Security
by(e)
Design?

Benedek Gagyi

Leaves / water
ratio

Water
temperature

Steeping
time

Leaves / water
ratio

Water
temperature

Steeping
time

Devs

UX

Security

How is software made?

Dev

Features

Performance

Accessibility

Quality

UX

UX Design

Security

Security

User research

User flows

Look & feel

AppSec

DevSecOps

Audits

Dev

UX

Security

USER EXPERIENCE

UX

Security

Broken UX

Broken Security

Broken UX

Broken Security

=

BROKEN
USER
EXPERIENCE

EXAMPLES

Passwords are a mess

The experience of passwords is a mess

What's a strong password?

  • 8 characters
  • capital letters
  • special characters
  • 16 characters
  • passphrases
  • leet (1337) encoding
  • 12 characters
  • numbers
  • special characters
  • emoticons

How do I introduce that password?

Autofill is not quite "auto"

If good security has bad UX, your app is
not
secure

User education is hard

User miseducation is easy

3D Secure

Collect card info

Redirect to provider

Additional security check

Redirect back to shop

Security through text

DON'T
PUSH

If you encourage bad habits,
they will come back to haunt you.

AND
WHY
SHOULD
I CARE

?

DX

UX
for devs

UX
for users

EXAMPLES

ROUND II

npm audit
subtle.crypto

"It's very easy to misuse them, and the pitfalls involved can be very subtle."

If good security has bad UX, your app is
not
secure

If good security is hard to achieve you'll app will
never
be secure

Convenience

vs

Security

<?php

$offset = $_GET['offset'];
$query  = "SELECT * 
    FROM products 
    ORDER BY name 
    LIMIT 20 
    OFFSET $offset;";
$result = pg_query($conn, $query);

?>

If it's easier to write vulnerable code than secure, you will
never
have a secure application

As a developer

Development

Security

DX

EXAMPLES

POSITIVE

The road to better log-in experiences

Credentials API

Web OTP API

WebAuthn

Passkeys

The road to better payment experiences

Browser autofill

3D Secure

Secure Payment Confirmation API

SOLUTIONS

Communication

  • Awareness

  • Knowledge sharing

  • Learn from the past

Empathy

  • Understand the user

  • Remove obstacles for others

  • Open up

Focus on resiliency

  • Design security based on how people actually behave

  • Aim to remove the hazards entirely

  • Human attention is a finite resource

kellyshortridge.com

Paved roads concept

Ensure that the easiest thing to do is the
right thing to do

Security by(e) Design?

By Benedek Gagyi

Made with Slides.com

Security by(e) Design?

  • 46

More from Benedek Gagyi