Nudge and Sludge: Driving DevOps Security with Design
Security people say users are the weakest link. When security becomes burdensome, users take shortcuts jeopardizing security. Design offers a solution. We will walk through affordances, nudges, sludge and principles to inform and direct our design. Come learn how better usability leads to DevOps security.
This talk was given at DevOpsDay Tel Aviv 2021.
Kim Crawley, author of 8 Steps to Better Security, discusses what it takes to make a resilient security program.
Watch more videos on my YouTube channel.
This session is on all the things we all say all the time, about all the things we call know. Security through obscurity is bad. Defense in depth is good. Stop clicking things. Next generation is bad, or maybe, next generation is good. The list goes on and on. The resulting rules of thumb are sometimes contradictory and often misleading. With war stories and anecdotes, we’ll explore what happens when teams run security by tribal knowledge instead of research and reason. Spoiler alert: they get pwned. Turns out, we were wrong.
Presented for Great Lakes Security Conference (GLSC) 2021.
Watch more videos on my YouTube channel.
Long time friend David Giard had me back on his video series to talk about my security design principles series. It’s always a pleasure to chat with David. Check out our conversation below, and his entire Technology and Friends series on YouTube.
Usability versus security is stupid. It forces us to choose one or the other. It excuses security breaches under the guise of usability. It automatically pits us against them, builders against breakers, developers against defenders. A better approach is to view security like usability: they happen where man meets machine. At that moment of meeting, what factors in human psychology and industrial design are at play? And suppose we could pause time. Suppose we could tease out those factors. Could we design a better experience, design a better outcome, design a better path to the future?
Recorded for Converge Detroit 2020
Watch more videos on my YouTube channel.
When you look at the FedEx logo, do you see an E and an X? Or do you see an arrow? Let’s look at the cognitive processes that drive what we see. I’ll give two tips on how to get more creative when designing security controls.
Watch more videos on my YouTube channel.
A friend of mine tweets he’s up at 1 o’clock watching my videos with his daughter. When you can’t sleep, apparently, my videos do the trick. She had questions. Here are my answers.
Shout out to Bill Sempf and Kaelan Sempf!
Watch more videos on my YouTube channel.
Secure360 2020 – Security happens where man meets machine. Or, fails to happen, as we see all too often. Blame the users. They’ll click anything. Blame the developers. Half their code is riddled with vulnerabilities anyways. Blame the IT staff. You’d think they’d at least know better. But perhaps, we’ve been placing the blame on the wrong places. What exactly happens where people and technology meet? At that moment, that very moment, what factors in human psychology and industrial design are at play? And suppose we could pause time for a moment. Suppose we could tease out those factors. Could we design a better experience, design a better outcome, design a better path to the future? This session explores these questions and identifies lessons the cyber security field can learn from industrial design.
Watch more videos on my YouTube channel.
What do ATMs in the Netherlands teach us about creating security capabilities people actually want? The story starts with the Geldmaat.
Watch more videos on my YouTube channel.
Taking a day off work, I’m thinking about how work gets structured. Use standards such as CIS Critical Security Controls, NIST SP800-54b, and the National Initiative for Cybersecurity Education (NICE). Define what the team will do and, just as important, what the team will not do.
Watch more videos on my YouTube channel.