Copyright © 2008 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP-Italy Day IV, Milan, 6 November 2009
http://www.owasp.org
Usable Security
Tobias Christen
CTO, DSwiss / DataInherit
Content
• Definitions and Assumptions
• Simplicity
• Usable Security in the SDLC
• What others said
• Examples
Definition of Security
Security = 1 / Risk of CIA violation: security is the inverse of the risk that confidentiality, integrity or availability is violated.
Definition of Usable (Security)
Security controls are:
• accepted
• learnable
• cost effective
Accountability will not work for B2C Apps
Nr 1 Risk in IT (Security)
Complexity
Nr 1 Goal in Usable Security
Simplicity
Simplicity: from wisdom to action
Simplicity is the ultimate sophistication.
Make it as simple as possible, but not simpler.
Simplify: eliminate the unnecessary so that the necessary may speak.
From the 10 Laws of Simplicity by John Maeda:
• REDUCE
• ORGANIZE
• SAVE TIME
• LEARN
• EMOTION
Usable Security in the SDLC
One Architect for Everything?
Performance, Security, Usability
Personas (EMOTION)
• Align thinking
• Focus design
• Recruit testers
Wireframes (ORGANIZE)
• Compare alternatives
• Organize elements
• Reduce navigation
Graphical Design (LEARN)
• Guidelines
• Re-usable panels
• Consistency checks
Feedback-Driven Small Improvements (SAVE TIME)
What others said
The missing model?
Lampson's access-control model: an agent (principal) issues a request; a guard, consulting the policy and writing to the audit log, decides whether the request reaches the object (the model). Authentication establishes which principal is behind the request, authorization decides whether the policy permits it, and an isolation boundary keeps the guard and the object out of the principal's direct reach.
Butler Lampson
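The model above in code, as an added example for this deck (not the speaker's or Lampson's code): a guard that every request must pass through, a token table standing in for authentication, an allow-list standing in for policy, and a hash-chained audit log so that a removed or altered entry is detectable. The class names, the token table, the policy tuples and the three sample requests are all constructed here.

```python
"""A minimal guard (reference monitor) in the shape of Lampson's figure.

Added example for this deck, not the speaker's code. Guard, Policy, AuditLog,
the token table and the sample requests are constructed for the demonstration.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    token: Optional[str]   # credential presented by the agent (None = anonymous)
    action: str            # e.g. "read", "write"
    obj: str               # the object the request targets


class AuditLog:
    """Append-only log; each entry carries the hash of the previous one, so a
    deleted or altered entry breaks the chain and verify() returns False."""

    def __init__(self):
        self.entries = []
        self._prev = "0" * 64

    def record(self, **fields):
        body = json.dumps(fields, sort_keys=True)
        digest = hashlib.sha256((self._prev + body).encode()).hexdigest()
        self.entries.append({"prev": self._prev, "body": body, "hash": digest})
        self._prev = digest

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            expect = hashlib.sha256((prev + e["body"]).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expect:
                return False
            prev = e["hash"]
        return True


class Guard:
    """Every access to an object passes through decide(); there is no other path."""

    def __init__(self, tokens, policy, log):
        self.tokens = tokens   # authentication: token -> principal (constructed table)
        self.policy = policy   # authorization: set of (principal, action, obj); default deny
        self.log = log

    def decide(self, req: Request) -> bool:
        principal = self.tokens.get(req.token)                    # authentication
        if principal is None:
            self.log.record(principal=None, action=req.action, obj=req.obj,
                            decision="deny", reason="unauthenticated")
            return False
        allowed = (principal, req.action, req.obj) in self.policy  # authorization
        self.log.record(principal=principal, action=req.action, obj=req.obj,
                        decision="allow" if allowed else "deny", reason="policy")
        return allowed


def demo():
    """Three constructed requests; returns (decisions, audit log)."""
    log = AuditLog()
    guard = Guard(tokens={"tok-alice": "alice", "tok-bob": "bob"},
                  policy={("alice", "read", "/payroll"), ("bob", "read", "/wiki")},
                  log=log)
    decisions = [guard.decide(Request("tok-alice", "read", "/payroll")),
                 guard.decide(Request("tok-bob", "read", "/payroll")),
                 guard.decide(Request(None, "read", "/wiki"))]
    return decisions, log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions, "log intact:", log.verify())
```

Denials are logged with a reason, which is what the usability argument needs: a user who is refused can be told why, and an operator can reconstruct it later. Token-to-principal lookup is a stand-in for real authentication; the point of the block is that every decision goes through one guard and every decision is recorded.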
Exploit differences between users and bad guys
Bruce Tognazzini
Exploit differences in physical location
Bruce Tognazzini
Make security understandable
• Reduce configurability
• Visible security states
• Intuitive user interfaces
• Metaphors that users can understand
Usable Security Controls for Internet Apps
Controls: authentication, password helpers, audit trails, privacy protection
Stakeholders: end-user, sys-admin, security operations
Secure Remote Password Protocol (SRP)
• Nothing new to learn from a user's perspective: the user still types a username and a password
• Mitigates several password-related threats: the server stores a verifier instead of the password, and the password itself never crosses the wire
• Provides a symmetric shared secret as a side-effect
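The exchange behind those three bullets, both sides written out, as an added example for this deck (not the speaker's or DSwiss's code). It follows SRP-6a: the server keeps only a salt and a verifier v = g^x, each side sends one group element, and both derive the same key only if the client's password is the one behind v. The group is the 1024-bit (N, g) transcribed from RFC 5054 Appendix A and is checked to be a safe prime before use; the usernames and passwords are constructed, the hash is SHA-256, and the client proofs (M1/M2) that a real implementation would exchange afterwards are left out.

```python
"""SRP-6a password-authenticated key exchange, client and server side.

Added example for this deck, not the speaker's or DSwiss's code. (N, g) is the
1024-bit group transcribed from RFC 5054 Appendix A and is sanity-checked below;
usernames and passwords are constructed for the demonstration.
"""
import hashlib
import secrets

N_HEX = ("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
         "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
         "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
         "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3")
N = int(N_HEX, 16)
g = 2
NLEN = (N.bit_length() + 7) // 8   # 128 bytes; group elements are padded to this length


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, enough to sanity-check a transcribed group parameter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


if not (is_probable_prime(N) and is_probable_prime((N - 1) // 2)):
    raise ValueError("N is not a safe prime: check the transcription against RFC 5054")


def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))   # SRP-6a multiplier


def private_x(salt: bytes, username: str, password: str) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def register(username: str, password: str):
    """Enrolment: the server stores (salt, verifier v); the password is never stored."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)


class Client:
    def __init__(self, username: str, password: str):
        self.I, self.P = username, password
        self.a = secrets.randbelow(N - 2) + 1   # ephemeral private value
        self.A = pow(g, self.a, N)              # sent to the server

    def session_key(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("server sent B = 0 mod N, abort")   # SRP-6a check
        u = H(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("u = 0, abort")
        x = private_x(salt, self.I, self.P)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        return hashlib.sha256(pad(S)).digest()


class Server:
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * v + pow(g, self.b, N)) % N   # sent to the client with the salt

    def session_key(self, A: int) -> bytes:
        if A % N == 0:
            raise ValueError("client sent A = 0 mod N, abort")   # SRP-6a check
        u = H(pad(A), pad(self.B))
        S = pow(A * pow(self.v, u, N), self.b, N)
        return hashlib.sha256(pad(S)).digest()


def exchange(username: str, password: str, salt: bytes, v: int):
    """Run both sides; returns (client_key, server_key). They match only if the
    client's password is the one behind v; the password itself never left the client."""
    client, server = Client(username, password), Server(salt, v)
    return client.session_key(salt, server.B), server.session_key(client.A)


if __name__ == "__main__":
    salt, v = register("alice", "correct horse battery staple")
    kc, ks = exchange("alice", "correct horse battery staple", salt, v)
    print("keys match:", kc == ks)
```

The two abort checks (A or B congruent to 0 mod N) are the ones SRP-6a requires; without them a party can force the shared secret to a known value. In a deployment the key K is confirmed with the M1/M2 proofs before either side uses it, and a stolen verifier table still costs the attacker a dictionary search per user because of the per-user salt.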
Password helpers
• Create memorizable passwords
• Rate passwords
• Auto-fill forms
• Store passwords encrypted
• Store in DataSafe
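The first two helpers in that list, as an added example for this deck (not DSwiss's DataSafe code): a passphrase generator that picks random words from a list, and a rater that estimates how many bits of guessing a password costs an attacker. The word list is a constructed 40-word sample (a real Diceware-style list has 7776 words, about 12.9 bits per word), the common-password set is a constructed sample, and the weak/fair/strong thresholds are assumptions, not a standard.

```python
"""Passphrase generator and password rater.

Added example for this deck, not DSwiss's code. WORDLIST and COMMON are
constructed samples; the rating thresholds are assumptions.
"""
import math
import re
import secrets
import string

WORDLIST = ("correct horse battery staple apple river candle forest garden "
            "island jacket kettle ladder meadow needle orange pepper quartz "
            "rocket saddle tunnel violin walnut yellow zipper anchor bridge "
            "copper dragon engine falcon glacier hammer iron jungle kernel "
            "lantern marble nickel oyster").split()
WORDSET = set(WORDLIST)
COMMON = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou"}


def make_passphrase(n_words: int = 5, words=WORDLIST):
    """Memorizable password: random words from the list. Returns (phrase, bits);
    each word is an independent uniform choice, so bits = n * log2(list size)."""
    phrase = " ".join(secrets.choice(words) for _ in range(n_words))
    return phrase, n_words * math.log2(len(words))


def charset_size(token: str) -> int:
    size = 0
    if any(c.islower() for c in token):
        size += 26
    if any(c.isupper() for c in token):
        size += 26
    if any(c.isdigit() for c in token):
        size += 10
    if any(c in string.punctuation for c in token):
        size += len(string.punctuation)
    return max(size, 1)   # spaces and other separators are treated as predictable


def estimate_bits(password: str) -> float:
    """Guess-entropy estimate. A listed word costs the attacker one dictionary
    guess (log2 of the list size), not one guess per character; a common
    password costs nothing; a run of one repeated character counts once."""
    if password.lower() in COMMON:
        return 0.0
    bits = 0.0
    for tok in re.findall(r"[A-Za-z]+|[^A-Za-z]+", password):
        if tok.lower() in WORDSET:
            bits += math.log2(len(WORDLIST))
        else:
            collapsed = re.sub(r"(.)\1+", r"\1", tok)   # "aaaa" -> "a"
            bits += len(collapsed) * math.log2(charset_size(tok))
    return bits


def rate(password: str) -> str:
    """Assumed bands: below 28 bits weak, below 60 fair, otherwise strong."""
    bits = estimate_bits(password)
    return "weak" if bits < 28 else "fair" if bits < 60 else "strong"


if __name__ == "__main__":
    phrase, bits = make_passphrase(6)
    print(phrase, round(bits, 1), rate(phrase))
    for pw in ("password", "correct horse battery staple", "Tr0ub4dor&3"):
        print(pw, round(estimate_bits(pw), 1), rate(pw))
```

The rater deliberately gives a dictionary word the same credit the generator gives it: with this 40-word list four words rate weak, with a 7776-word list the same four words would be worth about 52 bits. A rater that only counts character classes would score "correct horse battery staple" far higher than an attacker with a word list has to work for, which is the usual way strength meters mislead users.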
Discussion: Where did you see the lack of usability in security?
Literature
• http://simson.net/ref/2009/2009-10-29-HCI-SEC.pdf
• Butler Lampson, "Usable Security: How to Get It", Communications of the ACM, November 2009: http://cacm.acm.org/magazines/2009/11/48419-usable-security-how-to-get-it/fulltext
• Lorrie Faith Cranor and Simson Garfinkel (eds.), "Security and Usability", O'Reilly, 2005: http://oreilly.com/catalog/9780596008277