
SV: Re: [agile-usability] security, agility, and usability

  • Holm, Stefan
    Message 1 of 1, Jan 18, 2011
      I thought Pontus had already sent that one. He has got what he needs from me. Estimation etc.

      Sent from my Samsung Mobile

      Adam Sroka <adam.sroka@...> wrote:

      I am not a security expert, and I'm not very familiar with the story, so I
      won't comment on those parts. I do know a thing or two about Agile, and I am
      pretty confident in saying that it would help (at the very least it wouldn't
      hurt ;-)

      I think the benefit of Agile in this situation is that it encourages you to
      put the folks who know about security and the folks who know about UX
      together in the same room with the folks who know the product and the folks
      with other technical skills. That way they can participate together in every
      phase of defining, implementing, and testing the product.

      Of course, there is no guarantee that a security expert paired with a UX
      expert would think of the scenario that caused the vulnerability that was
      exploited. However, it seems obvious to me that they would have a better
      chance of coming up with it than the average programmer working in
      isolation. Agile tells us to get the right people and bring them closely
      together as a team. This seems like good advice for this scenario.

      On Tue, Jan 18, 2011 at 10:26 AM, Larry Constantine <lconstantine@...> wrote:

      >
      > The front-page headlines in the Sunday New York Times once again brought
      > the story of the Stuxnet software attack on Iran’s nuclear facilities to the
      > forefront (
      > http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html). The
      > deconstruction by my German colleague Ralph Langner not only has teased out
      > essentially all of the detailed functioning of the Stuxnet code itself, but
      > also has uncovered clues to the larger story of who was involved in the
      > operation and how it was accomplished. In a sense, the headlines trumped the
      > storyline of the just-released Lior Samson novel, *Web Games*. (For an
      > analysis and the connection with Stuxnet, see the blog at
      > www.liorsamson.com/onwords.html.)
      >
      > I want to raise two questions that could be relevant to this group. One
      > element of the attack vector directly relates to user experience, as the
      > Stuxnet code was able to insinuate itself into a man-in-the-middle position
      > and effectively fool the operators into believing that everything was
      > operating normally when, in fact, the centrifuges were in the process of
      > tearing themselves apart. One question is whether there might be
      > architectures or programming practices or interaction designs that make such
      > exploits more difficult or less likely to succeed.
      >
      > A second question is whether agile development has any special role to play
      > or anything particular to offer in terms of contributing to software and
      > hardware security.
      >
      > Thoughts?
      >
      > -- *Larry Constantine*, IDSA, ACM Fellow
      > Professor | University of Madeira | Funchal, Portugal
      > Institute Fellow | Madeira Interactive Technologies Institute |
      > www.M-ITI.org
      >
      >
      > Fiction “to feed the inner nerd” – *Bashert*, *Web Games*, and *The
      > Dome*, political thrillers from Lior Samson | www.LiorSamson.com