The Artima Developer Community

Weblogs Forum
Enhancing agile planning with abuser stories

2 replies on 1 page. Most recent reply: Jun 6, 2005 3:20 PM by Johan Peeters

Johan Peeters

Posts: 30
Nickname: yo
Registered: Nov, 2003

Enhancing agile planning with abuser stories
Posted: Jun 5, 2005 12:28 PM
Summary
Agile iteration planning has traditionally maximized business value based exclusively on user stories. However, implementing a user story increases the attack surface of a system and consequently the risk of abuse. The cost of absorbing such risk is often not taken into account. Abuser stories redress the balance.

Agile development aims to deliver the greatest business value in the least possible time. Iteration plans have therefore maximized the sum of business values realised through individual user stories.

However, implementing a user story increases the attack surface of a system and hence the risk of abuse, which may carry important business costs. Therefore, a traditionally calculated iteration's value should be viewed as its gross value. In order to arrive at net business value, gross value should be corrected for unmitigated risk.

Introducing abuser stories allows business value to be tracked more accurately and facilitates rational planning of the effort required for security-related development. Abuser stories identify how attackers may abuse the system to damage the customer's assets through the system's functionality. Thus they state systems' security requirements. It is the development team's task to refute the abuser stories, by demonstrating that the attack described is impossible, or at least implausible. As risk mitigation reduces risk absorption costs, but requires effort, iteration plans for security-sensitive projects would not only include user stories that will be realized, but also abuser stories that will be refuted.


Vincent O'Sullivan

Posts: 724
Nickname: vincent
Registered: Nov, 2002

Re: Enhancing agile planning with abuser stories Posted: Jun 6, 2005 5:25 AM
Examples, examples, examples!

Johan Peeters

Posts: 30
Nickname: yo
Registered: Nov, 2003

Re: Enhancing agile planning with abuser stories Posted: Jun 6, 2005 3:20 PM
You could look at http://www.agileopen.net/Conference/SecurityRequirementsEngineering.html . It describes a case study used at a workshop where we wrote and discussed abuser stories. No examples of actual abuser stories, but it should give you a good idea of the context. HTH.
