
Copyright © 2008 - The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation

OWASP-Italy Day IV, Milan, 6th November 2009

http://www.owasp.org

Usable Security

Tobias Christen

CTO, DSwiss / DataInherit

Content

• Definitions and Assumptions

• Simplicity

• Usable Security in the SDLC

• What others said

• Examples


Definition of Security

Security = 1 / Risk of CIA violation

(the inverse of the risk of a confidentiality, integrity or availability violation: the lower that risk, the higher the security)

Definition of Usable (Security)

Security controls are:

• accepted

• learnable

• cost effective

Accountability will not work for B2C Apps


No. 1 Risk in IT (Security)

Complexity

No. 1 Goal in Usable Security

Simplicity

Simplicity: from wisdom to action

Simplicity is the ultimate sophistication.

Make it as simple as possible, but not simpler.

The ability to simplify means to eliminate the unnecessary so that the necessary may speak.

10 Laws of Simplicity, by John Maeda

Five of the ten laws, used below as headings for the SDLC activities:

• REDUCE

• ORGANIZE

• SAVE TIME

• LEARN

• EMOTION

Usable Security in the SDLC


One Architect for Everything?

Performance / Security / Usability

Personas (EMOTION)

• Align Thinking

• Focus Design

• Recruit Testers

Wireframes (ORGANIZE)

• Compare Alternatives

• Organize Elements

• Reduce Navigation

Graphical Design (LEARN)

• Guidelines

• Re-Usable Panels

• Consistency Checks

Feedback-Driven Small Improvements (SAVE TIME)

What others said


The missing model?

Lampson's access-control model (from "Usable Security: How to Get It", listed in the literature below):

Agent / Principal --(Request)--> Guard --> Object / Model

The Guard is driven by a Policy and writes an Audit Log; the Object sits behind an Isolation Boundary and is reachable only through the Guard.

• Authentication: which principal is making the request

• Authorization: whether the policy lets this request reach this object

Butler Lampson
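The model above as code, added here as an example (it is not from the talk, from Lampson, or from DSwiss): one Guard is the only path to the objects, it authenticates the principal, authorizes the request against a policy, records every decision, allowed or denied, in an audit log, and denies anything the policy does not explicitly permit. The credential scheme (an HMAC over the principal name under a shared secret), the policy and the object data are constructed stand-ins for illustration.

```python
"""Lampson's access-control model as a single Guard (added example).

Constructed stand-ins: the HMAC token scheme, the policy and the objects.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    principal: str     # the agent / principal making the request
    token: bytes       # credential presented for authentication
    operation: str     # "read" or "write"
    object_name: str   # target object behind the isolation boundary


def issue_token(secret: bytes, principal: str) -> bytes:
    """Constructed credential issuer; a real system would use an auth service."""
    return hmac.new(secret, principal.encode(), hashlib.sha256).digest()


@dataclass
class Guard:
    secret: bytes                        # shared with the token issuer
    policy: dict                         # (principal, operation, object) -> True
    objects: dict                        # reachable only through handle()
    audit_log: list = field(default_factory=list)

    def authenticate(self, req: Request) -> bool:
        """Does the credential bind to the principal the request claims to be?"""
        expected = issue_token(self.secret, req.principal)
        return hmac.compare_digest(expected, req.token)

    def authorize(self, req: Request) -> bool:
        """Policy lookup: anything not explicitly allowed is denied."""
        return self.policy.get((req.principal, req.operation, req.object_name), False)

    def handle(self, req: Request, payload=None):
        """The only path to the objects; returns the result, or None when denied."""
        if not self.authenticate(req):
            return self._deny(req, "authentication failed")
        if req.operation not in ("read", "write"):
            return self._deny(req, "unknown operation")
        if not self.authorize(req):
            return self._deny(req, "not permitted by policy")
        if req.object_name not in self.objects:
            return self._deny(req, "no such object")
        self._log(req, "allow", "")
        if req.operation == "write":
            self.objects[req.object_name] = payload
        return self.objects[req.object_name]

    def _deny(self, req: Request, reason: str):
        self._log(req, "deny", reason)
        return None

    def _log(self, req: Request, decision: str, reason: str) -> None:
        self.audit_log.append({"principal": req.principal, "operation": req.operation,
                               "object": req.object_name, "decision": decision,
                               "reason": reason})


def demo():
    """Four requests: one allowed, one denied by policy, two failing authentication."""
    secret = b"constructed-demo-secret"
    guard = Guard(
        secret=secret,
        policy={("alice", "read", "report"): True,
                ("alice", "write", "report"): True,
                ("bob", "read", "report"): True},
        objects={"report": "Q3 figures"},
    )
    alice_tok, bob_tok = issue_token(secret, "alice"), issue_token(secret, "bob")
    results = [
        guard.handle(Request("alice", alice_tok, "read", "report")),
        guard.handle(Request("bob", bob_tok, "write", "report"), payload="tampered"),
        guard.handle(Request("alice", bob_tok, "read", "report")),   # bob's token, alice's name
        guard.handle(Request("carol", b"\x00" * 32, "read", "report")),
    ]
    return results, guard.audit_log, guard.objects


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The audit log is the part most often left out in practice: it records the denied write and the two failed authentications with the reason, which is what makes accountability and incident reconstruction possible, while the object itself never changed.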

Exploit differences between users and bad guys

Bruce Tognazzini

Exploit differences in physical location

Bruce Tognazzini

Make security understandable

• Reduce configurability

• Visible security states

• Intuitive user interfaces

• Metaphors that users can understand

Usable Security Controls for Internet Apps

Controls:

• Authentication

• Password helpers

• Audit trails

• Privacy Protection

Audiences:

• End-User

• Sys-Admin

• Security Operations

Secure Remote Password Protocol

• Nothing new to learn from a user's perspective

• Mitigates several password-related threats

• Provides a symmetric shared secret as a side effect
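The three points above in a runnable SRP-6a exchange, added here as an example (not code from the talk or from DSwiss). The user still types a username and password exactly as in a plain login form; the server stores only a salt and a verifier, never the password; the password never leaves the client; and both sides finish with the same session key K. Assumptions: the 1024-bit group from RFC 5054 is used for N and g, SHA-256 is the hash, the proof messages are the simplified M1 = H(A | B | K) and M2 = H(A | M1 | K) rather than the RFC 2945 form, and the two parties are driven in-process instead of over a network.

```python
"""SRP-6a registration and login between a Client and a Server (added example).

Assumptions: RFC 5054 1024-bit group, SHA-256, simplified proof messages.
"""
import hashlib
import hmac
import secrets

# Safe prime N and generator g from RFC 5054, Appendix A (1024-bit group).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8


def _pad(x: int) -> bytes:
    """Fixed-width big-endian encoding, as SRP-6a requires inside hashes."""
    return x.to_bytes(N_LEN, "big")


def _hash_int(*parts: int) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(_pad(p) for p in parts)).digest(), "big")


def _proof(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


k = _hash_int(N, g)   # SRP-6a multiplier k = H(N | PAD(g))


def _private_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt | H(username ":" password)); computed only on the client."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")


def register(username: str, password: str):
    """Enrolment: only (salt, verifier v = g^x) is sent to the server."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, _private_x(salt, username, password), N)


class Server:
    def __init__(self, users):
        self.users = users            # username -> (salt, verifier); no passwords here
        self.session_key = None

    def challenge(self, username: str, A: int):
        if A % N == 0:                # a zero A would let a client fix the key
            raise ValueError("rejecting A = 0 mod N")
        salt, v = self.users[username]
        self._A, self._v, self._b = A, v, secrets.randbits(256) | 1
        self._B = (k * v + pow(g, self._b, N)) % N
        return salt, self._B

    def verify(self, M1: bytes):
        u = _hash_int(self._A, self._B)
        S = pow(self._A * pow(self._v, u, N) % N, self._b, N)
        K = _proof(_pad(S))
        if not hmac.compare_digest(M1, _proof(_pad(self._A), _pad(self._B), K)):
            return None               # wrong password: no key, no M2, nothing leaked
        self.session_key = K
        return _proof(_pad(self._A), M1, K)


class Client:
    def __init__(self, username: str, password: str):
        self.username, self.password, self.session_key = username, password, None

    def start(self):
        self._a = secrets.randbits(256) | 1
        self._A = pow(g, self._a, N)
        return self.username, self._A

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("rejecting B = 0 mod N")
        u = _hash_int(self._A, B)
        if u == 0:
            raise ValueError("rejecting u = 0")
        x = _private_x(salt, self.username, self.password)
        S = pow((B - k * pow(g, x, N)) % N, self._a + u * x, N)
        self._K = _proof(_pad(S))
        self._M1 = _proof(_pad(self._A), _pad(B), self._K)
        return self._M1

    def finish(self, M2) -> bool:
        if M2 is None or not hmac.compare_digest(M2, _proof(_pad(self._A), self._M1, self._K)):
            return False
        self.session_key = self._K
        return True


def login(server: Server, username: str, password: str) -> bool:
    """Drive one exchange: username, A -> salt, B -> M1 -> M2. True only if both sides accept."""
    client = Client(username, password)
    salt, B = server.challenge(*client.start())
    M2 = server.verify(client.respond(salt, B))
    return client.finish(M2) and client.session_key == server.session_key
```

What goes over the wire is username, A, salt, B, M1 and M2; none of it is the password or the verifier, so a recorded exchange gives an eavesdropper nothing to crack offline, and a stolen server database yields only verifiers. The key K both sides hold at the end is the shared secret the slide calls a side effect; it can key the rest of the session without a separate key exchange.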

Password helpers

• Create memorizable passwords

• Rate passwords

• Auto-fill forms

• Store passwords encrypted

• Store in DataSafe
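The first two helpers on the list, creating a memorizable password and rating one, as an added example (not DSwiss code). The generator draws words uniformly with a CSPRNG, so its entropy is exact: log2 of the number of equally likely phrases. The rater, by contrast, can only bound a user-typed password from above by its length and character classes, after first checking a blocklist; the word list and blocklist here are tiny constructed samples, and a real helper would use a list of several thousand words and a breach-derived blocklist.

```python
"""Passphrase generation and password rating (added example; constructed lists)."""
import math
import secrets
import string

# Constructed 16-word sample; a real list would be Diceware-sized (7776 words).
WORDS = ["anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
         "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper"]
# Constructed blocklist stand-in for a breach-derived list.
COMMON = {"password", "123456", "qwerty", "letmein", "welcome"}


def make_passphrase(n_words: int = 4, words=WORDS):
    """Uniform CSPRNG choice per word; returns (passphrase, exact entropy in bits)."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    return " ".join(chosen), n_words * math.log2(len(words))


def estimate_entropy(password: str) -> float:
    """Upper-bound estimate: length * log2(size of the character pool actually used)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    pool = sum(len(c) for c in classes if any(ch in c for ch in password))
    pool += len({ch for ch in password if not any(ch in c for c in classes)})  # spaces etc.
    return len(password) * math.log2(pool) if pool else 0.0


def rate_password(password: str):
    """Blocklist first (a common password scores zero), then entropy bands."""
    if password.lower() in COMMON:
        return "weak", 0.0
    bits = estimate_entropy(password)
    if bits < 50:
        return "weak", bits
    if bits < 80:
        return "fair", bits
    return "strong", bits


if __name__ == "__main__":
    phrase, bits = make_passphrase()
    print(phrase, round(bits, 1), "bits")
    for candidate in ("password", "Tr0ub4dor&3", phrase):
        print(candidate, rate_password(candidate))
```

Note the asymmetry the code makes visible: a four-word phrase from this 16-word list has exactly 16 bits, while the class-based estimate for the same string would report far more, because the rater cannot know the string was built from a small list. Ratings of user-typed passwords are therefore ceilings, which is why the blocklist check runs first.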

Discussion

Where did you see the lack of usability in security?

Literature

• http://simson.net/ref/2009/2009-10-29-HCI-SEC.pdf

• http://cacm.acm.org/magazines/2009/11/48419-usable-security-how-to-get-it/fulltext

• http://oreilly.com/catalog/9780596008277


Questions?

tobias.christen@dswiss.com