By Ron Woerner
Way back in 1971, Walt Kelly had a cute cartoon called “Pogo.” On Earth Day of that year, Pogo said something profound: “We have met the enemy and he is us.” It’s just as true today that the largest threat to any human is themselves.
In her blog, “What comes after usability?”, the author provides a User Hierarchy of Needs to reach the nirvana of a development model where the user is king. She’s missing a key element that Pogo realized 36 years ago: users’ need for safety. No matter how usable a product or service, if it’s missing appropriate protection mechanisms it won’t be fully utilized.
I reference two points from history for my argument:
1. Maslow’s Hierarchy of Needs. Safety and security needs are second only to the needs for physical survival. The information age has not changed this basic premise.
2. Saltzer and Schroeder’s Design Principles. This groundbreaking article was written in the mid-70s and gives a basic yet timeless approach to designing protection into a computer system. The Design Principles are simplified here:
• Economy of Mechanism – Keep It Simple (KISS); The product should have a simple and small design.
• Least Privilege – A subject should be given only those privileges necessary to complete its task.
• Fail-Safe Defaults – The default action should be to deny access to the asset and grant access only when explicit permission exists.
• Complete Mediation – Check every access to every object.
• Open Design – Security should not depend on secrecy of design or implementation.
• Separation of Privilege – Requires multiple conditions to grant privilege.
• Least Common Mechanism – Users should share the protection mechanism as little as possible.
• Psychological Acceptability – Security should not add to difficulty of accessing the resource.
These principles of secure design underlie all security-related mechanisms.
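To make four of the principles listed above concrete (Fail-Safe Defaults, Complete Mediation, Least Privilege and Separation of Privilege), here is a small reference monitor, added as an illustration and not taken from the original post or from Saltzer and Schroeder's article. The names `Monitor`, `Store`, `AccessDenied` and `is_denied`, and the subjects and objects used with them, are hypothetical.

```python
from dataclasses import dataclass, field

class AccessDenied(Exception):
    """Raised whenever no explicit permission covers the request."""

@dataclass
class Monitor:
    # (subject, object) -> explicitly granted actions; an absent key means "deny"
    grants: dict = field(default_factory=dict)
    # actions that also need a second, different subject holding "approve"
    dual_control: frozenset = frozenset({"delete"})
    audit: list = field(default_factory=list)

    def grant(self, subject, obj, action):
        # Least Privilege: one action on one object per grant, no wildcards
        self.grants.setdefault((subject, obj), set()).add(action)

    def check(self, subject, obj, action, approver=None):
        # Fail-Safe Defaults: allowed only if an explicit grant exists
        allowed = action in self.grants.get((subject, obj), set())
        if allowed and action in self.dual_control:
            # Separation of Privilege: a distinct approver must also be authorized
            allowed = (approver is not None and approver != subject
                       and "approve" in self.grants.get((approver, obj), set()))
        self.audit.append((subject, obj, action, allowed))
        if not allowed:
            raise AccessDenied(f"{subject} may not {action} {obj}")

class Store:
    """Every method calls the monitor first (Complete Mediation)."""
    def __init__(self, monitor):
        self._monitor, self._data = monitor, {}

    def write(self, subject, name, value):
        self._monitor.check(subject, name, "write")
        self._data[name] = value

    def read(self, subject, name):
        self._monitor.check(subject, name, "read")
        return self._data[name]

    def delete(self, subject, name, approver=None):
        self._monitor.check(subject, name, "delete", approver)
        del self._data[name]

def is_denied(call, *args, **kwargs):
    """Return True if the mediated call is refused, False if it goes through."""
    try:
        call(*args, **kwargs)
        return False
    except AccessDenied:
        return True
```

Refused requests land in `audit` alongside granted ones, so the deny-by-default path is observable as well as enforced.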
We all need protection measures to be built into applications, often to prevent our own stupidity. Developers need to add it to the User Hierarchy of Needs. Most of all, don’t try to ignore it or save it for later because there’s no ROI. Having the protection mechanisms baked in protects our greatest enemy – ourselves.
By working together, we all become stronger.
Catalyst Note: If you’re not currently reading “Creating Passionate Users” by Kathy Sierra, you should be. As we shift to the Security 2.0 mindset, she’s clearly ahead of the curve and puts a lot of quality out there for us to digest and incorporate.