modeling and security design, I get a lot of surprised reactions: how can you use a game for security design and threat modeling? And they would be partly right. Yes, it was made as a game, but it's also possible to use it in a professional context. When we at Admincontrol did our ISO 27001 audit back in 2022, we had just started to use OWASP Cornucopia, and I was called into the audit to talk about how we do application security, threat modeling and secure design. And as I came into the room, I
noticed that some of my colleagues were a bit shaky, a bit nervous, and that's very understandable, because we don't want to come across as ignorant or stupid in the meeting when we're talking about application security. And that goes for me as well. The last thing I want is to make a fool out of myself. But there are worse things that can happen than not being taken seriously. And by the way, we really nailed that threat modeling session. Before we started to use OWASP Cornucopia, I invited all our security champions to what was going to be the first threat modeling session that we had at Admincontrol, and we had prepared ourselves very well. We had created a high-
level diagram of what we were going to threat model. We had talked about STRIDE. We had narrowed the scope down so that it was possible to complete it in a reasonable amount of time. But as the session went on, I noticed that nobody other than me was talking. And as I was having one of my monologues, I had this out-of-body experience where my lips continued moving while I could observe everything that happened around the room. And when I looked up at the video conferencing screen, I could notice that people were falling asleep. And when I say falling asleep, I mean snoring. Now, it may be that our security champions didn't have enough
sleep the previous night, but I would claim that no matter how awake the participants in your meetings are, about 50% of what you have been saying during the meeting will be forgotten one hour after the meeting itself, and 24 hours after, they will only be remembering 30%. And this is why we cannot scale our application security programs. The main challenge is not that we don't have the right processes or tools. It is that our people cannot remember the essential points we're trying to make. They may be writing them down, but there's a good chance they won't even remember where they placed their notes. So, does anyone here have children? Please raise your hand if you have
children. Keep your hands up. Now, if your children can remember all the essential points you're trying to tell them, please keep your hands up. Do you think it's any different for adults? No. No, it's not. Absolutely not.
So, my family is from Spain, and we have been traveling back and forth between Spain and Norway for a very long time. And one of the things my wife always reminds me of before we leave our apartment in Spain is: "Do you remember the keys?" Yes, yes, yes, I always remember the keys. And so one time we went to the airport in Spain, took the plane to Norway, then got on a train to Drammen, the place where I live, went to the apartment building, climbed all the stairs, and then I told my wife, "Pedonino, I think I might have forgotten the keys." So when you do something wrong, the response you get from a Spanish woman is
"te mato, te mato", which means "I kill you, I kill you". When I met my wife 16 years ago, I was shocked that she would always threaten to kill me. I could not understand, with my own perception, these passionate outbursts of affection. So there we were in the middle of the night. We could not get hold of the locksmith, and our landlord didn't have a spare key. So I had to call, well, my wife called one of her male friends, who took us in his car to his apartment, where we could spend the night. And as I was sitting in the car with my two kids, my soon-to-be ex-wife and her new lover, the only thing I
could remember, or the only thing I could think about, was: why couldn't I REMEMBER THOSE GODDAMN KEYS? So, in 1885 there was this German psychologist called Hermann Ebbinghaus, who found out how well our brain retains information. He found out that our memory retention declines over time along this exponential curve, and he named it after himself and called it the Ebbinghaus effect. Now, why couldn't I have known this back then when I forgot my keys? Maybe I wouldn't have experienced the full effect of "te mato, te mato". But it's a good thing that we forget, because that makes room for what is important right at this moment. And we forget
things that make us sad and afraid, like that we all are going to die. We are all going to die. But we don't want to be reminded of that every second. Otherwise we would end up as Marvin the Paranoid Android in The Hitchhiker's Guide to the Galaxy. But fortunately, the Ebbinghaus effect isn't set in stone. There are things that we can do to help us remember. For example, things that we find funny help us to remember better. There are several studies that show that material and events that are presented to us which match our current mood can be remembered better than material that doesn't match our current mood. And this may be one of the key reasons
why people who generally are in a good mood forget to protect themselves against security threats, while security people, who are paranoid, always heed the latest security advisories. It just so happens that our paranoid nature helps to protect us, because the information matches how we feel about the world around us. Luckily, there are even more things we can do to help us remember. And here are eight such things. Spaced repetition: by repeating learning exercises at regular intervals using quizzes, flashcards and games, we can remember the exercises better. Microlearning content: by revisiting the content in short, focused bursts using infographics, posters, and gamified learning, the learning feels
less like a chore and makes us remember more of the content that we are presented with. Managing the cognitive load: instead of large threat modeling sessions, do small threat modeling sessions and focus on what is important for the participants right at this moment, so that they can absorb and remember the essential threats and mitigations that they need to implement in order to protect their software. And pair this with spaced repetition: by repeating these threat modeling sessions on a regular basis, you make them remember more of what they went through in these threat modeling sessions. Build on learners' existing knowledge: by asking questions that are anchored to what the learners know and have experienced, we can make them remember
more of the content that is presented to them, because the experience and the learning form the basis for the learning; more of the learning is remembered. Provide practice opportunities: games offer a safe environment for experimenting with novel ideas, because the setting is informal. Ideas that otherwise would be dropped can be discussed and tried out. And this provides for a fast feedback loop that allows for experimentation and ideas to be implemented which otherwise would be forgotten in the backlog or discarded. Provide feedback: interactive learning experiences that provide feedback through gamified elements help the learner to enhance their memory retention, and
peer feedback, like the feedback between the game master and the player, is crucial for deep learning. Informal and self-directed learning: by having the learners learn directly from each other, you make the learning experience more relevant and personal to the user. And by interacting with others in the way that you do in a multiplayer game, more of the learning can be remembered. And provide rewards and reinforcement for revisions: revisions can be reinforced with rewards. If you provide points and rewards to the users when they come up with threats and mitigations, you reinforce the motivation and make them
come up with more threats, more mitigations, so that they can implement more of the security controls during the following sprint. We often think that humans are the only ones that play, but research shows us otherwise. All animals with a brain play, even bumblebees. This slide shows the ball-rolling action over time, lasting in this instance 4 seconds. The bumblebee in panel A approaches the ball while facing it, then touches the ball with her forelegs, attaches to the ball using all her legs, then rolls the ball past the yellow ball, and finally detaches from and leaves the ball. Play is not only something that animals do to have fun. It has a
function as well. It helps us to remember. It's the way that we are meant to learn new things. It's how nature, our biology, helps us to learn new skills that keep us alive. It's survival of the fittest. And the fittest and most intelligent of them all is the animal that plays the most. Which takes us to another animal. If we are to survive, we need to play games. Because if there's one thing that the last years have shown us, it is that our survival depends on us learning new skills. So therefore, embrace your true nature. Go and play games with your colleagues as if your life depends on it. Not only will it help you to teach
others about application security, it will also help you to scale your application security programs. Here the other day, I had to cancel one of the threat modeling sessions that I had planned with one of the development teams because I was sick. And as I was lying in bed being sick, I heard this familiar sound. What? But I cancelled the threat modeling session! I jumped up and got to the phone. And lo and behold, the team had started the threat modeling session without me. The team didn't think it was necessary for me to be there, because they know how to do threat modeling. Luckily, they had made this video recording just for me. So when I
watched it later, I could see that they had done a great job. If the team continues without you and succeeds, just pat yourself on the back and tell them how proud you are of them. We who play believe very strongly in physical learning experiences, but we also acknowledge that it's not always possible to be co-located. And we also think that having security requirements printed on physical material is not the best for keeping this material up to date. Therefore, we have released a new version of Cornucopia with QR codes, which take us to our new website, where you can find the latest security requirements related to the
cards, and we will make sure that these are kept up to date. And if you go to the GitHub repository, you will also find our game engine, Copi, that you can download and install wherever you want and use to play with your colleagues even though you are not co-located. So, where do we go from here? I would start with just going and playing the game. Get together a group of people with an interest in security and just play. It can be testers, developers, product owners, designers. Just get together and play. Why? Because it's the fastest way of creating value and showing results. We want a culture of
finding and fixing design issues. And we want people collaborating and having fun. And we know that everyone is on a journey of discovery. We do not understand everything, but we believe we can figure it out together. And we know it won't be perfect, but we will continuously refine the process and models as we learn more about the world around us. And to make it as simple and agile as possible, we narrow it down to finding the answers to these four questions: What are we working on? What can go wrong? What can we do about it? And did we do a good job? It sounds so simple, but it really isn't, because the next part is a little bit more difficult,
because to make it stick, you need to enlist a volunteer army of security-minded people willing to meet on a regular basis. Once every two weeks is enough. If you already have a security champions program, then you already have this in place. And before you know it, you have each team doing gamified threat modeling on your behalf. Not so that you don't have to, but because that's the only way they can feel good about what they are doing, when they get the recognition and receive the prize. Then present what you're doing to your CISO, CTO and product owners, get everyone on board, and build a guiding coalition
that can help you and support you. Just make sure that you make them understand that you will be there and give support, and ask for a pilot project where you can introduce gamified threat modeling. And don't forget to celebrate your short-term wins. Present what you're doing to everyone in the organization and make noise about how the development team is having success with gamified threat modeling. Wins are the molecules of results. They must be collected, categorized and communicated early and often in order to energize your volunteer army and drive change. Now, does anyone remember the sentence I told you to remember at the beginning of this presentation? The first one to
raise their hand gets... Oh, what was it?
>> On a scale from 1 to 10, what is your preferred flavor in random words?
>> Congratulations, you get... Oh, wrong one.
Who's going to clean this up? No, me.
>> Thank you very much. Any questions?
>> Any questions?
I have nothing.
>> Developing data.
>> Sorry.
>> The language.
>> The language. You mean the game engine?
>> Yeah.
>> Elixir.
>> So it's a very obscure language, but it took me a day to learn it. So I don't think it's very difficult. But I also know 10 programming languages, so maybe I'm not the right person to ask. Anyone else?
>> Yeah.
>> How much does the card deck cost?
>> So it depends a bit. You can buy them at a company called Net Labs for €6. That's the small deck. And then Agile Stationery has the large deck. This one costs £18. So it's a bit expensive. It's about 300. But we are going to put out less expensive decks that you can buy from Net Labs. So we'll see what happens. They're working on that right now. Any other questions? You can also play it online for free, by the way. So it's available at copi.owasp.org.
>> One more round, but also name. Okay. Thank you very much.
from us to you.
>> No, I'm going for me.