Page 1
Usable Security
Tobias Christen
CTO, DSwiss / DataInherit
OWASP-Italy Day IV, Milan, 6th November 2009
The OWASP Foundation
http://www.owasp.org
Copyright © 2008 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
Page 2
Content
• Definitions and Assumptions
• Simplicity
• Usable Security in the SDLC
• What others said
• Examples
Page 3
Definition of Security
Risk of CIA (confidentiality, integrity, availability) violation
Page 4
Definition of Usable (Security)
Security controls are:
• accepted
• learnable
• cost effective
Page 5
Accountability will not work for B2C Apps
Page 6
Nr 1 Risk in IT (Security)
Complexity
Page 7
Nr 1 Goal in Usable Security
Simplicity
Page 8
Simplicity
From wisdom to action
Page 9
Simplicity is the ultimate sophistication
Page 10
Make it as simple as possible but not simpler
Page 11
Simplify to eliminate the unnecessary so that the necessary may speak.
Page 12
10 Laws of Simplicity, by John Maeda
• REDUCE
• ORGANIZE
• SAVE TIME
• LEARN
• EMOTION
Page 13
Usable Security in the SDLC
Page 14
One Architect for Everything?
Performance / Security / Usability
Page 15
Personas
• Align Thinking
• Focus Design
• Recruit Testers
EMOTION
Page 16
Wireframes
• Compare Alternatives
• Organize Elements
• Reduce Navigation
ORGANIZE
Page 17
Graphical Design
• Guidelines
• Re-Usable Panels
• Consistency Checks
LEARN
Page 18
Feedback-Driven Small Improvements
SAVE TIME
Page 19
What others said
Page 20
The missing model?
Agent / Principal → Request → Guard → Object / Model
Policy, Audit Log
Authentication, Authorization, Isolation Boundary
Butler Lampson
Page 21
Exploit differences between users and bad guys
Bruce Tognazzini
Page 22
Exploit differences in physical location
Bruce Tognazzini
Page 23
Make security understandable
• Reduce configurability
• Visible security states
• Intuitive user interfaces
• Metaphors that users can understand
Page 24
Usable Security Controls for Internet Apps
Controls: Authentication, Password helpers, Audit trails, Privacy Protection
Stakeholders: End-User, Sys-Admin, Security Operations
Page 25
Secure Remote Password Protocol
Nothing new to learn from a user’s perspective
Mitigates several pw related threats
Provides a symmetric shared secret as a side-effect
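The three properties on this slide can be traced through one SRP-6a round trip. The Python below is an added example, not code from the talk; it assumes the SRP-6a formulas and a demo-size prime N = 2^127 - 1 so the arithmetic stays readable, whereas a deployment would use an RFC 5054 group.

```python
import hashlib
import secrets

# Demo-size prime (the Mersenne prime 2^127 - 1) and generator, chosen only so the
# arithmetic stays readable; a real deployment uses an RFC 5054 group of >= 2048 bits.
N = (1 << 127) - 1
g = 2


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def to_bytes(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


k = H(to_bytes(N), to_bytes(g))  # SRP-6a multiplier parameter


def private_x(username: str, password: str, salt: bytes) -> int:
    # x = H(salt | H(username ":" password)); only ever computed on the client side
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def enroll(username: str, password: str):
    """Registration: the server stores (salt, verifier v = g^x), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


def srp_exchange(username: str, attempt: str, salt: bytes, v: int):
    """One login round trip; returns (proof accepted, client key, server key)."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                       # client -> server: username, A
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N         # server -> client: salt, B
    u = H(to_bytes(A), to_bytes(B))        # both sides: scrambling parameter
    # Client: S = (B - k*g^x)^(a + u*x); the user typed only username and password.
    x = private_x(username, attempt, salt)
    K_client = H(to_bytes(pow((B - k * pow(g, x, N)) % N, a + u * x, N)))
    # Server: S = (A * v^u)^b, using nothing but the stored verifier.
    K_server = H(to_bytes(pow((A * pow(v, u, N)) % N, b, N)))
    # Client proof M1: the server learns pass/fail, not the password, and the
    # agreed K is the symmetric shared secret obtained as a side-effect.
    M1 = H(to_bytes(A), to_bytes(B), to_bytes(K_client))
    accepted = M1 == H(to_bytes(A), to_bytes(B), to_bytes(K_server))
    return accepted, K_client, K_server
```

A wrong password yields a different x on the client, so the two keys diverge and the proof fails without the password ever leaving the client.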
Page 26
Password helpers
• Create memorizable passwords
• Rate passwords
• Auto-fill forms
• Store passwords encrypted
• Store in DataSafe
Page 27
Discussion
Where did you see the lack of usability in security?
Page 28
Literature
• http://simson.net/ref/2009/2009-10-29-HCI-SEC.pdf
• http://cacm.acm.org/magazines/2009/11/48419-usable-security-how-to-get-it/fulltext
• http://oreilly.com/catalog/9780596008277
Page 29
Questions?
[email protected]