Secure Designs, UX Dragons, Vuln Dungeons: A Conversation on Secure Design Principles
In this live recording from BSidesSF, we explore secure design: the factors that influence a well-designed system and strategies for avoiding common pitfalls. Our conversation covers the importance of user-centric design and how it relates to security, as well as the role of threat modeling in guiding engineering decisions.
A Secure Design is Not Just About Threat Modeling
We're joined by Kalyani Pawar and Jack Cable, two experts who share their insights on evaluating secure designs through real-world examples. We explore how designers can avoid the "bite of UX dragons" – those design pitfalls that can lead to user frustration and security vulnerabilities.
The Importance of Designing for Users
"A secure design is not just about avoiding vulnerabilities, but also about creating an experience that serves users," says Kalyani Pawar. "When designers prioritize the needs of their users, they're more likely to create systems that are both functional and secure."
From Weak to Strong: Lessons in Secure Design
We examine examples of weak and strong designs through the years, highlighting common mistakes and successful strategies for improvement. These case studies illustrate how threat modeling can be applied in practice to inform design decisions.
Framing Secure Design as a Challenge in Preventing Dangerous Errors
"Threat modeling is not just about identifying vulnerabilities; it's also about understanding the context in which they occur," explains Jack Cable. "By framing secure design as a challenge in preventing dangerous errors, developers can make practical engineering decisions that improve appsec for everyone."
The Role of Secure by Design in Modern Software Development
We discuss the importance of incorporating secure-by-design principles into modern software development practices. By designing systems to serve users and considering the security implications of every decision, developers can create more secure and user-friendly applications.
Resources for Further Learning
For those interested in learning more about secure design principles, we recommend exploring the following resources:
- OWASP Top 10 - Insecure Design
- Research on Secure Design Patterns
- The Threat Modeling Manifesto
- RFC 9700: Security Considerations for the Web
- CISA's Secure by Design Resource
Conclusion and Next Steps
Our conversation highlights the importance of designing systems that serve users while also considering security implications. By framing secure design as a challenge in preventing dangerous errors, developers can make practical engineering decisions that improve appsec for everyone.
Thanks for joining us on this exploration of secure design principles! Visit Security Weekly ASW for all the latest episodes and resources.
Visit our show notes page for additional information and links to the resources discussed in this episode: ASW #328 Show Notes