Copyright © 2008 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP-Italy Day IV, Milan, 6th November 2009
http://www.owasp.org
Usable Security
Tobias Christen
CTO, DSwiss / DataInherit
Content
• Definitions and Assumptions
• Simplicity
• Usable Security in the SDLC
• What others said
• Examples
Definition of Security
Risk of CIA(U) violation
Definition of Usable (Security)
Security controls are:
• accepted
• learnable
• cost effective
Accountability will not work for B2C Apps
No. 1 Risk in IT (Security)
Complexity
No. 1 Goal in Usable Security
Simplicity
Simplicity: From wisdom to action
Simplicity is the ultimate sophistication
Make it as simple as possible but not simpler
The ability to simplify means to eliminate the unnecessary so that the necessary may speak.
REDUCE
ORGANIZE
SAVE TIME
LEARN
EMOTION
10 Laws of Simplicity by John Maeda
Usable Security in the SDLC
One Architect for Everything?
Performance, Security, Usability
Personas
• Align Thinking
• Focus Design
• Recruit Testers
EMOTION
Wireframes
• Compare Alternatives
• Organize Elements
• Reduce Navigation
ORGANIZE
Graphical Design
• Guidelines
• Re-Usable Panels
• Consistency Checks
LEARN
Feedback Driven Small Improvements
SAVE TIME
What others said
The missing model?
Agent / Principal -> Request -> Guard -> Object / Model
Policy, Audit Log
Authentication, Authorization
Isolation Boundary
Butler Lampson
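A worked sketch of the model on this slide, added here as an example and not code from the talk: a guard on the isolation boundary authenticates the principal behind each request, authorizes the request against an explicit policy (deny by default) and writes every decision to an audit log. The HMAC token scheme, the sample policy and all names are assumptions made for the example.

```python
"""Lampson's access-control model as a toy reference monitor: a principal issues
a request, the guard on the isolation boundary authenticates the principal,
authorizes the request against policy and records the decision in an audit log.
Added example; not code from the talk. Token scheme, policy and names are assumed."""
from dataclasses import dataclass, field
import hashlib
import hmac
from typing import Optional

# Constructed server secret for the example's HMAC tokens (assumption).
_SERVER_KEY = b"example-server-key-not-for-production"


def issue_token(principal: str) -> str:
    """Authentication side: a token that binds a principal name to the server key."""
    mac = hmac.new(_SERVER_KEY, principal.encode(), hashlib.sha256).hexdigest()
    return f"{principal}:{mac}"


def authenticate(token: str) -> Optional[str]:
    """Return the principal a token names, or None when the MAC does not verify."""
    principal, _, mac = token.rpartition(":")
    if not principal:
        return None
    expected = hmac.new(_SERVER_KEY, principal.encode(), hashlib.sha256).hexdigest()
    return principal if hmac.compare_digest(mac, expected) else None


@dataclass(frozen=True)
class Request:
    token: str       # proves who is asking
    operation: str   # what they want to do
    obj: str         # on which object


@dataclass
class Guard:
    """The only path from principals to objects; everything else stays behind the boundary."""
    policy: dict                                  # (principal, operation, object) -> True
    audit_log: list = field(default_factory=list)

    def check(self, req: Request) -> bool:
        principal = authenticate(req.token)       # authentication
        if principal is None:
            self._audit("<unauthenticated>", req, False)
            return False
        # authorization: only explicit grants pass, everything else is denied
        allowed = self.policy.get((principal, req.operation, req.obj), False)
        self._audit(principal, req, allowed)
        return allowed

    def _audit(self, principal: str, req: Request, allowed: bool) -> None:
        self.audit_log.append({"principal": principal, "operation": req.operation,
                               "object": req.obj, "decision": "allow" if allowed else "deny"})


# Constructed sample policy: explicit grants only.
POLICY = {
    ("alice", "read", "payroll.csv"): True,
    ("alice", "write", "payroll.csv"): True,
    ("bob", "read", "payroll.csv"): True,
}


def demo():
    """Three requests: an allowed one, one with no matching rule, one with a forged token."""
    guard = Guard(POLICY)
    decisions = [
        guard.check(Request(issue_token("alice"), "write", "payroll.csv")),
        guard.check(Request(issue_token("bob"), "write", "payroll.csv")),
        guard.check(Request("bob:0000", "read", "payroll.csv")),
    ]
    return decisions, guard.audit_log
```

The point of the structure is that the three questions Lampson separates (who is asking, is it allowed, what happened) each have one place in the code, and a failed answer to the first never reaches the second.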
Exploit differences between users and bad guys
Bruce Tognazzini
Exploit differences in physical location
Bruce Tognazzini
Make security understandable
• Reduce configurability
• Visible security states
• Intuitive user interfaces
• Metaphors that users can understand
Usable Security Controls for Internet Apps
• Authentication
• Password helpers
• Audit trails
• Privacy Protection
for End-User, Sys-Admin, Security Operations
Secure Remote Password Protocol
• Nothing new to learn from a user's perspective
• Mitigates several password-related threats
• Provides a symmetric shared secret as a side-effect
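The SRP-6a exchange the slide refers to, written out with both sides in one script as an added example (not the DataInherit implementation). It assumes the RFC 5054 1024-bit group with generator 2 and SHA-256, which is enough to show the protocol but too small for production use; the M1/M2 confirmation messages follow the RFC 2945 form. The identity, passwords and salt are constructed inputs.

```python
"""SRP-6a, both sides in one file. Added example, not the talk's code.
Assumptions: RFC 5054 1024-bit group (illustration only; use 2048 bits or more
in practice), SHA-256, RFC 2945-style M1/M2. User names and passwords are made up."""
import hashlib
import secrets

N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496EA81D3383B4813D692C6E"
    "0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57E"
    "C68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8        # 128 bytes


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def hint(*parts: bytes) -> int:
    return int.from_bytes(h(*parts), "big")


def pad(x: int) -> bytes:               # left-pad to the size of N (RFC 5054)
    return x.to_bytes(NLEN, "big")


def be(x: int) -> bytes:                # minimal big-endian encoding
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")


k = hint(pad(N), pad(g))                # SRP-6a multiplier k = H(N | PAD(g))


def private_x(identity: bytes, password: bytes, salt: bytes) -> int:
    return hint(salt, h(identity, b":", password))


def enroll(identity: bytes, password: bytes, salt: bytes = None):
    """Registration: the server stores (salt, v); the password itself never leaves the client."""
    salt = salt or secrets.token_bytes(16)
    return salt, pow(g, private_x(identity, password, salt), N)


class Client:
    def __init__(self, identity: bytes, password: bytes):
        self.I, self.P = identity, password
        self.a = secrets.randbelow(N - 2) + 2
        self.A = pow(g, self.a, N)      # sent to the server together with I

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:                  # SRP-6a abort condition
            raise ValueError("bad server public value")
        u = hint(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("u == 0")
        x = private_x(self.I, self.P, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = h(be(S))               # the symmetric key the slide calls a side-effect
        self.M1 = h(bytes(p ^ q for p, q in zip(h(be(N)), h(be(g)))),
                    h(self.I), salt, pad(self.A), pad(B), self.K)
        return self.M1

    def confirm(self, M2: bytes) -> bool:
        return secrets.compare_digest(M2, h(pad(self.A), self.M1, self.K))


class Server:
    def __init__(self, identity: bytes, salt: bytes, v: int):
        self.I, self.salt, self.v = identity, salt, v
        self.b = secrets.randbelow(N - 2) + 2
        self.B = (k * v + pow(g, self.b, N)) % N

    def verify(self, A: int, M1: bytes):
        if A % N == 0:
            raise ValueError("bad client public value")
        u = hint(pad(A), pad(self.B))
        if u == 0:
            raise ValueError("u == 0")
        S = pow((A * pow(self.v, u, N)) % N, self.b, N)
        self.K = h(be(S))
        expected = h(bytes(p ^ q for p, q in zip(h(be(N)), h(be(g)))),
                     h(self.I), self.salt, pad(A), pad(self.B), self.K)
        if not secrets.compare_digest(M1, expected):
            return None                 # wrong password: no M2 and no usable key
        return h(pad(A), M1, self.K)


def run_exchange(identity: bytes, enrolled_pw: bytes, typed_pw: bytes) -> bool:
    """Full run: enrollment, then I, A -> salt, B -> M1 -> M2. True on mutual success."""
    salt, v = enroll(identity, enrolled_pw)
    server = Server(identity, salt, v)
    client = Client(identity, typed_pw)
    M1 = client.respond(salt, server.B)
    M2 = server.verify(client.A, M1)
    return M2 is not None and client.confirm(M2) and client.K == server.K
```

From the user's side this is still "type your password"; what changes is that the server only ever holds the verifier v, a sniffed exchange leaks nothing that can be replayed, and both sides leave the handshake holding the same key K without a separate key exchange.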
Password helpers
• Create memorizable passwords
• Rate passwords
• Auto-fill forms
• Store passwords encrypted
• Store in DataSafe
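Two of the helpers on this slide, creating memorizable passwords and rating passwords, as an added example that is not DataInherit's code. The word list and the breached-password set are small constructed stand-ins; the rating heuristic is a deliberately simple one.

```python
"""Password helpers: create memorizable passphrases and rate passwords.
Added example, not DataInherit's code. WORDS and BREACHED are constructed
stand-ins for a diceware word list and a breached-password list."""
import math
import secrets
import string

# Constructed stand-in; a real diceware list has 7776 words (about 12.9 bits per word).
WORDS = ["apple", "brick", "cloud", "delta", "ember", "flint", "grape", "harbor",
         "ivory", "jelly", "koala", "lemon", "mango", "nickel", "olive", "pebble"]
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}   # constructed sample


def make_passphrase(n_words: int = 5, sep: str = "-", words=WORDS) -> str:
    """Diceware-style generation: each word drawn uniformly with a CSPRNG, so the
    strength is known by construction rather than guessed from the string."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of a generated passphrase: n * log2(list size)."""
    return n_words * math.log2(wordlist_size)


def rate_password(pw: str) -> dict:
    """Crude rating for user-chosen passwords: known-breached values score zero,
    otherwise estimate bits from length and the character classes actually used."""
    if pw.lower() in BREACHED:
        return {"bits": 0.0, "verdict": "breached"}
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation or c == " " for c in pw):
        pool += len(string.punctuation) + 1
    bits = len(pw) * math.log2(pool) if pool else 0.0
    verdict = "weak" if bits < 40 else "fair" if bits < 64 else "strong"
    return {"bits": round(bits, 1), "verdict": verdict}
```

The useful contrast is between the two ratings: a generated passphrase has a provable entropy from the list size and word count, while a user-chosen password can only be estimated, and a blocklist hit should override any estimate.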
Discussion
Where did you see the lack of usability in security?
Literature
• http://simson.net/ref/2009/2009-10-29-HCI-SEC.pdf
• http://cacm.acm.org/magazines/2009/11/48419-usable-security-how-to-get-it/fulltext
• http://oreilly.com/catalog/9780596008277
Questions?
tobias.christen@dswiss.com
• Threat universe --> intentional vs non-intentional vs negligence
• Misuse cases versus abuse cases
• SDLC from the user’s perspective
• Fraud detection SW
• Transaction PINs must be combined with fraud detection software