Design isn’t just about making websites and applications look nice; it is also ensuring they are functional, practical, and safe. Whenever you complete a design project, you should always place emphasis on the security of your finished product. Fortunately, the Open Web Application Security Project (OWASP) has compiled a top-10 list of critical (and common) security risks in web applications, and paying close attention to this list can help designers be more secure in their designs. Not all the items on the list pertain to design and usability, but here are the most important issues designers should remember:
Insufficient Attack Protection
Although not an item on the most recent OWASP list, insufficient attack protection has featured prominently before and remains an issue that you should be aware of. For example, you should take measures to track and prevent repeated attempts to access an application, which is a strong indication of an attack. Most designers limit login attempts, provide minimally informative error messages, and implant other security measures to protect against this kind of attack.
You should also equip your own devices with maximum internet security, which can prevent your projects from being attacked even before they are released to the public. Insecure apps in the design and development phase have been infiltrated before, and you don’t want to encourage use of a compromised product.
Injection and Cross-Site Scripting
Injection and cross-site scripting (XSS) are two-attack techniques that take advantage of poor design. The former is using an otherwise innocent text field, like a form, to enter malevolent code, and the latter is an injection attack that utilizes vulnerabilities in user-entered content.
Today, the attacks seem relatively simplistic — they are easy to execute and equally easy to guard against — but that shouldn’t allow you to forget about them. The best solution is limiting the characters in a field, both by length and necessity. For example, it’s unlikely that an address field needs special characters like, “$*&@^%#,” and they usually need fewer than 35 characters total. These limitations largely prevent effective attacks.
Broken Authentication and Session Management
You should always be concerned that users are who they say they are. For most projects, authentication will always be a headache because the human brain is not adept at memorizing meaningless codes or strings of characters necessary for true security. As a result, passwords and encryption keys become weak, shared, or otherwise easily crack-able, and your application becomes insecure.
It is important to test, retest, and pay attention to username and password creation and management methods. You shouldn’t be experimenting with these pages; instead, you should try your hardest to make these security measures as familiar and practical as possible. This means following guidelines on designs for authentication as well as supporting users in password generation, storage, and retrieval. You should also enable features necessary for the use of password safes or management tools, which allow users to create strong, uncrackable passwords without remembering them.
Broken Access Control
There should be plenty of pages and tools most users will never see, but if you are lax about security by design, your access control might become broken, giving any hacker a look at sensitive information. You should be careful to clear out old, defunct webpages and monitor drop-down menus for unwanted user options. To ensure your access control remains intact, you should work closely with user experience professionals to understand user flows and paths. Additionally, you should consider your URL structure, which might give clues that help hackers manipulate the pattern to gain access.
Users often make security mistakes because this misunderstand or fail to care about security. You can help your users configure security appropriately through your design. First, you should provide safe default settings your users can rely on, including shipping with strong passwords — which has recently been a notorious issue with IoT devices. You should also pay attention to the wording used in error messages, so users do not dismiss the warning without reading or comprehending the issue.
Finally, you might consider adding automatic scanning for security misconfigurations. Then, you can alert users to insecure settings and encourage users to make necessary updates. Major websites, including Facebook, Twitter, and Google, periodically urge users to review permissions and backup authentication credentials. You can use these sites as examples for your strong, secure design.