Copyright © 2008 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP-Italy Day IV, Milan, 6th November 2009
http://www.owasp.org
Usable Security
Tobias Christen
CTO DSwiss / DataInherit
Content
• Definitions and Assumptions
• Simplicity
• Usable Security in the SDLC
• What others said
• Examples
Definition of Security
Risk of CIA(U) violation
Definition of Usable (Security)
Security controls are:
• accepted
• learnable
• cost effective
Accountability will not work for B2C Apps
Nr 1 Risk in IT (Security)
Complexity
Nr 1 Goal in Usable Security
Simplicity
Simplicity: from wisdom to action
Simplicity is the ultimate sophistication
Make it as simple as possible but not simpler
The ability to simplify means to eliminate the unnecessary so that the necessary may speak.
10 Laws of Simplicity by John Maeda
REDUCE
ORGANIZE
SAVE TIME
LEARN
EMOTION
Usable Security in the SDLC
One Architect for Everything?
Performance Security Usability
Personas (EMOTION)
Align Thinking
Focus Design
Recruit Testers
Wireframes (ORGANIZE)
Compare Alternatives
Organize Elements
Reduce Navigation
Graphical Design (LEARN)
Guidelines
Re-Usable Panels
Consistency Checks
Feedback-Driven Small Improvements (SAVE TIME)
What others said
The missing model?
Agent / Principal -> Request -> Guard -> Object / Model
Policy | Audit Log
Authentication | Authorization
Isolation Boundary
Butler Lampson
Exploit differences between users and bad guys
Bruce Tognazzini
Exploit differences in physical location
Bruce Tognazzini
Make security understandable
Reduce configurability
Visible security states
Intuitive user interfaces
Metaphors that users can understand
Usable Security Controls for Internet Apps
Authentication
Password helpers
Audit trails
Privacy Protection
End-User
Sys-Admin
Security Operations
Secure Remote Password Protocol
Nothing new to learn from a user's perspective
Mitigates several password-related threats
Provides a symmetric shared secret as a side-effect
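An added example, not part of the slides: a minimal SRP-6a exchange in Python that shows the two properties just listed, namely that the server stores only a salted verifier (never the password) and that both sides end up with the same session key without the password crossing the wire. Assumptions of mine: the group is the 1024-bit prime and generator from RFC 5054 as transcribed here (check it against the RFC), the SHA-256 padding convention and all function names are my own, and the sample user and passphrase are constructed.

```python
import hashlib
import secrets

# SRP-6a group: the 1024-bit prime and generator g = 2 from RFC 5054,
# transcribed here (assumption: verify against the RFC before relying on it).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
WIDTH = (N.bit_length() + 7) // 8  # every hashed integer is padded to |N| bytes

def H(*parts: int) -> int:
    """SHA-256 over fixed-width big-endian encodings, returned as an integer."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(WIDTH, "big"))
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier parameter

def private_x(salt: int, username: str, password: str) -> int:
    """x = H(salt | H(username ':' password)); only the client ever computes this."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha256(salt.to_bytes(16, "big") + inner).digest(), "big")

def enroll(username: str, password: str) -> tuple[int, int]:
    """Registration: the server stores (salt, verifier v = g^x mod N), never the password."""
    salt = secrets.randbits(128)
    return salt, pow(g, private_x(salt, username, password), N)

def login(username: str, typed_password: str, salt: int, v: int) -> tuple[int, int]:
    """One SRP exchange. Only A, B and the salt cross the wire; returns (K_client, K_server)."""
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                       # client -> server
    B = (k * v + pow(g, b, N)) % N         # server -> client
    if A % N == 0 or B % N == 0:
        raise ValueError("rejecting degenerate public value")
    u = H(A, B)                            # scrambling parameter, computed by both sides
    x = private_x(salt, username, typed_password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    return H(S_client), H(S_server)        # equal iff the typed password matches

def srp_login_succeeds(username: str, enrolled_pw: str, typed_pw: str) -> bool:
    """Enroll once, then log in; True when both sides derive the same session key."""
    k_client, k_server = login(username, typed_pw, *enroll(username, enrolled_pw))
    return k_client == k_server
```

The shared key returned by `login` is the "symmetric shared secret as a side-effect": after a successful run both sides hold it, while a wrong password yields two unrelated keys and the server learned nothing about what was typed.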
Password helpers
Create memorizable passwords
Rate passwords
Auto-fill forms
Store passwords encrypted
Store in DataSafe
Discussion: Where did you see the lack of usability in security?
Literature
• http://simson.net/ref/2009/2009-10-29-HCI-SEC.pdf
• http://cacm.acm.org/magazines/2009/11/48419-usable-security-how-to-get-it/fulltext
• http://oreilly.com/catalog/9780596008277
Questions?
[email protected]
• Threat universe --> intentional vs non-intentional vs negligence
• Misuse cases versus abuse cases
• SDLC from the user's perspective
• Fraud detection software
• Transaction PINs must be combined with fraud detection software