Review - The Agile App Security Game
The Agile App Security Game is a team game for starting a conversation about security within your team, and practicing prioritization of security work (which often struggles for priority in a real life backlog). Setup is pretty quick, you just need to download, print and cut up the game cards, and familiarize yourself with the instructions. You could probably rush through the game in about an hour, but an hour and a half would be better to allow a solid debrief afterwards. It’s quite easy to run multiple teams at once, so you could run this with up to 30 or so people across multiple teams, though more would start to get a bit hard to facilitate. We found this game to be a good learning experience, but also very fun, so I highly recommend it.
Gameplay
You play in teams as members of the agile dev team working on the “MoneyZoom” money management app. The pilot version just went viral but because you’re so agile, all the security features were MVP (i.e. nonexistent). You need to prioritize and implement security enhancements in the best order to minimize threats to you and your users. Over 4 rounds (aka 2 week sprints), you are given a set of story cards for security features you can implement for different costs, fitting within a fixed budget per sprint. For each sprint, the team discusses and agrees which stories to implement. At the end of each sprint, the teams get feedback on what hack attempts have occurred and which have been mitigated by features implemented.
Setup
• Download – https://www.securedevelopment.org/resources/
• Print & cut up for each team: 1 x Instructions and 1 x Card Set
Tips
• Read both the leaders and players instructions thoroughly so you can facilitate smoothly, but also be willing to wing it
• The discussion is the main point, so allow extra time for discussion if required, and do a team debrief afterwards