[ PDF |
BibTeX |
EndNote |
RIS |
Word ]
Useable Security for Developers: A Nightmare
By Achim D. Brucker.
The term "usable security" is on everyone’s lips and there seems to be a general agreement that, first, security controls should not unnecessarily affect the usability and unfriendliness of systems. And, second, that simple to use system should be preferred as they minimize the risk of handling errors that can be the root cause of security incidents such as data leakages. But it also seems to be a general surprise (at least for security experts), why software developers always (still) make so many easy to avoid mistakes that lead to insecure software systems. In fact, many of the large security incidents of the last weeks/months/years are caused by "seemingly simple to fix" programming errors.
Bringing both observations together, it should be obvious that we need usable and developer-friendly security controls and programming frameworks that make it easy to build secure systems. Still, reality looks different: many programming languages, APIs, and frameworks provide complex interfaces that are, actually, hard to use securely. In fact, they are miles away from providing usable security for developers.
In this talk, I will discuss examples of complex and "non-usable" security for developers such as APIs that, in fact, are (nearly) impossible to use securely or that require a understanding of security topics that most security experts to not have (and, thus, that we cannot expert from software developers).
Please cite this work as follows: A. D. Brucker, “Useable security for developers: A nightmare,” presented at the OWASP AppSec EU conference, London, UK, Jul. 06, 2018. Author copy: http://logicalhacking.com/publications/talk-brucker-dev-usability-2018/
BibTeX
@Unpublished{ talk:brucker:dev-usability:2018,
date = {2018-07-06},
title = {Useable Security for Developers: A Nightmare},
author = {Achim D. Brucker},
venue = {London, UK},
eventtitle = {OWASP AppSec EU Conference},
abstract = {The term "usable security" is on everyone's lips and there
seems to be a general agreement that, first, security controls
should not unnecessarily affect the usability and
unfriendliness of systems. And, second, that simple to use
system should be preferred as they minimize the risk of
handling errors that can be the root cause of security
incidents such as data leakages. But it also seems to be a
general surprise (at least for security experts), why software
developers always (still) make so many easy to avoid mistakes
that lead to insecure software systems. In fact, many of the
large security incidents of the last weeks/months/years are
caused by "seemingly simple to fix" programming errors.
Bringing both observations together, it should be obvious that
we need usable and developer-friendly security controls and
programming frameworks that make it easy to build secure
systems. Still, reality looks different: many programming
languages, APIs, and frameworks provide complex interfaces
that are, actually, hard to use securely. In fact, they are
miles away from providing usable security for developers.
In this talk, I will discuss examples of complex and
"non-usable" security for developers such as APIs that, in
fact, are (nearly) impossible to use securely or that require
a understanding of security topics that most security experts
to not have (and, thus, that we cannot expert from software
developers).},
slideshare = {key/uhB5ik6RJJCwxE},
slideshare_width = {595},
slideshare_height = {485},
areas = {security, software},
note = {Author copy: \url{http://logicalhacking.com/publications/talk-brucker-dev-usability-2018/}},
}