Security
by(e)
Design

Security and UX: are they related at all?

 

  • How security experts break UX

  • DX: a melting pot of approaches

  • HoW UX experts break Security

  • ways to avoid both

What we'll talk about

@benedekgagyi

Where do security bugs come from?

Specification

implementation

  • missing functionality

  • "bonus" features

security bugs happen when the system in
our head
doesn't match the one in the
real world.

Where does
Bad User experience
come from?

  • form over function

  • incorrect assumptions

  • goals not aligned with user needs

Unpleasant UX happens whe the system in
our head
doesn't match the one in the
real world.

Security is part of UX

Axiom:

How security experts break ux

Part I

"to autofill, or not to autofill, this is the question"

password manager pO-s

Security
vs
Developer experience

DX is UX

Axiom:

DEvelopers wearing 3 hats:

  • DX

  • Security

  • Implementation

crypto.subtle
dangerouslySetInnerHTML

the Devil in the
details
Complexity

"You cannot break security if you do not understand a system better than the people who made the system"

OAuth

Storing tokens and XSS

1. oversimplification

2. attack surface

HTTPS

Cert management is a mess tho'

*

oauth

*

compliance
driven
development

Employee education

EMPLOYEE EXPERIENCE
(EX)

Who cares about security scan results?

GDPR

How UX experts break Security

Part II

Security
theater

"refers to security measures that make people feel more secure without doing anything to actually improve their security"

Forgot your password?

security
through text

user education is hard

user Miseducation is easy

reducing
friction

Solutions

Part III

communication

...duh

threat modelling

Developer user research

paved roads concept

ensure that developers can build secure things by default

awareness

internal education

share your wins

post mortems /
war stories

Thank
you