Agile Security Game

Last updated on 2025-08-11 | Edit this page

Overview

Questions

  • How do you play the agile security game?
  • What are the outcomes of the game?

Objectives

  • For each Agile sprint, discuss and agree amongst yourselves which stories to implemnt.
  • Record your chosen sotries for that sprint (write down the code letters).

Player Instructions

We’ve got a problem. The app we released last week as apart of our researhc project has gone viral. People are downloading it by the tens of thousands; they’re all using it massively, and it’s received thousands of tweets and masses of mentions on every other social network. Even the Sunday newspaper has had an article on it.

Trouble is, we’re a small team and it was only supposed to be a limited pilot. We’ve put in only rudimentary security because we believed it under the radar for any of the likely attackers. But now we’ve got everyone from celebrities to my grandmother using it. AND IT’S NOT SAFE!

As the figure to the right shows, the functionality is all there and works well enough – fantastically done, team! Your mission now, should you choose to accept it, is to prioritise and implement the security enhancements to the system in the best way to minimise the threat to us and our users. Are you up for it?

It’s an agile project, of course, with two-week sprints. So each round in this game is a two week sprint. And for each sprint you have story cards with options you can take, and the estimated cost for each in estimation units. Some are security enhancements; some are test actions (the estimates include basic fixes that result from the testing); some are research activities which may lead to further tasks.

You have an initial budget for each sprint of 11 units, building up as you build up the team to 12 units for sprints 3 onwards; you can’t go over your budget and of course unused units don’t carry over the next sprint. You decide what you’ll do and the two weeks go by in a trice. And at the end of the sprint you’ll do a release of both app and server, and maybe get some new options opened up by the research you’ve done or the actions you’ve taken in the past.

And in the next sprint, and following sprint you do the same again. But remember – we also have a released product out there and maybe attackers will be DOING NASTY THINGS. Whether they’ll be successful or not depends on what decisions you made.

System model for this exercise
System Model

The game has some simplifications in timing. It ignores the time lag for getting apps from release to deployment. It assumes a stunningly agile team who can all move easily from server to app and from coding to reviewing to pen testing. And, remarkably, each task turns out to take exactly the effort estimated! So, you’ll get feedback on what NASTY THINGS have happened at the end of the sprint when you make each release.

For each sprint, discuss and agree amongst yourselves which stories to implement; record your chosen stories for that sprint (write down the code letters). The purpose and the learning of the game is in the discussion. Once the decisions are made, the game leader will feed back what has happened: any exploits seen during that sprint (of the code in the previous sprint’s release), and any new stories suggested by the learning from that sprint.

A Little Bit about Our App - MoodRing

We created “MoodRing” to enable participant mood-tracking in mental health studies. Here’s what I as a user can do with MoodRing:

  • Report moods that I have experienced
  • See my mood history
  • Change my name, address and contact details
  • Discuss with other app users
  • Use the in-app analysis to find patterns in my moods

The MoodRing app communicates with an ‘App Server’, which itself is connected to a myriad of services related to storage, processing, and analysis as shown in Figure 2.

Sprints

Challenge

Sprint 1

Using 11 points, pick the stories that will be completed this sprint.

Scanning Kiddie – gets to server by accident – maliciously deletes all data.

DoSing Kiddie – gets to server by accident – uses for ddos attacks on other servers

Scanning Kiddie – gets to server by accident – maliciously deletes all data.

  • Backup Server (BS): Having a backup server containing a recent backup of our data makes recovering from this event easier.
  • Server patches up to date (PT): Server updates often times inlcude security patches that address identified vulnerabilities and implement countermeasures.

DoSing Kiddie – gets to server by accident – uses for ddos attacks on other servers

  • Server patches up to date (PT): Server updates often times inlcude security patches that address identified vulnerabilities and implement countermeasures.
Challenge

Sprint 2

Using 11 points, pick the stories that will be completed this sprint.

Hacking Kiddie – gets to server by accident – downloads and publishes what he finds.

Phishing Kiddie – sends spam email, gets subscribers to download rogue version or enter credentials in spoof website.

Detective or journalist hacker – wants account information for specific users – server hack – publishes information or causes customer complaints.

Hacking Kiddie – gets to server by accident – downloads and publishes what he finds.

  • Server patches up to date (PT): Server updates often times inlcude security patches that address identified vulnerabilities and implement countermeasures.

Phishing Kiddie – sends spam email, gets subscribers to download rogue version or enter credentials in spoof website.

  • Contingency Plan (CP): Establishing a publicity plan with keeps the threat in the forefront of the teams mind and allows for faster notifications and warnings to users about phishing threats.
  • Two Factor Authentication (2F*): Establishing two-factor identification helps defend users from phishing attacks and our app from compromised accounts.

Detective or journalist hacker – wants account information for specific users, hacks the server, and publishes information or causes customer complaints.

  • Server Pen testing (PT) AND Encrypt and Hide data on server (EH*): External penetration testing (that includes server patching as well) can identify vulnerabilities in our app and patch them accordingly. Encrypting and hiding the data on our server prevents exposure of sensitive data in the event of a security breach or data leak.

* requires penetration testing

Challenge

Sprint 3

Using 12 points, pick the stories that will be completed this sprint.

MITM kiddie – Spoofs WiFi access point in airport – Gains credentials – randomly hacks accounts.

Aggrieved hacker – gains access to server – downloads or modifies server data – publicizes.

(FATAL) MITM Mafia – spoofs WiFi access point in airport – uses dodgy root certificates to validate all banking services - gains credentials – steals small amount from each.

MITM kiddie – Spoofs WiFi access point in airport – Gains credentials – randomly hacks accounts.

  • HTTPS in Protocol (HP): HyperText Transfer Protocol Secure utilizes encryption for secure communications over the network, thus protecting traffic between the device and the server.
  • Two Factor Authentication (2F): Establishing two-factor identification helps defend users from phishing attacks and our app from compromised accounts.

Aggrieved hacker – gains access to server – downloads or modifies server data – publicizes.

  • Server Pen Testing, AND Encrypt and Hide data on Server (PT, EH*): External penetration testing (that includes server patching as well) can identify vulnerabilities in our app and patch them accordingly. Encrypting and hiding the data on our server prevents exposure of sensitive data in the event of a security breach or data leak.

MITM Mafia – spoofs WiFi access point in airport – uses dodgy root certificates to validate all external services - gains credentials – steals personal information from each.

  • Forced Upgrades and SSL Pinning (FU, SS): Mandating up-to-date app versions and binding authentication certificates to specific services would protect against MITM attacks like this one.
  • Two Factor Authentication (2F): Establishing two-factor identification protects user credentials.

* requires penetration testing Text Fatal

Challenge

Sprint 4

Using 12 points, pick the stories that will be completed this sprint.

Mafia Team – Gain access to office, get passwords from server logs, stealing data from tens of thousands of accounts.

Mafia Advanced Programming Team – gain access to server though zero day exploit, installed hacked version, modifies mood data.

Mafia APT - Malware on device via email – sends back credentials found in logs to command and control server – used to steal and modify data.

Mafia Team – Gain access to office, get passwords from server logs, small theft from tens of thousands of accounts.

  • Prevent Access to Office (PA): Physical security of servers is just as critical as virtual!
  • Filtered Logging for Server (FL): Ensuring that logs do not contain sensitive or protected data helps prevent data leakage.
  • Two Factor Authentication (2F): Establishing two-factor identification protects user credentials and defends against unauthorized logins.

Mafia Advanced Programming Team – gain access to server though zero day exploit, installed hacked version, modifies mood data.

  • Network Monitoring for Server (NM): Monitoring network traffic is an excellent way find and stop on-going attacks. In this case, an unexpected server patch could indicate malicious activity.

Mafia APT - Malware on device via email – sends back credentials found in logs to command and control server – used to steal and modify data.

  • Forced Upgrades AND Sanitize App Logging (FU, SA): Keeping strict requirements on app-versions can detect or defend against disguised malicious malware. In this example, sanitizing logs wold prevent secret data from being discovered and leaked.
  • Two Factor Authentication (2F): Establishing two-factor identification protects user credentials and defends against unauthorized logins.

* requires penetration testing

Text Fatal

Callout

Some Notes about the Game

In a real world situation obviously one wouldn’t get feedback and lists of attacks before the start of the next agile sprint. These king of ‘security enhancement’ sprints we’re doing here would actually be interspersed with a number of functionality sprints, allowing plenty of time for feedback before the next sprint.

Also, observe in the attack descriptions that in some cases the mitigations are alternatives: the first attack could be mitigated by either BS or PT. But in other cases the teams must have completed all of a collection of tasks to mitigate the attack.

Key Points
  • Choosing how to use your limited resources to increase security is difficult.
  • Assess possible threats before they happen!