Last Friday I held a class on finding web vulnerabilities for my colleagues. The presentation was laid out in four segments. The first segment covered why we had launched the initiative to find web vulnerabilities in our products. Next was a PowerPoint presentation on what to look for and general precautions. Then I demoed the scanner tool we’ve chosen and the reports we need to generate and write. In the last segment I let the participants toy around with a trial version of the vulnerability scanner, just to get a feeling for how to do a scan. After all the segments were over we began a general discussion. This was great; the participants talked about things they had stumbled upon. All in all it was a very healthy and good discussion, which proved that to test security you must simply take a look around and absorb, then go on to exploit using creativity. One remark that always pops up during security classes is “we must always weigh usability and security up against each other”. I’ve written about my concern on how the security business operates earlier; it’ll serve as a basis for today’s topic.

It’s easy to make such a statement. Of course we need to weigh them up against each other. For instance, a CMS that is secure but hopelessly difficult to use isn’t worth a dime. If it’s too hard to use it may scare away the users. On the other side, having a CMS that is a breeze to use but lacks security features, making it easy to hack, isn’t worth a dime either. So yes, of course we need to weigh usability and security up against each other. But at the same time, I feel iffy about it. It’s easy to say yes we should, but who is to do the weighing? Should the people sitting closest to the customers take the decisions, or should we work together to make solutions for the entire industry?

I will not cover the remark itself further. Let’s talk about something more important. Before a decision is made we must place the responsibility with the right group. So, who should make the call? The designers? The developers? Or perhaps someone else? The best answer would be to say that everyone should pitch in their views and from that find a way to solve the problems. Completely democratic. But democracy doesn’t come easy. Often in decision making someone will get butthurt, others won’t. But then again, the iffiness comes crawling back. Whom are we solving problems for? Our employer, so he/she/it can cash in even more? The customer, so that we can rake in more dough? Or – are we really solving a problem which has bugged the IT industry for years?

A concrete example: there are millions of online services out there requiring users to sign up before use. OK – fine. I’ll go on and sign up. Soon after, a new service comes along. I sign up for that too. And soon I lose track of which username and password to use on each service. Most people will just use the same username and password all over the place. Heck, some of these services don’t have an “I forgot my password” feature either. Sigh.

In my example people either have just one username and password, or a whole slew of them. So I ask – how are we going to solve this? Where do we put the responsibility for weighing usability and security up against each other? And should we solve this issue at the corporate level, or should we aim even higher and make the IT industry work together for the greater good?

So, yes – we should weigh. But the process that handles the weighing is far more important.