1、Engineers are People Too,Adam Shostack Microsoft,Outline,Engineering in Large Projects Threat Modeling Usability Tools,A Software Engineers Day,Solve customer problems Write code Build cool stuff Change the world,Costs, Risks and Mitigations Feature Requirements Performance Security Privacy Accessib
2、ility Design Geographical & Political concerns Partner & Programmability Compatibility Internationalizability (dates) Configurability Manageability Logging Internationalizability (text handling) Telemetry Programmability And oh yeah, write some code,A software engineers day (take 2),Outline, Enginee
3、ring in Large Projects Threat Modeling Usability Tools,Security Development Lifecycle Working to protect our users,Education/Training,Accountability,Administer and track security training,Incident Response (MSRC),Establish release criteria and sign-off as part of FSR,Ongoing Process Improvements,Pro
4、cess,Guide product teams to meet SDL requirements,Secure design, including the following topics: Attack surface reduction Defense in depth Principle of least privilege Secure defaults Threat modeling, including the following topics: Overview of threat modeling Design to a threat model Coding to a th
5、reat model Testing to a threat model Secure coding, including the following topics: Buffer overruns Integer arithmetic errors Cross-site scripting SQL injection Weak cryptography Managed code issues (Microsoft .NET/Java) Security testing, including the following topics: Security testing versus funct
6、ional testing Risk assessment Test methodologies Test automation Privacy, including the following topics: Types of privacy data Privacy design best practices Risk analysis Privacy development best practices Privacy testing best practices,Orientation: Basic Concepts for Security Development Lifecycle
7、,Outline,Engineering in Large Projects Threat Modeling Usability Tools,Threat Modeling,Analyzing the design of a system Engineers know their code and how it changes Really, really hard for normal engineers to do Requires a skillset acquired by osmosis (“The security mindset”) Overcome creator blindn
8、ess Extreme consequences for errors or omissions Training (version 1): “Think like an attacker” And the consequences,SDL Threat Modeling Tool,SDL TM Tool makes threat modeling flow better for a broader set of users Main Approach: Simple, prescriptive, self-checks Tool Draw threat model diagrams with
9、 live feedback Guided analysis of threats and mitigations using STRIDE Integrates with bug tracking systems,STRIDE Framework* for finding threats,* Framework, not classification scheme. STRIDE is a good framework, bad taxonomy,Find threats: Use STRIDE per element,Flow & Engineering,“the person is fu
10、lly immersed in what he or she is doing, characterized by a feeling of energized focus, full involvement, and success” Elements of flow The activity is intrinsically rewarding People become absorbed in the activity A loss of the feeling of self-consciousness, Distorted sense of time A sense of perso
11、nal control over the situation or activity Clear goals Concentrating and focusing Direct and immediate feedback Balance between ability level and challenge,The Flow Channel,Flow and Threat Modeling,Outline,Engineering in Large Projects Threat Modeling (II) Usability Tools,2009 TM problem statement,E
12、ven with the SDL TM Tool Threat models often pushed to one person Less collaboration One perspective Sometimes a junior person Meetings to review & share threat models Experts took over meetings Working meetings became review meetings,Elevation of Privilege: The Threat Modeling Game,Inspired by Thre
13、at Poker by Laurie Williams, NCSU Serious games movement Threat modeling game should be Simple Fun Encourage flow,Approach: Draw on Serious Games,Field of study since about 1970 “serious games in the sense that these games have an explicit and carefully thought-out educational purpose and are not in
14、tended to be played primarily for amusement.” (Clark Abt) Now include “Tabletop exercises,” persuasive games, games for health, etc,Elevation of Privilege is the easy way to get started threat modeling,Draw a diagram,How to play,Deal out all the cards Play hands (once around the table) Connect the t
15、hreat on a card to the diagram Play in a hand stays in the suit Play once through the deck Take notes: Player Points Card Component Notes _ _ _ _ _ _ _ _ _ _,Example,Bob plays 10 of Tampering,Charlie plays 5 of Tampering,Dan plays 8 of Tampering,After the Elevation of Privilege Game,Finish up Count
16、points Declare a winner File bugs,Elevation of Privilege is Licensed Creative Commons Attribution Go play!,http:/ does the game work as a tool?,Attractive and cool Encourages flow Requires participation Threats act as hints Instant feedback Social permission for Playful exploration Disagreement Prod
17、uces real threat models,Outline,Engineering in Large Projects Threat Modeling Usability Tools,Context,Engineers are smart & busy people Easy to forget how complex it is when its your job Hard to not admire the problem No time in the schedule for UI design & test We need to design flow experiences fo
18、r engineers,Things we hear,“Im an engineer, not a usability person” “Can we sprinkle some security usability dust?” “The problem is between the keyboard and chair” “What are the top 5 things to make this usable?” all indicate a lack of flow in usability engineering efforts,Lots of Prior Work,Whitten
19、, “Why Johnny Cant Encrypt” Yee, “User Interaction Design for Secure Systems” Karp & Stiegler, “Including the User in Your Application Security Equation” Adds 6 properties to Yees Principles Cranor, “A Framework for Reasoning About the Human in the Loop” and lots lots more,Yees PrinciplesPath of Lea
20、st Resistance Active Authorization Revocability Visibility Self-awareness Trusted Path Expressiveness Relevant Boundaries Identifiability Foresight,Whats the right thing?,Warning from old IE version: Uses the confusing term “revocation information” Does not explain why the user should be concerned D
21、oes not help the user decide Makes no recommendation to the user Easy to get security experts arguing over revocation information,Much better!,Uses plain language (“there is a problem”) Explains why the user should care (“may indicate an attempt to fool you or intercept data”) Recommends an action (
22、“close the webpage”),How does this line up to Yee? Path of Least Resistance (x) Active Authorization Revocability (x) Visibility Self-awareness Trusted Path (x) Expressiveness (?) Relevant Boundaries (?) Identifiability (x) Foresight (?),The Flow Channel,What do people want?,Simple and actionable We
23、re working on guidance for warnings and prods Simple Concrete Easy to compare version A to B,How to get there? Ensure each: Must involve a user choice Clearly lays out the issue, why it matters Provides actionable guidance Is validated from a UI & security perspective,How to get there? Ensure each i
24、s: Necessary: Must involve a choice user can make Explained: Clearly lays out the issue, why it matters Actionable: Provides steps user can take Tested in benign & malicious scenarios (security & UI),Rather than forcing a trust decision, Office 2007, 2010 applications show safe content and give a no
25、n-blocking notification that additional, possibly unsafe, content is available.,Is your security UX,When possible, automatically take the safest option and, optionally, notify the user that other options are available,Necessary? Can you just be safe?,Guidance Example,Clearly Explain the Issue,Provid
26、e the user with all the information necessary to make the right decision: Source of the decision Process that the user should follow Risk of various choices Unique knowledge the user brings Choices the user can make (including a recommendation) Evidence that influences the decision SPRUCE replaces e
27、arlier “CHARGES”,Does your Security UX,Guidance Example,What to fix first?,Tool to prioritize and make tradeoffs between bugs:,Importance,Usability for normal people,How do we educate users? No one has time to be trained Need environments which allow people to form models Quickly & accurately One mo
28、del per person Work, home, government, banks, medical care need to align to encourage models to form,Creating a Learning Environment,Long, noisy channel to reach people “Look for spelling errors in the email?” Need advice that resists innovation Need advice that resists malice We need to engineer gu
29、idance which is Durable: resistant to innovation and malice Memorable: “stop, drop & roll” Effective: actually protect people Consistent: no public arguments about passwords Few: People make shopping lists for a reason Use that guidance as we construct systems,Usability tools for Engineers,Principle
30、s and Guidance are both worthwhile research areas “One page” guidance is hard to find Need ways to create guidance Need to craft a learning environment,Outline,Engineering in Large Projects Threat Modeling Usability Tools,A Software Engineers Day,Solve customer problems Write code Build cool, usable
31、 and secure stuff Change the world,Call to action,Study engineers & their needs Experiment with tools for engineers NEAT, SPRUCE & prioritization Use them, improve on them, or replace them Build realistic expectations for user education Remember that engineers are people too Need usable approaches t
32、o usability engineering,Questions?, 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and repre
33、sents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.,
