With two interesting talks on an upcoming secure programming SANS certificate and an inside look into usability, this NoVA meetup was an excellent event for my first time attending the OWASP – VA Local Chapter meeting.
I arrived a little late, but the nice guard at Booz Allen escorted me up to the room where the meeting was taking place. As I walked in, Ed Tracy was about halfway through his GIAC Secure Software Programmer (GSSP) certification talk. GSSP is a new SANS certificate that focuses on teaching and certifying developers in secure programming. At this point in the talk Ed was presenting sample Java exam questions and discussing the methodology for creating them. Currently, the GSSP certificate is the only certificate Ed knew of that focuses on secure programming for the individual developer. There is another one (I didn’t write down the name), but it focuses solely on training and certifying large organizations. Most of SANS’s current work is on Java, but they are looking for volunteers to expand into other areas (e.g., .NET). As a proponent of building security into systems during development, I think the training materials and the resulting certificate are a big leap forward in getting developers up to speed in this area. To learn more about the GSSP certificate, visit the SANS Software Security Institute.
In the second presentation, Zed Abbadi provided an interesting look at usability in his talk “Building Usable Security.” System engineers focus on designing a solution; developers focus on building the solution; security professionals focus on securing the solution; and so on. In the end, users complain that the solution isn’t what they wanted. That’s where usability comes into play. It is an entire discipline that is often overlooked when creating a solution. Zed demonstrated this with an entertaining look at the vague error messages that Windows XP and Vista pop up to users. He closed with some insightful tips for us to contemplate during our day-to-day activities (e.g., don’t push security decisions onto the end user the way Vista’s nagging allow/deny dialog box does). Along with the presentation, Zed is also writing a paper, with future plans for a book. This talk reminds me of Bruce Schneier’s recurring theme of the trade-off between security and usability: the more secure you make a system, the harder it is to use. I think the key take-away from Zed’s talk is that, just as we as security professionals say everyone should be thinking about security, you also have to be thinking about usability.
For the original description of the presented topics, see our original post.