Security by(e) Design
Security and UX: are they related at all?
How security experts break UX
DX: a melting pot of approaches
How UX experts break Security
ways to avoid both
What we'll talk about
@ benedek gagyi
Where do security bugs come from?
Specification
implementation
missing functionality
"bonus" features
Security bugs happen when the system in our head doesn't match the one in the real world.
Where does bad user experience come from?
form over function
incorrect assumptions
goals not aligned with user needs
Unpleasant UX happens when the system in our head doesn't match the one in the real world.
Axiom: Security is part of UX
Part I: How security experts break UX
"to autofill, or not to autofill, this is the question"
password manager pO-s
Security vs Developer experience
Axiom: DX is UX
Developers wearing 3 hats:
DX
Security
Implementation
crypto.subtle
dangerouslySetInnerHTML
the Devil in the details
Complexity
"You cannot break security if you do not understand a system better than the people who made the system"
OAuth
“So the answer to this question is: No, never store a JWT in local storage.”
Storing tokens and XSS
1. oversimplification
2. attack surface
HTTPS
Cert management is a mess tho'
*oauth*
compliance driven development
Employee education
Employee experience (EX)
Who cares about security scan results?
GDPR
Part II: How UX experts break Security
Security theater: "refers to security measures that make people feel more secure without doing anything to actually improve their security"
Forgot your password?
security through text
User education is hard
User miseducation is easy
reducing friction
Part III: Solutions
communication ...duh
threat modelling
Developer user research
paved roads concept
ensure that developers can build secure things by default
awareness
internal education
share your wins
post mortems / war stories
Thank you