I spent the better part of last week with a few of my 3Pillar colleagues in Las Vegas at the annual Black Hat security conference. What happens in Vegas may stay in Vegas, but I’ve always been a bit of a contrarian. That being the case, I wanted to share a few observations from my first time at Black Hat that others in the application security space may find insightful.
An effective user experience is necessary for any security product to be successful in a market that sees the number of vendors rapidly multiply each year. This is a thread that was echoed in a number of talks, including from 3Pillar’s own CTO Jonathan Rivers.
A couple of simple examples illustrate how untreated UX failures can have negative consequences on application security.
Take the dreaded mandatory annual security training. If an employee is bored and disinterested, then they will avoid the training as long as humanly possible, and when they finally cannot avoid it anymore, they will do the absolute minimum to check the compliance box. The structure of the training is important, but so is how it is presented. User research, prototyping, and analytics are all critical to building something that people actually want to use. When they want to use it, they will engage with the content and actually get something from the experience.
Similarly, UX plays an essential part in making security operations teams effective. Operations teams are bombarded with a constant flow of information, much of it background noise. An effective UX reduces the chance of missing that one critical alert. It’s not just about getting the right information; it’s about presenting it in a way that is usable in the moment.
In addition to the UX focus, one of my favorite parts of Black Hat was getting the opportunity to hear about tools that can be used to build solid, secure applications.
If you’re looking to add new tools to your security repertoire, here are a couple I was impressed with that you may also want to check out: Veracode and Checkmarx.
Both tools and vendors are on Gartner’s 2018 Magic Quadrant for Application Security Testing and are good, solid choices.
From an application build perspective, the best product was clearly Jscrambler.
Jscrambler can be added to your CI pipeline (think Jenkins) as part of your build or deployment actions. Licensing is a little strange, but persevere. It’s worth it.
If you like this Black Hat recap, help us spread the word about it via the Better Click to Tweet feature or the social media icons at the bottom of the post.
Couldn't make it to #BlackHat? Scott Young has you covered. See why he came away recommending @Veracode and @Checkmarx to build more secure #software + why he thought @JScrambler was best in show for application build tools.