Posted on by Achim D. Brucker, licensed under CC BY-ND 4.0.

Usable Security for Developers - A Nightmare

The term “usable security” is on everyone’s lips, and there seems to be general agreement that, first, security controls should not unnecessarily affect the usability and user-friendliness of systems. And, second, that simple-to-use systems should be preferred, as they minimize the risk of handling errors that can be the root cause of security incidents such as data leakages.

But it also seems to be a general surprise (at least for security experts) why software developers always make so many mistakes that should be easy to avoid and that lead to insecure software systems. In fact, many of the large security incidents of the last weeks/months/years are caused by “seemingly simple to fix” programming errors.

Bringing both observations together, it should be obvious that we need usable and developer-friendly security controls and programming frameworks that make it easy to build secure systems. Still, reality looks different: many programming languages, APIs, and frameworks provide complex interfaces that are, actually, hard to use securely. In fact, they are miles away from providing usable security for developers.

If you want to learn more, attend our talk at the OWASP AppSecEU in London. In this talk, I will discuss examples of complex and “non-usable” security for developers, such as APIs that are, in fact, (nearly) impossible to use securely, or that require an understanding of security topics that most security experts do not have (and, thus, that we cannot expect from software developers).

Supplementary Material
