Shmoocon V: Security vs. Usability

This was one of two talks that turned out different from what I expected based just on their titles. Bruce Schneier and others have discussed the genuine dichotomy between security and convenience. This is what I thought would be the focus of the talk but the presenter, dead addict, a regular at the hacker cons, instead talked about the choice developers make between developing usable or secure software.

dead addict is a QA engineer, it sounds like, by training. He also admitted to contributing to some security protocols and specifications. He is not a software developer but clearly works in close collaboration with them.

Really what dead addict was trying to get at is developers who use security as an excuse not to even attempt usable software. He clearly thinks this is a false dichotomy and I have to concur. Some of the talk concentrated on helping developers write more usable, secure software. dead addict at least conceded that combining secure and usable is indeed hard, for some they may mistake this with impossible.

I think that dead addict and some of the members of the audience too quickly absolve developers of responsibility here. The discussion ran quickly to how to use external resources to help solve the problem. I agree not all developers can or must have usability expertise but only on the junior end of the experience and maturity scale. Leaders should have usability in their toolkit because it is not always possible to bring in an expert. When one is available, having senior and lead level developers familiar with the field will make the collaboration far more effective.

While the audience bogged down on quibbling over the purported lack of communications skills amongst software developers, I managed to pick up a couple of book recommendations from a fellow attendee. These are both written by Alan Cooper, the original creator of the visual builder aspects of Visual Basic.

dead addict’s most compelling argument is how usability is being applied to commercial malware. This is part of a trend I have discussed, the commercialization of attack software. Usability acts as a force multiplier for attackers. Defenders need to figure out, quick, how to build more usable, secure systems just to level the playing field.

Technorati Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *