Read the book Alice and Bob Learn Application Security - Tanya Janca - Page 20
Usable Security
If security features make your application difficult to use, users will find a way around them or go to your competitor. There are countless examples online of users creatively circumventing inconvenient security features; humans are very good at solving problems, and we don't want security to be the problem.
The answer is to build usable security features. Turning the internet off would make every application safer, but that is plainly not a productive way to protect anyone from threats on the internet. We need to be creative ourselves and make the easiest way to do something also the most secure way to do it.
Examples of usable security include:
Allowing a fingerprint, facial recognition, or pattern to unlock your personal device instead of a long and complicated password.
Teaching users to create passphrases (a sentence or phrase that is easy to remember and type) rather than imposing complexity rules (requiring a special character, a number, and lower- and uppercase letters, etc.). A long passphrase has more entropy than a short password that merely satisfies complexity rules, which makes it harder for malicious actors to crack while also being easier for users to remember and type.
Teaching users to use password managers, rather than expecting them to create and remember 100+ unique passwords for all of their accounts.
Examples of users getting around security measures include:
Users tailgating at secure building entrances (following closely while someone enters a building so that they do not need to swipe to get in).
Users turning off their phones, entering through a scanner meant to detect transmitting devices, then turning it back on once in the secure area where cell phones are banned.
Using a proxy service to visit websites that are blocked by your workplace network.
Taking a photo of your screen to bring a copyrighted image or sensitive data home.
Using the same password over and over but incrementing its last digit so it is easy to remember. If your company forces users to reset their password every 90 days, there's a good chance there are quite a few passwords in your org that follow the format currentSeason_currentYear.
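The two password points above (passphrases versus complexity rules, and the currentSeason_currentYear habit that rotation policies produce) can be made concrete. The following is an added example written for this page, not code from the book or its author: it puts a conventional composition-rule validator next to a length-first validator that also rejects the season+year pattern, and estimates the entropy of each approach. The sample passwords, the regular expression, the policy thresholds (15 characters, a 7776-word list) and the pattern choice counts are all constructed assumptions for illustration.

```python
import math
import re

# Constructed sample inputs for this example (not taken from the book).
COMPLEX_BUT_PREDICTABLE = "Winter_2024!"         # satisfies every complexity rule
PASSPHRASE = "correct horse battery staple"      # four plain words, easy to type

# Assumed pattern for the "currentSeason_currentYear" habit described in the
# text: season, optional separator, four-digit year, optional trailing symbol
# and digit (the suffix users add when forced to rotate every 90 days).
SEASON_YEAR = re.compile(
    r"^(spring|summer|fall|autumn|winter)[ _\-.]?(19|20)\d{2}[!@#$%^&*.]?\d?$",
    re.IGNORECASE,
)


def meets_complexity_rules(pw: str) -> bool:
    """A conventional composition policy: 8+ chars with upper, lower,
    digit and symbol. It says nothing about how predictable the value is."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def looks_like_season_year(pw: str) -> bool:
    """True if the password follows the assumed season+year pattern."""
    return SEASON_YEAR.match(pw) is not None


def meets_passphrase_policy(pw: str, min_len: int = 15) -> bool:
    """A length-first policy (assumed minimum of 15 characters) with no
    composition rules; a lowercase sentence is fine, a seasonal password is not."""
    return len(pw) >= min_len and not looks_like_season_year(pw)


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password drawn uniformly from alphabet_size ** length.
    This is the best case for a complex password: every character truly random."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy in bits of a passphrase whose words are drawn uniformly from a
    word list. Only holds for randomly chosen words: a famous quote or the
    sample PASSPHRASE above is in every cracking dictionary already."""
    return word_count * math.log2(wordlist_size)


def pattern_bits(*choice_counts: int) -> float:
    """Entropy in bits of a password assembled from a few independent choices,
    e.g. 5 season spellings x 30 plausible years x 4 separators x 2 capitalisations."""
    return sum(math.log2(n) for n in choice_counts)


if __name__ == "__main__":
    for pw in (COMPLEX_BUT_PREDICTABLE, PASSPHRASE):
        print(f"{pw!r}: complexity={meets_complexity_rules(pw)} "
              f"passphrase_policy={meets_passphrase_policy(pw)} "
              f"season_year={looks_like_season_year(pw)}")
    print(f"random 8-char, 95-symbol password : {random_password_bits(95, 8):.1f} bits")
    print(f"random 4-word, 7776-word passphrase: {passphrase_bits(4, 7776):.1f} bits")
    print(f"random 5-word, 7776-word passphrase: {passphrase_bits(5, 7776):.1f} bits")
    print(f"season+year pattern                : {pattern_bits(5, 30, 4, 2):.1f} bits")
```

Run as a script, the output shows the point of the passage: "Winter_2024!" passes the complexity check and fails the passphrase policy, the plain four-word sentence does the reverse, and the season+year pattern is worth roughly 10 bits of guessing effort no matter how many symbols it contains, against 50 or more bits for either a truly random 8-character password or a randomly chosen 4-word passphrase. The entropy figures are upper bounds that assume random selection; a human-chosen phrase needs a block list of common phrases and breached passwords to come anywhere near them.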