A good web application security environment is one that balances security with convenience. Nothing more and nothing less; just the security that’s needed to keep things reasonably in check.
But just how much is enough? All too often I see websites and applications with too little security while others have too much – namely “security theater” that makes it look like the system is secure. There’s hardly ever a happy medium. Granted, there are the outliers like Amazon, eBay and related sites that seem to have things down pat. However, so many other lesser-known sites and applications (the majority of the ones out there) just can’t seem to find the balance of security and usability that’s needed.
I think a large part of the problem is that highly technical developers are putting together these sites and applications without getting user feedback on the front end or performing adequate usability testing on the back end. I can’t tell you how many times in the past few weeks alone I’ve come across websites and applications (both personally and in my security testing work) that have been unbelievably amateurish when it comes to user account management. I’ve thought to myself things like “Has no one tested this mechanism for security flaws?” and “What point is someone trying to prove by requiring so many hoops to jump through when the hoops can be bypassed altogether?”
I believe these types of problems lie not with the technical developers but in the management (or lack thereof) of the overall application. I suspect if we could get to the bottom of many of these problems we’d see that everything is up to the developers with no end user input, no product management…nothing.
The user’s interaction with the application should be as simple as possible. People shouldn’t have to jump through tons of hoops to simply log on or perform functions like changing passwords, especially when controls are forced on them in the name of “security”. In fact, most security controls should be completely transparent to end users. The goal should be to steer users in the right direction and protect them from themselves and not a single bit more.
Those of us working in IT, security and software development can effect change and get these sites and applications to where they need to be. Consider this: for the next 30 days focus your web security efforts solely on user authentication and access controls within your sites and applications. Get all the right people on board and do whatever you can to make user interaction as painless yet secure as possible. Check out some of the well-known sites and applications and see how they’re handling logons, password policies and the like. I guarantee you can eliminate a ton of flaws and make your environment resilient against a large number of exploits while making it easier to use in the process.