Justice League Blog
Remediation – The Game

(This is a guest post, contributed by Timothy Champagne, a consultant at Cigital.)
I have long been a fan of card games. During lunch breaks at work, my co-workers and I would often play such games to pass the time and socialize. I found myself thinking that this activity could not be unique to my office; countless others out there undoubtedly have similar routines. It occurred to me that there must be a way to harness this social gathering at work and turn it into a fun learning experience built around what I know best – software assurance and software security. After all, if people are going to play a card game, why not play one that can help ingrain the very ideas that Cigital has been trying to expound on for over a decade?
So I began designing Remediation, a card game that pits web application companies focused on generating revenue against the threat of malicious users focused on negatively impacting that revenue for their own nefarious motives. This is the very scenario that we encounter at Cigital on a regular basis and a theme that can easily transcend the commercial world and find relevance within the Federal space… an area of particular interest to me due to my work with the Application Software Assurance Center of Excellence (ASACoE) for the US Air Force.
Remediation has players compete to end up with the highest score while playing through real-life software security scenarios. Taking on the role of either a company or a malicious user, the players take turns with the ultimate goal of playing the most revenue cards. The malicious users attack the company players with exploit cards, a SQL Injection attack for example, and score points in the form of the revenue the company loses by having its web application taken offline. The company players then play cards, like a Database Restore, to recover from these attacks so their web applications return online and generate revenue for their own scores. Additionally, the company players can choose to spend some of that gained revenue on cards that represent an investment in advanced security techniques that prevent specific attacks against their applications, such as the game’s namesake, a Vulnerability Remediation card. At its heart, Remediation conceptualizes how various exploits could affect a web application and what measures would need to be taken in order to recover from these situations.
With its focus on software security themed gameplay, one of the primary goals for Remediation is to be useful as an educational tool. In today’s increasingly web-centric environment, it is more important than ever for developers to be able to think like an attacker and stay one step ahead of the threats that plague web applications every day; this game is designed to instill that mindset by presenting specific examples of how an attacker might target a system. As for managers, it is absolutely vital to understand how these risks might affect the successful conduct of business; the game works on this level by showing not only how these types of attacks can harm a company, but also how Cigital’s service offerings can help protect against these threats. By mirroring real-life situations, Remediation strives to impart crucial skills that will help improve the players’ real-world security posture outside the game.
Of course, an additional goal is for the game to be fun and have replay value, so that it can take on a life of its own and introduce future players down the road to software security and how Cigital fits into this picture. Email us at remediationthegame@cigital.com if you’re interested in getting a copy of the game for yourself.