User friendly Secure Software Design

I got a chance to look at some online courses during covid-19 lockdown, most of following things were learned from Usable Security — Coursera course and my personal experiences. I highly recommend anyone who reads this to follow this course as its taught by academic experts and interviews with industrial experts.

Requirement Gathering

This is the first time we meet our client and get his/her requirements for the system we are about to develop for them.

• We MUST agree and get a full list of client expectation from the system. What is should do and what shouldn't.
• Make notes for important things they highlighted, and try to draw sample UIs on a paper and get client feedback at the moment.
• If they already have a similar system, check how it works and why its not satisfying the users.
• Meet often and deliver often, our design and interfaces.

User Interface

This is the first place users will interact with your software. Follwing things should consider when designing UIs.

• It MUST be simple and easy to use. We MUST focus what we our software intend to do. The best example is Google home page and Medium. People use google to search for something, and Medium to read interesting stories .They always keep search and best stories highlighted. Following two screenshots will give you an idea about this.

Google.lk home page

Medium home page

• Common features MUST be in their own unique places. Such as user profile, logout features. Those features are commonly in right top corner . Even above two screenshots they didnt change it. These kind of common places should not change in our design.
• Always use user centric UI design, get user feedback about UIs, if it takes time to develop using a proper tool, at least draw UIs on papers and get feedback. Use dummy data in these interfaces often.
• If users used to do similar tasks using another software, do not override those patterns. Keep them same places and same pattern. As an example, if old system uses User-Profile-> Notification -> Email to send an email to customer, we must not introduce try to override this.
• Easy to remember steps to perform an action. Less number of things user to remember.

Starting development after finalizing UIs with the client will give a lots of advantages. I have personally witnessed this.

Security

This is the most important part for any software. For software users, secutiry is not a big concern. Most of the time they assume software is secure behind the scene.

• Try to get minimal user’s personal information to the system. If we develop a notification system to a client, we may not need to store our client’s date of birth, civil status, birth place etc. We just need their email and password. This will also help user privacy.
• Meaningful Warnings. When a user tries to do something dangerous, user should give a Meaningful warning. Like what would happen if you take this action. It can not be undone etc. Also proper colors can be used here.
• Passwords, one of the main part in software security. When we get user’s passwords, we must make sure user does not enter a common password pattern and also unique ,easy to remember password. No need to ask digit,special charactor, block letters in password. A simple “bla-bla-black-sheep” would take years to crack.

Development

Just like UIs, user centric development would help to deliver a better product. Two main things we should perform during development is. For validation, using real users will give a lots of advantages.

• Verification : Are we building the product right?
• Validation : Are we building the right product?
• Right software stack for the development life cycle. Always get the best and secure software frameworks, libraries for the development.
• Code reviews, this will be a key part in verification and security of the system.

Testing

This will ensure we developed the right product, right way. Extensive testing should perform before delivering to users.

• A/B Testing, very important to UI testings, we can get an idea how users behave when same feature is presented in two way.

Source : https://en.wikipedia.org/wiki/A/B_testing#/media/File:A-B_testing_example.png

• Starting with small number of real users and increment number of users based on user feedbacks. This will help to identify some edge cases we missed during development or even in design.

I have listed most of the things I learned from that course and my practical experiences. I hope this will give a small idea about secure software design.

Stay safe!