Microsoft used to be a horrid company with regards to their security, then they sat down and made security a quality gate – we do not ship if security is wrong. How do they know what is wrong? A 24 page guideline with 68 bullet points?! Perfect holiday reading
The security development lifecycle team has recently tried to help us developers improve our applications so we not the next company with a bad security issues with two acronyms which will improve security notices to our users: NEAT & SPRUCE
What is NEAT?
- N: Necessary – Only show messages that you need. If you can take a safe action automatically or defer the message, do that!
- E: Explained – If you do interrupt the user, explain in everything to the user. EVERYTHING?! Yes, and the SPRUCE acronym will help explain what everything is.
- A: Actionable – A message should only be presented to the user if there is steps the user can take to make the right decision.
- T: Tested – A security message needs to be tested. TDD, Usability Testing, Visual Inspection, every test.
So, we need to show the message now – what do we put in there? SPRUCE:
- S: Source – Why are we showing this message? Did a website do something or a file or a user action? Tell the user.
- P: Process – Give the user the steps they need to go through to make sure they make the right decision.
- R: Risk – Explain what the consequences of getting the decision wrong.
- U: Unique – If your software knows everything, do the right thing automatically. So if you are showing the message, it means the user has unique information that is needed to make the decision. Explain what information is needed (slightly similar to P).
- C: Choices – Show the user all the options and recommend the safer one.
- E: Evidence – Provide any additional information that the user may need to make the decision.
Now that the training is done, let’s look at real implementations:
A web page contains secure & nonsecure content
Here is what the dialog looked like in the bad old days of IE6:
In IE 9 where this logic has been applied:
Let’s look at the differences:
- N (Necessary) has been applied – previously this was a blocking model UI, which the user was forced to deal with to continue working. Today it shows discreetly with at the bottom and only if the user needs to work with this they have to, otherwise ignoring it.
- E (Explained) has had been done with the What’s the risk? – which shows the dialog below. It is not perfect as it hasn't followed SPRUCE fully but it is a good improvement.
- A (Actionable) has been applied – previously you had both a yes & no, now we have one action that can be done. Close or ignore and nothing happens.
- T (Tested) there is some weird language issues with the old one especially if English isn’t your primary language because of the yes/no not being perfectly clear. The new dialog has a single very clear labelled button!
Now that we have looked at how it can help you and how to do it, attached is a nice simple 3 page document with more details and reminders about this. GO IMPROVE YOUR APPLICATIONS!