Designing better security outcomes for human beings

This week’s episode features a special cross-over conversation from the O’Reilly Security Podcast, which you can find on Stitcher, iTunes, SoundCloud, or RSS. O’Reilly’s Courtney Nash chats with Eleanor Saitta, a security architect at Etsy. They talk about the importance of thinking of security in a human context and the increasingly critical relationship between security and design.

Here are a few highlights:

Detecting fraudulant patterns at the human level

Look at banking fraud and fraud detection systems. Although financial malware is a real issue, and we are seeing more and more people who end up with malware running on their phones that then attacks bank authenticators or logs into their account and makes transfers. These are starting to be very real issues, let alone credit card numbers and all this kind of stuff. The biggest way that those attacks are stopped isn’t by preventing code from running on people’s machines, it’s by detecting fraudulent patterns and transfers at the human level, and cutting things out at business rule levels, and much higher levels.

In the worst case, it’s someone goes into a bank physically and talks to someone, and has a conversation. That’s just as much a part of the security countermeasure set as any number of anti-banking Trojan, anti-malware projects are.

The relationship between security and design

That whole process of coming into understanding the high risk world a little bit more was really, in some ways, it was really challenging for me because I’d spent probably eight years, nine years at that point when I first started getting involved in that community, doing big enterprise security. To come into this community and to realize that actually I know very little about how to create better security outcomes for human beings was an interesting thing to learn midway through my career.

What it made me do was go back and think a lot about the relationship between security and design, and realize that one of the things that we need to do when we’re building systems for, at the time, I was mostly thinking about high-risk people, but I’ve realized that this applies to any system. We need to understand not just what that user is worried about, but what the countermeasures that they can use to cancel out their adversaries attacks are, because we’re dealing with that design space much more than we are with the code space. Now, if we can find things at the code level that give us new capabilities in that design space, that’s amazing. So, being able to get rid of classes of low-level bugs, so we can stop thinking about them—great, that’s a huge capability for the design space and the architecture space. All of the different things that we can do with cryptography, as far as using it to reduce the kinds of attacks that people can be subject to and giving them new invariants the system can let them use. Great, amazing capabilities, but the reason why they’re interesting is because of how they shift that design space, and that has to be the thing that starts driving everything.

Security design as a separate discipline

There’s a conversation between architecture and requirements and design. There has to be. None of these can act independently, but the thing that we don’t see, the thing that I really don’t see in the security community yet, is an understanding of security design as really a separate discipline. This is literally what I’m spending my time doing right now.