Protection Poker

Software security is about creating software that keeps performing as intended even when exposed to an active attacker. However, it is impossible to prevent all security flaws and vulnerabilities, since you will always have limited resources, in terms of time, money, and/or expertise. It is thus most important to prevent, detect and remove flaws and vulnerabilities with high risk, i.e., those that can easily be exploited by attackers, and that may impact important assets. Protection Poker is a tool for risk estimation to be used as part of the sprint planning meeting, in order to identify the features in the current sprint that represent the highest security risk, and that thus may need additional attention to software security and/or functional security requirements. An important side-effect of playing Protection Poker is a general raising of security awareness within the development team.

Protection Poker is meant to be played by the whole team, and for each feature at least two rounds will be played: once to determine the value of each asset the feature/requirement "touches", and once to determine the exposure of the feature. We define exposure as the extent to which the feature (when implemented) increases the attack surface of the system, what type of assets are made available through the feature, and to what extent it requires special competence to exploit the feature.

Slides and Video


Martin Gilje Jaatun
Senior Scientist, SINTEF Digital

Martin Gilje Jaatun is a Senior Scientist at SINTEF Digital in Trondheim, Norway. He graduated from the Norwegian Institute of Technology (NTH) in 1992, and received the Dr.Philos degree in critical infrastructure security from the University of Stavanger in 2015. He is an adjunct professor at the University of Stavanger, and Editor-in-Chief of the International Journal of Secure Software Engineering (IJSSE). Previous positions include scientist at the Norwegian Defence Research Establishment (FFI), and Senior Lecturer in information security at the Bodø Graduate School of Business. His research interests include software security, security in cloud computing and security of critical information infrastructures. He is vice chairman of the Cloud Computing Association, vice chair of the IEEE Technical Committee on Cloud Computing (TCCLD), an IEEE Cybersecurity Ambassador, and a Senior Member of the IEEE.