Usable Security - OWASP

Post on 05-Jun-2020


Copyright © 2008 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation

OWASP-Italy Day IV, Milan, 6th November 2009

http://www.owasp.org

Usable Security

Tobias Christen

CTO, DSwiss / DataInherit


Content

• Definitions and Assumptions

• Simplicity

• Usable Security in the SDLC

• What others said

• Examples


Definition of Security

Risk of CIA(U) violation (CIA: Confidentiality, Integrity, Availability)

Definition of Usable (Security)

Security controls are:

• accepted

• learnable

• cost effective


Accountability will not work for B2C Apps


Nr 1 Risk in IT (Security)

Complexity


Nr 1 Goal in Usable Security

Simplicity


Simplicity: from wisdom to action

Simplicity is the ultimate sophistication


Make it as simple as possible but not simpler


The ability to simplify means to eliminate the unnecessary so that the necessary may speak.


10 Laws of Simplicity by John Maeda (five of the ten)

• REDUCE

• ORGANIZE

• SAVE TIME

• LEARN

• EMOTION

Usable Security in the SDLC

One Architect for Everything?

Performance / Security / Usability

Personas (EMOTION): Align Thinking, Focus Design, Recruit Testers

Wireframes (ORGANIZE): Compare Alternatives, Organize Elements, Reduce Navigation

Graphical Design (LEARN): Guidelines, Re-Usable Panels, Consistency Checks

Feedback-Driven Small Improvements (SAVE TIME)

What others said


The missing model? (Butler Lampson's access-control model)

Agent / Principal --> Request --> Guard --> Object / Model

The Guard decides every request against the Policy and writes each decision to the Audit Log. Authentication establishes which principal is asking, Authorization checks the request against the policy, and the Isolation Boundary ensures the object can only be reached through the Guard.
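The model above, reduced to a runnable reference monitor. This is an added example, not code from the slides, OWASP or DSwiss; the names (Guard, Account, the session-token scheme, the policy triples) are hypothetical choices made for illustration. The point it makes beyond the diagram: the guard is default-deny, dispatches only through a closed action table, and logs denied requests as well as allowed ones, because an audit log that records only successes is useless to Security Operations.

```python
"""Reference monitor in the shape of Lampson's model: Principal -> Request -> Guard -> Object."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    token: str  # credential presented for authentication (hypothetical session token)


@dataclass(frozen=True)
class Request:
    principal: Principal
    action: str  # name of an entry in ACTIONS
    target: str  # name of the guarded object


class Account:
    """The object / model. It lives behind the isolation boundary: only the Guard holds it."""

    def __init__(self, balance: int) -> None:
        self._balance = balance

    def read(self) -> int:
        return self._balance

    def deposit(self, amount: int) -> int:
        if amount <= 0:
            raise ValueError("deposit must be positive")
        self._balance += amount
        return self._balance


# Closed action table: the guard never dispatches on a caller-chosen attribute name.
ACTIONS = {
    "read": lambda obj, args: obj.read(),
    "deposit": lambda obj, args: obj.deposit(*args),
}


class Guard:
    """Authenticate, authorize against the policy, write the audit log, then act. Default deny."""

    def __init__(self, sessions: dict, policy: set, objects: dict) -> None:
        self._sessions = sessions  # token -> principal name, as issued by authentication
        self._policy = policy      # set of allowed (principal, action, target) triples
        self._objects = objects    # target name -> object; never handed out to callers
        self.audit_log = []        # one record per request, allowed or not

    def _authenticate(self, p: Principal) -> bool:
        return self._sessions.get(p.token) == p.name

    def _authorize(self, req: Request) -> bool:
        return (req.principal.name, req.action, req.target) in self._policy

    def handle(self, req: Request, *args):
        if not self._authenticate(req.principal):
            decision = "deny:unauthenticated"
        elif req.action not in ACTIONS or req.target not in self._objects:
            decision = "deny:unknown"
        elif not self._authorize(req):
            decision = "deny:policy"
        else:
            decision = "allow"
        self.audit_log.append({"principal": req.principal.name, "action": req.action,
                               "target": req.target, "decision": decision})
        if decision != "allow":
            raise PermissionError(decision)
        return ACTIONS[req.action](self._objects[req.target], args)


def demo() -> tuple[list, list]:
    """Runs four constructed requests through one guard; returns (results, audit log)."""
    sessions = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed sample sessions
    policy = {("alice", "read", "acct-1"), ("alice", "deposit", "acct-1"),
              ("bob", "read", "acct-1")}
    guard = Guard(sessions, policy, {"acct-1": Account(100)})
    alice = Principal("alice", "tok-alice")
    bob = Principal("bob", "tok-bob")
    mallory = Principal("alice", "tok-forged")  # claims to be alice with a token nobody issued

    results = []
    for req, args in [
        (Request(alice, "deposit", "acct-1"), (50,)),
        (Request(bob, "deposit", "acct-1"), (1,)),   # authenticated but not authorized
        (Request(mallory, "read", "acct-1"), ()),    # not authenticated
        (Request(bob, "read", "acct-1"), ()),
    ]:
        try:
            results.append(guard.handle(req, *args))
        except PermissionError as e:
            results.append(str(e))
    return results, guard.audit_log


if __name__ == "__main__":
    for record in demo()[1]:
        print(record)
```

Note that the caller never obtains the Account object itself, only the return value of an action the guard chose to run; that is what the isolation boundary means in code.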

Exploit differences between users and bad guys (Bruce Tognazzini)

Exploit differences in physical location (Bruce Tognazzini)

Make security understandable

• Reduce configurability

• Visible security states

• Intuitive user interfaces

• Metaphors that users can understand

Usable Security Controls for Internet Apps

Controls: Authentication, Password helpers, Audit trails, Privacy Protection

Roles: End-User, Sys-Admin, Security Operations

Secure Remote Password Protocol (SRP)

• Nothing new to learn from a user's perspective: the user still types a username and a password

• Mitigates several password-related threats: the password never crosses the wire, and the server stores only a verifier rather than the password

• Provides a symmetric shared secret (a session key) as a side-effect
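The exchange that delivers those properties, written out with both sides in one file. This is an added example, not code from the slides, OWASP, DSwiss or any SRP library. It follows SRP-6a as laid out in RFC 5054, with two simplifications that are stated here as assumptions: SHA-256 replaces the RFC's SHA-1 throughout, and the proof messages M1/M2 are the simplified hash forms rather than the full RFC 2945 construction. The 1024-bit group from RFC 5054 Appendix A is used for brevity; real deployments should use a 2048-bit or larger group and a reviewed library.

```python
"""SRP-6a password-authenticated key exchange: enrolment, then the wire exchange in order."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# RFC 5054 Appendix A, 1024-bit group; generator g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF74"
    "96EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6"
    "CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4"
    "976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Left-pad an integer to the group size, as RFC 5054 requires before hashing."""
    return x.to_bytes(N_LEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier; ties the exchange to this particular group


def private_x(salt: bytes, identity: str, password: str) -> int:
    return H(salt, hashlib.sha256(f"{identity}:{password}".encode()).digest())


def enroll(identity: str, password: str) -> tuple[bytes, int]:
    """Registration. The server keeps (salt, verifier) only; the password never leaves the client."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, identity, password), N)


def server_respond(A: int, v: int) -> tuple[int, int]:
    """Server side after receiving A: reject A = 0 mod N, then produce ephemeral b and public B."""
    if A % N == 0:
        raise ValueError("illegal client public value")  # A = 0 would force S = 0 on the server
    b = secrets.randbelow(N - 1) + 1
    return b, (k * v + pow(g, b, N)) % N


def client_key(identity: str, password: str, salt: bytes, a: int, A: int, B: int) -> bytes:
    if B % N == 0:
        raise ValueError("illegal server public value")
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("u must not be zero")  # otherwise the password drops out of S
    x = private_x(salt, identity, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()


def server_key(A: int, B: int, b: int, v: int) -> bytes:
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)  # (g^a * g^(xu))^b == g^(b(a+ux)) on the client
    return hashlib.sha256(pad(S)).digest()


def run_exchange(identity: str, password: str, salt: bytes, v: int) -> dict:
    """The wire exchange, message by message. Returns the outcome as both sides see it."""
    a = secrets.randbelow(N - 1) + 1                 # client ephemeral secret
    A = pow(g, a, N)                                  # client -> server: I, A
    b, B = server_respond(A, v)                       # server -> client: salt, B
    K_c = client_key(identity, password, salt, a, A, B)   # client derives K from the password
    K_s = server_key(A, B, b, v)                          # server derives K from the verifier
    M1 = hashlib.sha256(pad(A) + pad(B) + K_c).digest()  # client -> server: proof of K
    if not hmac.compare_digest(M1, hashlib.sha256(pad(A) + pad(B) + K_s).digest()):
        return {"authenticated": False, "session_key": None}  # server rejects; no M2 is sent
    M2 = hashlib.sha256(pad(A) + M1 + K_s).digest()      # server -> client: proof it holds v
    if not hmac.compare_digest(M2, hashlib.sha256(pad(A) + M1 + K_c).digest()):
        return {"authenticated": False, "session_key": None}  # client rejects an impostor server
    return {"authenticated": True, "session_key": K_s}


if __name__ == "__main__":
    salt, v = enroll("alice", "correct horse battery staple")  # constructed sample account
    print(run_exchange("alice", "correct horse battery staple", salt, v)["authenticated"])
    print(run_exchange("alice", "wrong password", salt, v)["authenticated"])
```

Everything that crosses the wire is I, A, salt, B, M1 and M2; an eavesdropper sees no password and no verifier, and a stolen server database yields only v, which still has to be brute-forced through g^x. The session key K that both sides end up holding is the "symmetric shared secret as a side-effect" of the slide.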

Password helpers

• Create memorizable passwords

• Rate passwords

• Auto-fill forms

• Store passwords encrypted

• Store in DataSafe
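The first two helpers on that slide, as an added example that is not code from the slides, DSwiss or the DataSafe product. The word list and the blocklist are tiny constructed samples (a real helper ships a list of several thousand words, such as the EFF list, and a breached-password blocklist), and the 12-character floor is an assumed house rule. The design point worth taking away: a passphrase the helper generated has a known entropy because the helper controls the process, whereas a rating of a user-typed password can only ever be an upper bound.

```python
"""Password helpers: a memorizable passphrase generator and a deliberately humble rater."""
from __future__ import annotations

import math
import secrets
import string

# Constructed 16-word sample list; a real helper ships thousands of words.
WORDS = ["acorn", "basil", "cider", "delta", "ember", "fjord", "grove", "hazel",
         "ivory", "juniper", "kettle", "lumen", "maple", "nectar", "olive", "pixel"]

# Constructed stand-in for a breached-password blocklist.
COMMON = {"password", "123456", "qwerty", "letmein", "welcome"}

MIN_LEN = 12  # assumption: the helper's minimum length for user-chosen passwords


def generate_passphrase(n_words: int = 6, words: list[str] = WORDS,
                        sep: str = "-") -> tuple[str, float]:
    """Diceware-style passphrase plus its exact entropy in bits.

    The figure is exact because the helper controls the process: each word is an
    independent uniform draw (secrets.choice, never random.choice), so every word
    contributes log2(len(words)) bits no matter how long the words are."""
    phrase = sep.join(secrets.choice(words) for _ in range(n_words))
    return phrase, n_words * math.log2(len(words))


def rate_password(pw: str) -> tuple[float, str]:
    """Rate a user-chosen password. Returns (estimated bits, verdict).

    The bit count is an upper bound only: |alphabet| ** length assumes every character was
    chosen uniformly, which people never do. The blocklist and the length floor are applied
    before the number is trusted at all."""
    if not pw or pw.lower() in COMMON:
        return 0.0, "weak"
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    if any(c not in "".join(classes) for c in pw):
        alphabet += 100  # assumption: allowance for characters outside the four ASCII classes
    bits = len(pw) * math.log2(alphabet)
    if len(pw) < MIN_LEN or bits < 40:
        return bits, "weak"
    return bits, ("fair" if bits < 64 else "strong")


if __name__ == "__main__":
    phrase, bits = generate_passphrase()
    print(phrase, bits)                  # exact: 6 * log2(16) = 24 bits from this toy list
    print(rate_password(phrase))         # the rater's upper bound is far higher: do not trust it here
    print(rate_password("Tr0ub4dor&3"))  # weak: below the length floor despite four classes
```

Run it and compare the two numbers printed for the generated phrase: the rater, seeing 30-odd characters drawn from letters and hyphens, reports well over 100 bits for a phrase that actually carries 24. That gap is why a helper should report the entropy of what it generated and reserve the rater for passwords the user typed.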

Discussion: Where did you see the lack of usability in security?

Literature

• http://simson.net/ref/2009/2009-10-29-HCI-SEC.pdf

• Butler Lampson, "Usable Security: How to Get It", Communications of the ACM, November 2009: http://cacm.acm.org/magazines/2009/11/48419-usable-security-how-to-get-it/fulltext

• Lorrie Faith Cranor and Simson Garfinkel (eds.), "Security and Usability: Designing Secure Systems that People Can Use", O'Reilly, 2005: http://oreilly.com/catalog/9780596008277

Questions?

tobias.christen@dswiss.com


• Threat universe --> intentional vs non-intentional vs negligence

• Misuse cases versus abuse cases

• SDLC from the user's perspective

• Fraud detection software

• Transaction PINs must be combined with fraud detection software