Usable Security
Tobias Christen, CTO DSwiss / DataInherit
OWASP-Italy Day IV, Milan, 6th November 2009
http://www.owasp.org
Copyright © 2008 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
1
Content
• Definitions and Assumptions
• Simplicity
• Usable Security in the SDLC
• What others said
• Examples
2
Definition of Security
1Risk of CIA(U) violation
3
Definition of Usable (Security)
Security controls are:
• accepted
• learnable
• cost effective
4
Accountability will not work for B2C Apps
5
Nr 1 Risk in IT (Security)
Complexity
6
Nr 1 Goal in Usable Security
Simplicity
7
Simplicity: from wisdom to action
8
Simplicity is the ultimate sophistication
9
Make it as simple as possible but not simpler
10
The ability to simplify means to eliminate the unnecessary so that the necessary may speak.
11
10 Laws of Simplicity by John Maeda
REDUCE
ORGANIZE
SAVE TIME
LEARN
EMOTION
12
Usable Security in the SDLC
13
One Architect for Everything?
Performance, Security, Usability
14
Personas: Align Thinking, Focus Design, Recruit Testers
EMOTION
15
Wireframes: Compare Alternatives, Organize Elements, Reduce Navigation
ORGANIZE
16
Graphical Design: Guidelines, Re-Usable Panels, Consistency Checks
LEARN
17
Feedback-Driven Small Improvements
SAVE TIME
18
What others said
19
The missing model?
Agent / Principal → Request → Guard → Object / Model
Policy, Audit Log
Authentication, Authorization
Isolation Boundary
Butler Lampson
20
Exploit differences between users and bad guys
Bruce Tognazzini
21
Exploit differences in physical location
Bruce Tognazzini
22
Make security understandable
• Reduce configurability
• Visible security states
• Intuitive user interfaces
• Metaphors that users can understand
23
Usable Security Controls for Internet Apps
• Authentication
• Password helpers
• Audit trails
• Privacy Protection
End-User, Sys-Admin, Security Operations
24
Secure Remote Password Protocol
• Nothing new to learn from a user's perspective
• Mitigates several password-related threats
• Provides a symmetric shared secret as a side-effect
25
Password helpers
• Create memorizable passwords
• Rate passwords
• Auto-fill forms
• Store passwords encrypted
• Store in DataSafe
26
Discussion: Where did you see the lack of usability in security?
27
Literature
• http://simson.net/ref/2009/2009-10-29-HCI-SEC.pdf
• http://cacm.acm.org/magazines/2009/11/48419-usable-security-how-to-get-it/fulltext
• http://oreilly.com/catalog/9780596008277
28
• Threat universe --> intentional vs. non-intentional vs. negligence
• Misuse cases versus abuse cases
• SDLC from the user’s perspective
• Fraud detection SW
• Transaction PINs must be combined with fraud detection software
30