Better security decision through better design

11 years ago

Security is not always about zero day attacks, buffer overflows and cyber espionage rings, according to Chester Wisniewski, senior security advisor at Sophos Canada. Working on usability and developing better user experice is critical as well in his line of work.

Software designers and security experts, he said, also spend a great deal of time and effort figuring out how to present information in the right way so that users can easily understand them and actually use them to make better decisions.

For instance, when Wisniewski was assigned to help in designing the Sophos Email Appliance, he was asked by his bosses to represent the user in the process.

The technical details of how technical support and auditing could be provided were still worked out, he said in a recent post on the Naked Security blog site. However, the developers spent an equal amount of time figuring out how the product would actually work for an administrator.

Adam Shostack of Microsoft Corp., in his presentation at the BSides security conference in Vancouver last week, demonstrated a NEAT idea of how developers can SPRUCE up their coding, according Wisniewski.

NEAT and SPRUCE are actually wallet cards that developers carry around and refer to when designing security prompts.

NEAT and SPRUCE are acronyms that “remind them to think carefully about all the aspects involved,” said Wisniewski.

These flash cards are something that developers in your organizations might find useful as well.

Read the whole story here