CTO DSwiss / DataInherit - OWASP · 2021. 3. 9. · [email protected]. Title: OWASP Day IV...
![Page 1: CTO DSwiss / DataInherit - OWASP · 2021. 3. 9. · tobias.christen@dswiss.com. Title: OWASP Day IV Author: OWASP Keywords: Web Application Security Created Date: 11/9/2009 6:46:06](https://reader036.fdocuments.us/reader036/viewer/2022071608/6146f35af4263007b1358114/html5/thumbnails/1.jpg)
Copyright © 2008 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP-Italy Day IV, Milan, 6th November 2009
http://www.owasp.org
Usable Security
Tobias Christen
CTO, DSwiss / DataInherit
Content
• Definitions and Assumptions
• Simplicity
• Usable Security in the SDLC
• What others said
• Examples
Definition of Security
Risk of a CIA (confidentiality, integrity, availability) violation
Definition of Usable (Security)
Security controls are:
• accepted
• learnable
• cost effective
Accountability will not work for B2C Apps
Nr 1 Risk in IT (Security)
Complexity
Nr 1 Goal in Usable Security
Simplicity
Simplicity: from wisdom to action
Simplicity is the ultimate sophistication
Make it as simple as possible, but not simpler
Simplicity: to eliminate the unnecessary so that the necessary may speak.
10 Laws of Simplicity, by John Maeda
• REDUCE
• ORGANIZE
• SAVE TIME
• LEARN
• EMOTION
Usable Security in the SDLC
One Architect for Everything?
Performance / Security / Usability
Personas: align thinking, focus design, recruit testers (EMOTION)
Wireframes: compare alternatives, organize elements, reduce navigation (ORGANIZE)
Graphical Design: guidelines, re-usable panels, consistency checks (LEARN)
Feedback-driven small improvements (SAVE TIME)
What others said
The missing model? (Butler Lampson)
Agent / Principal → Request → Guard → Object / Model
The Guard decides each Request against a Policy and records the decision in an Audit Log.
Authentication: who is the principal making the request? Authorization: what does the policy allow that principal to do?
Isolation Boundary: the object is reachable only through the guard.
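The boxes on this slide worked out as an added example that is not part of the talk: a small reference monitor in Python in which every request from an agent passes through a guard that authenticates the principal, consults a policy and appends to an audit log before the protected object is touched. The Guard, DocumentStore and Request names, the bearer tokens, the document and the policy entries are this example's own constructed assumptions, not anything from the slides or from DSwiss.

```python
# Added example, not from the slides: Lampson's access-control model as code.
# A principal attaches a credential to each request; the guard authenticates
# it, decides against a deny-by-default policy, writes the decision to an audit
# log and only then touches the protected object. The object sits behind the
# guard (the isolation boundary): callers never get a reference to it.
# Principals, tokens, document names and policy entries are constructed sample data.
from dataclasses import dataclass
from typing import Optional
import hashlib

@dataclass(frozen=True)
class Request:
    credential: str  # what the agent presents, here a bearer token
    action: str      # "read" or "write"
    object_id: str   # the object the request is about

class DocumentStore:
    """The protected object. It checks nothing itself; that is the guard's job."""
    def __init__(self, docs: dict):
        self._docs = dict(docs)

    def read(self, object_id: str) -> str:
        return self._docs[object_id]

    def write(self, object_id: str, data: str) -> None:
        self._docs[object_id] = data

class Guard:
    def __init__(self, store: DocumentStore, token_hashes: dict, policy: set):
        self._store = store                # reachable only through handle()
        self._token_hashes = token_hashes  # sha256(token) -> principal (authentication)
        self._policy = policy              # {(principal, action, object_id)} (authorization)
        self.audit_log = []                # one line per decision, allowed or denied

    def _authenticate(self, credential: str) -> Optional[str]:
        digest = hashlib.sha256(credential.encode()).hexdigest()
        return self._token_hashes.get(digest)  # None: nobody we know

    def _authorize(self, principal: str, req: Request) -> bool:
        return (principal, req.action, req.object_id) in self._policy  # absent = deny

    def handle(self, req: Request, data: Optional[str] = None):
        principal = self._authenticate(req.credential)
        if principal is None:
            self.audit_log.append(f"DENY unauthenticated {req.action} {req.object_id}")
            raise PermissionError("authentication failed")
        if not self._authorize(principal, req):
            self.audit_log.append(f"DENY {principal} {req.action} {req.object_id}")
            raise PermissionError(f"{principal} may not {req.action} {req.object_id}")
        self.audit_log.append(f"ALLOW {principal} {req.action} {req.object_id}")
        if req.action == "read":
            return self._store.read(req.object_id)
        self._store.write(req.object_id, data)  # the policy only ever grants "read" or "write"
        return None

def build_guard() -> Guard:
    tokens = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed credentials
    token_hashes = {hashlib.sha256(t.encode()).hexdigest(): p for t, p in tokens.items()}
    policy = {("alice", "read", "will.pdf"), ("alice", "write", "will.pdf"),
              ("bob", "read", "will.pdf")}
    return Guard(DocumentStore({"will.pdf": "v1"}), token_hashes, policy)

def run_scenario() -> tuple:
    """Three requests: an allowed read, a denied write, and one with an unknown token."""
    guard = build_guard()
    results = []
    for req, data in [(Request("tok-bob", "read", "will.pdf"), None),
                      (Request("tok-bob", "write", "will.pdf"), "v2"),
                      (Request("tok-mallory", "read", "will.pdf"), None)]:
        try:
            results.append(("ok", guard.handle(req, data)))
        except PermissionError as exc:
            results.append(("denied", str(exc)))
    return results, guard.audit_log

if __name__ == "__main__":
    for line in run_scenario()[1]:
        print(line)
```

The policy is closed: a (principal, action, object) triple that is not in the set is denied, and every outcome, including a failed authentication, lands in the audit log, which is what lets security operations reconstruct afterwards who asked for what.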
Exploit differences between users and bad guys
Bruce Tognazzini
Exploit differences in physical location
Bruce Tognazzini
Make security understandable:
• Reduce configurability
• Visible security states
• Intuitive user interfaces
• Metaphors that users can understand
Usable Security Controls for Internet Apps
Controls: Authentication, Password helpers, Audit trails, Privacy protection
Audiences: End-User, Sys-Admin, Security Operations
Secure Remote Password Protocol
Nothing new to learn from a user’s perspective
Mitigates several password-related threats
Provides a symmetric shared secret as a side-effect
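The exchange behind these three bullets, as an added example that is not part of the slides: a complete SRP-6a login in Python with the client and the server side in one file. It uses the 1024-bit group from RFC 5054 Appendix A with g = 2 and SHA-256 as the hash; the user name, password and salt are constructed sample data, and the Server and Client classes and the login() driver are this example's own names, not an API from the talk or from DSwiss. The user still types only a user name and a password; the server stores a salt and a verifier instead of the password; and when the password matches, both sides finish with the same session key, the shared secret the slide mentions.

```python
# Added example, not from the slides: an SRP-6a login with client and server in
# one file. Group: the 1024-bit safe-prime group of RFC 5054 Appendix A (g = 2);
# hash: SHA-256. User name, password and salt are constructed sample data.
import hashlib
import hmac
import secrets

N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2
N_LEN = (N.bit_length() + 7) // 8

def pad(x: int) -> bytes:
    return x.to_bytes(N_LEN, "big")  # left-pad to |N| bytes, as RFC 5054 requires

def h_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

K_MULT = h_int(pad(N), pad(G))  # SRP-6a multiplier k = H(N | PAD(g))

def private_key(salt: bytes, identity: str, password: str) -> int:
    """x = H(salt | H(identity ':' password)); only the client ever computes it."""
    return h_int(salt, hashlib.sha256(f"{identity}:{password}".encode()).digest())

def enroll(identity: str, password: str) -> dict:
    """Registration: the client hands over (identity, salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    return {"identity": identity, "salt": salt,
            "verifier": pow(G, private_key(salt, identity, password), N)}

class Server:
    def __init__(self, record: dict):
        self.record = record  # what the password database holds for one user
        self.A = self.B = self.b = self.key = None

    def challenge(self, identity: str, A: int) -> tuple:
        """Step 1: receive (I, A), answer with (salt, B). A == 0 mod N is rejected."""
        if identity != self.record["identity"] or A % N == 0:
            raise ValueError("unknown user or invalid client public value")
        self.A, self.b = A, secrets.randbits(256)
        self.B = (K_MULT * self.record["verifier"] + pow(G, self.b, N)) % N
        return self.record["salt"], self.B

    def verify(self, m1: bytes):
        """Step 2: check the client's proof M1; return the server proof M2 or None."""
        u = h_int(pad(self.A), pad(self.B))
        if u == 0:
            raise ValueError("u == 0, abort")
        s = pow(self.A * pow(self.record["verifier"], u, N), self.b, N)
        self.key = hashlib.sha256(pad(s)).digest()  # the shared secret
        expected = hashlib.sha256(pad(self.A) + pad(self.B) + self.key).digest()
        if not hmac.compare_digest(expected, m1):
            return None
        return hashlib.sha256(pad(self.A) + m1 + self.key).digest()

class Client:
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password
        self.a = secrets.randbits(256)
        self.A = pow(G, self.a, N)
        self.key = self.m1 = None

    def respond(self, salt: bytes, B: int) -> bytes:
        """Receive (salt, B); derive the key from the password and return proof M1."""
        if B % N == 0:
            raise ValueError("invalid server public value")
        u = h_int(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("u == 0, abort")
        x = private_key(salt, self.identity, self.password)
        base = (B - K_MULT * pow(G, x, N)) % N  # equals g^b only if x matches the verifier
        self.key = hashlib.sha256(pad(pow(base, self.a + u * x, N))).digest()
        self.m1 = hashlib.sha256(pad(self.A) + pad(B) + self.key).digest()
        return self.m1

    def finish(self, m2) -> bool:
        """Check the server's proof M2, so the client knows it talked to the real server."""
        if m2 is None:
            return False
        return hmac.compare_digest(hashlib.sha256(pad(self.A) + self.m1 + self.key).digest(), m2)

def login(record: dict, identity: str, password: str) -> dict:
    """Run the whole exchange in-process and report what each side concluded."""
    client, server = Client(identity, password), Server(record)
    salt, B = server.challenge(identity, client.A)   # client -> (I, A); server -> (salt, B)
    m2 = server.verify(client.respond(salt, B))      # client -> M1; server -> M2 or None
    return {"client_ok": client.finish(m2), "server_ok": m2 is not None,
            "same_key": client.key == server.key}

if __name__ == "__main__":
    rec = enroll("alice", "correct horse battery staple")       # constructed sample user
    print(login(rec, "alice", "correct horse battery staple"))  # all three True
    print(login(rec, "alice", "not the password"))              # all three False
```

Over a network the same four messages cross the wire: (I, A), (salt, B), M1 and M2, and a wrong password shows up only as a failed M1 check on the server; neither the verifier nor the exchanged values let an observer of the traffic test password guesses against them. RFC 5054 also lists larger groups; a deployment should pick at least the 2048-bit group and a reviewed implementation rather than this teaching code.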
Password helpers
• Create memorizable passwords
• Rate passwords
• Auto-fill forms
• Store passwords encrypted
• Store in DataSafe
Discussion: Where did you see the lack of usability in security?
Literature
• http://simson.net/ref/2009/2009-10-29-HCI-SEC.pdf
• http://cacm.acm.org/magazines/2009/11/48419-usable-security-how-to-get-it/fulltext
• http://oreilly.com/catalog/9780596008277