Elevation of Privilege (abbreviated "EoP") is a card game developed by Adam Shostack with assistance from many patient Microsoft developers, and is designed to provide a fun and educational introduction to the concepts and practice of Threat Modeling.
The basic gameplay is similar to that of many "trick-winning" card games, in which a player leads a card of a particular suit, and other players have to play a card that will match the suit, discard a card of a different suit, or play a card of the declared "trump" suit. The winner of the trick will be the player who plays the highest-value trump card, or if all players played cards from the same suit as the lead player, the player who plays the highest-value card from the led suit is the winner of the trick. The winner of each trick then leads for the next trick until all cards have been used.
EoP can be played with the goal of simply accruing tricks, and gaining points for each trick won in this matter - but the purpose of the game is to encourage the players to think of credible threats to an application design, so that these threats can be enumerated, analysed and mitigated. To this end, the suits in the EoP deck are the six elements of the "STRIDE" framework of threats:
S - Spoofing T - Tampering R - Repudiation I - Information Disclosure D - Denial of Service E - Elevation of Privilege
Play starts with the "3 of Tampering" card, and as each card is played, players should try to think of threats that match the description on the card they are playing. Each such credible threat earns an extra point, and is recorded for later analysis and mitigation. Since this is an exercise in Threat Modeling, it is not important to decide at the time of playing the card whether or not the threat is mitigated - even mitigated threats are to be recorded, and analysed later to ensure they are mitigated. Since Threats are simply those things that an attacker might try against an application (or which might cause the application to function in an unwanted way - an accidental threat), it is not only valid to include threats that others might see as "obviously mitigated already", but it also moves gameplay along considerably.
Play ends when other people want the conference room, when players get bored with the game, or when they decide that enough is enough, and they'll use the SDL threat modeling tool instead. This usually indicates that the player feels the cards are slowing down their ability to generate valid threats, or that the player's points score is so far behind everyone else's that it is impossible for them to win any more.
Cheating is encouraged.
Inventing new attacks is encouraged.
Setting fire to the cards and saying, "How's that for an Ace of Denial-of-Service?" is considered somewhat counter-productive.
Tony Soper_MSFT edited Revision 2. Comment: res links added
like it
Shouldn't the text on the first image say: "Card with a threat (not thread) you can apply" ?
Mads Hjort Larsen edited Revision 12. Comment: Inserted missing space and fixed a missing capital letter
Ed Price - MSFT edited Revision 14. Comment: Featuring the article on the Home Page of TechNet Wiki.
Having trouble featuring the article on the Wiki (new platform changes). But I just featured it on the Wiki Blog: blogs.technet.com/.../elevation-of-privilege-yes-we-made-a-card-game-for-developers.aspx
Okay. It's featured on the front page of the Wiki now. Congrats!
Alun Jones edited Revision 18. Comment: Added links to pages for the other suits.
I got an error message on the instructions link and the card game images link (but the score card link works for me). Perhaps you can upload the other two to TechNet Gallery?
The links are working for me right now - can you check? They're go.microsoft.com links, so they should be solid.
Very original way of explaining it -
This looks fun and educational, thanks.