Difference between revisions of "OWASP Video Game Security Framework"

Revision as of 21:17, 26 April 2019

OWASP Video Game Security Framework (VGSF)

OWASP Video Game Security Framework (VGSF) defines an approach to discovering solutions for strategy, development, operations, and management surrounding security for video game industry business models

Most organizations that operate in the digital landscape approach security as a last afterthought when compared to the overall business strategy and operations. In the recent years it has become more apparent the consequences of such behavior with increasingly amounts of data breaches happening. The cost associated with an organization’s loss of intellectual property and other digital assets has reached the millions.

With the fast growth of the video game industry (174 billion by 2021 - Newzoo Global Game Forecast) in recent years, it is critical that organizations operating in this space have a strong security posture. Cyber-attacks aimed at various components of a business can affect the interoperability, user protected info, end-game product, and overall business model. As more businesses and clients operate in the cyber space its important to leverage security as a way to create sustainable trust, lead competitively, and operate more agile with different types of data.

The framework is comprised of five discipline areas that could produce many best practice methodologies:

I. Business Strategy & Risk

II. Governance & Compliance

III. Prevention

This will be one of the largest sections as it is comprised of many different aspects of overall cyber security

IV. Management

V. Service Delivery & Support

Licensing

The OWASP Video Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

Share this:

What is the OWASP Video Game Security Framework?

The goal of the OWASP Video Game Security Framework is to provide an adaptable blueprint to guide the development and deployment of cyber resiliency within a video game enterprise operation.

The target audience for the project includes:

Game Publishers
Game Developers
Security Professionals
Consumer Gamers
Quality Assurance Testers
Business Stakeholders in the Gaming Industry
Industry Enthusiasts

Project Leaders

Romen Brewer

Contributors

TBD

Related Projects

Collaboration

Join the discord channel: [1]

Quick Download

COMING SOON

News and Events

April, 2019: Site Creation and Discord channel creation.

Classifications

@@ Line 110: / Line 110: @@
 == Business Strategy & Risk ==
-<br/>
+<br />
 The purpose of the Strategy & Risk phase in the framework is to layout a guiding path to creating and completing security related initiatives in gaming.
-<br/>
+<br />
 '''Strategy & Risk Process'''
-<br/>
+<br />
 :1.    Establish Purpose
@@ Line 122: / Line 122: @@
 :4.    Plan Next steps
-<br/>
+<br />
 '''1.Establish Purpose'''
-<br/>
+<br />
 It’s important to understand in detail the goal of the overall security strategy and how can you capture requirements to ensure this phase is properly completed. Eventually a full project plan will be created for the initiatives that emerge from this phase. Establishing how an org handles these types of projects is a key driver of success.
-<br/>
+<br />
 '''''Example Questions to ask:'''''
-<br/>
+<br />
 '''''What''''' are the project requirements?
-<br/>
+<br />
 :1)    Detailed in Project plan
 ::a)    May come from leadership and other areas of business
-<br/>
+<br />
 '''''What''''' is the proposed approach to this project?
-<br/>
+<br />
 :1)    Methodology
@@ Line 142: / Line 142: @@
 ::b)    Agile
-<br/>
+<br />
 '''''Who''''' are the parties involved?
-<br/>
+<br />
 :1)    Key Stake Holders
@@ Line 150: / Line 150: @@
 :3)    Project Managers & Staff
-<br/>
+<br />
 '''''What''''' are the Risks, Barriers & Concerns?
-<br/>
+<br />
 :1)    Resource Availability
@@ Line 166: / Line 166: @@
 ::b)    Vendor support
-<br/>
+<br />
 '''''What''''' are the known tasks that need to be accomplished?
 :1)    Varies by project
-<br/>
+<br />
 '''Triage Capabilities'''
-<br/>
+<br />
 Assessing the current security capabilities within a company is the next step. This will allow an organization to understand certain strengths and developing areas in their sec operations. The very detailed information from the results of the assessments are vital to the next step.
-<br/>
+<br />
 ''Example Questions to ask:''
-<br/>
+<br />
 '''''What''''' security controls do we currently have in place?
@@ Line 188: / Line 191: @@
 :5)    User Security
-<br/>
+<br />
 '''''Are''''' licensed security technologies being utilized to their fullest potential?
-<br/>
+<br />
 '''''What''''' are the gaps in the security technologies currently used?
@@ Line 196: / Line 200: @@
 :2)    Cannot perform data analytics
-<br/>
+<br />
 '''Define Vision'''
-<br/>
+<br />
 The vision for org security needs to be created with the overall business objectives in mind. This needs to start out very high level and can be tailored a bit more later. Understanding industry trends and being innovative allows for a better vision.
-<br/>
+<br />
 Example Questions to ask:
-<br/>
+<br />
 '''''What''''' do we want our security posture to look like in the future?
@@ Line 230: / Line 237: @@
 ::c)    Increased consumer trust
-<br/>
+<br />
 '''''What''''' are the current threats to the organization?
-<br/>
+<br />
 '''''What''''' does the org need to protect?
@@ Line 246: / Line 254: @@
 ::b)    Impact user privacy
-<br/>
+<br />
 '''Plan Next Steps'''
-<br/>
+<br />
 During this phase an org must create a list with the end-resulted actions necessary to get to the newly accepted vision. This list must be prioritized and grouped to form the initiatives needed for implementation.
-<br/>
+<br />
 ''Example Questions to ask:''
-<br/>
+<br />
 '''''What''''' capabilities will achieve the defined vision from the previous step?
@@ Line 260: / Line 271: @@
 :3)    Technology
-<br/>
+<br />
 '''''What''''' can be done to ensure continued maintenance on the defined vision?

ID	Vulnerabilty Name	Description	Surface Area	Goal	Techical Impact	Business Impact	Defense	Ref	Genre
V1	Local Resource Modification, Client-side Logic Flaw	In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.	Game Client	Unfair Player Advantage	Player Anger	Players leave, Lost Revenue	Cryptographic Integrity Checks on Game Client	http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/	3PS/1PS/MMO
VN1	"The attacker attacked and edited the `LOCAL GAME CLIENT (Attack Surface)`, which had a `LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)`, which allowed her to `ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)`, ultimately leading to an `UNHAPPY PLAYER BASE (Negative Outcome)` and `DECLINING GAME REVENUE (Negative Outcome)` due to cheating, which could have been prevented by `CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT`”