Friday, October 21, 2011

When Security Goes Wrong

I was at a conference (Ulearn) this week. A couple of things struck me while I was there.

For starters, someone sat there telling me that they were starting with security with a project. I can't help but think this is completely backwards. Security's important, sure. But then, what are you trying to build? Work out the specifications.

Does it actually have to be used? Who is your intended audience? What sacrifices are you willing to make for security?

Let's face it. It's very hard to do security without affecting the end user experience. Normally you're expecting something from users - think Captchas. Those annoying images that quite often you can't read terribly well. Or you're dealing with speed issues such as what happens when a password has been encrypted several times. SSL certificates are good - for the most part - but when things go even slightly wrong, you've affected the user experience again. Suddenly their web browser is telling them that they can't trust that site.

Security is a necessary evil. But it's also a sacrifice of other things. This is a classic engineering problem. You have to ask yourself how that security is going to affect the usage. Whether users will look for ways around it. Think Internet filtering. If you've blocked something that your users really want to use - such as social media - your users will start working against such security. Are you actually achieving anything with your security?

And this kind of leads into something I was trying to explain in my five minute talk at Ulearn. Take the nerd out of the equation for a second. Examine your computer system (this could be school or business) and ask yourself, does it work the way YOU (or your users) want it to work? And when I say You, I really mean it. I know this probably sounds harsh, but stop letting the nerds dictate the way you work. They're not doing you any favours. If they can't make it work the way you want it to work, then start looking at other solutions and vendors. What other industry dictates to you what you want?

In this way, Open Source software becomes an answer. If you've got the source code, you can change it. Stop working in spreadsheets and word processing documents and start thinking about how it could be better. If you were to design it, what would it look like?

In other words, own it.
