Secure applications require security-aware end users

Having secure applications requires more than eliminating vulnerabilities in your code. Columnist Ken Salchow Jr. says end users must also understand that their actions can have serious security repercussions -- and companies need to provide security education for them.

By Ken Salchow Jr.

With the increase in phishing attacks, and in the sophistication of those attacks, there has been a corresponding increase in discussion of how to combat the situation. Many people argue that the businesses and financial institutions that build and host Web-based applications should shoulder the entire responsibility. While I certainly wouldn't suggest that these organizations are doing all they can -- across the board -- I find this tack to be missing a big piece of the puzzle: the end user.

No matter what you do and how much effort you put into it, there is no way for you to technologically remove the onus from the end user. This is always the linchpin in any security architecture. If a person gives someone the keys and security code to his house, he shouldn't be surprised to see that person sitting in his living room drinking his beer when he comes home. Similarly, if a user gives away his credentials -- intentionally or unintentionally -- to his online account, he shouldn't be surprised if the account becomes compromised. What more can we possibly do to protect the users from themselves?

The one clear thing most organizations aren't doing to combat this problem is security awareness training and education for end users. I know many people don't bother with this because they think it is a lost cause, but the more knowledgeable end users are about the risks, the less likely they are to become victims of phishing and other attacks based on "tricking" (social engineering). The less likely your users are to become "victims," the less likely you are to lose time and money because of these attacks. At the very least, if we could get all of our applications' users to run up-to-date antivirus software and quit clicking hypertext links presented in emails to access our sites, we could significantly decrease the number of successful incidents against our consumer base.

I suggest we include awareness training in our security planning and enact processes and procedures that make users aware of their responsibility for protecting their own accounts. This might be as simple as taking the "legalese" in the end-user agreement and reformatting it into an easy-to-understand "checklist" of things customers should and should not do to best maintain the security of their accounts -- and making sure customers actually read this new version before giving them accounts.

It might also include making users re-verify their acceptance of these conditions on a semi-yearly or yearly basis, so that you can incorporate any new suggestions drawn from recent exploits and help maintain the end user's awareness. In other venues, I have advocated the use of "tests" to validate the user's understanding of the requirements, as well as end-user agreements that indemnify the organization from any liability whatsoever if the user fails to follow these requirements. Maybe that's a little overboard, but as the pressure to "protect the user" continues to increase, it may become necessary.

Protecting your application goes much further than making sure you eliminate any vulnerabilities in your code and encrypting data in transit and at rest. If your users don't understand their important role in the equation, nothing you do is going to stop your system from being successfully attacked. Today, it is necessary for everyone involved in application development, deployment, usage and maintenance to understand the broad range of what "security" means. Those organizations that actively plan to address all aspects, including end-user awareness training, will be much more successful in providing a secure application.

About the author: Ken Salchow has been employed by F5 Networks Inc. for the past six years where he has served in several capacities. He has a bachelor's degree in information technology from Minnesota School of Business, numerous industry certifications ranging from networking to forensic examination and nearly 20 years of practical enterprise information systems experience. In addition, he is the owner/operator of Binary Forensics LLC, a boutique computer forensics lab serving the legal community in criminal and civil litigation.

This was last published in August 2006