Chris Shiflett, our CTO, went intercontinental in February and March 2009 to give well-received talks at two PHP-centric conferences for developers (including the closing keynote in Québec). His focus was a fresh approach to an old topic: web application security. Moving beyond the basics, Chris — who is the author of O’Reilly’s Essential PHP Security — inspired his audiences to consider the bigger picture and learn to develop secure (and superior) user experiences by considering both technical and social aspects of security.
Developers have wrangled with the technical side of security for years, and at this point, the typical security lapse is almost always a case of “pilot error.” At both PHP Québec and PHP UK Conference 2009, Chris widened the aperture to reveal security problems that aren’t simply technical vulnerabilities. By stepping back and acknowledging that working with PHP brings social implications and weaknesses, too, we’ll find there’s much we can do to engage or reassure users.
Businesses are beginning to fully grasp that the user experience is key to the success of a web site or application, and PHP plays a role — particularly in the areas of user behavior, credibility, and the user’s perception of security.
Perception can be as important as reality. Chris linked this to his interest in cognitive psychology, including change “blindness” and ambient signifiers, and used real-life examples that clearly demonstrate the profound impact human behavior can have on an organization’s security. For example, you may give users the perception that their choices on a site are private. If they discover that their private information actually can be accessed — not along obvious user paths but through searches — their perception of the company takes a hit. He also ventured into password anti-patterns, and took the audience on a tour of usability-related security problems at well-known sites.
Slides from his talk Security-Centered Design are available. Look, too, for his blog post on one such case, in which he underscores that this isn’t an either/or choice between social and technical security. PHP should be technically correct and enhance the user experience.
As one London audience member said of his talk, Security-Centered Design: Exploring the Impact of Human Behavior:
…offered some new and interesting perspectives… Full of quick-witted humor and obvious intelligence. By far the best talk of the conference.
The response from the PHP Québec audience was equally enthusiastic. Twitter comments on his London talk included “very interesting, mind boggling and entertaining,” “not the usual security talk, which is what made it interesting. It was the highlight of the conference for me,” “very inspiring,” and — especially intriguing for those of us who didn’t attend — “Thanks for the great talk, the cow paths idea will stick with me.”