Abstract: User stories are a generally accepted scrum and extreme programming practice that helps us capture user valued wants, needs and desires. All too often, we spend so much time worrying about those new features, that we put off thinking about the security of our system. Introducing Abuser Stories: abuser stories help us to see our system from the perspective of an attacker, allowing us to see where potential vulnerabilities have been introduced into our system.
Learning Outcomes: - How seemingly benign functional user stories can create vulnerabilities in our software, leaving lots of opportunity for our enemies to take advantage of our weaknesses.
- How to use the concept of abuser stories to shed some light on where these vulnerabilities can be introduced.
- How to craft a good abuser story.
- How to craft refutation criteria so that we can determine that the attack depicted by the abuser story is not possible.
- How to estimate and rank abuser stories.
