How to use Behavior-Driven Development (BDD) to design software with villains in mind

Or "How to design software with evil villains in mind"

As software developers and development leaders, we strive to create software that's not only functional but also secure. We work hard to identify potential cyber security risks and vulnerabilities and implement preventive measures. But despite our best efforts, some individuals will always seek to exploit any weaknesses in our software. That's where the concept of cyber security personas comes in.

Cyber security personas make the risk personal

A cyber security persona is a fictional character created to represent a potential attacker or misuser of your software. Much like traditional software personas, cyber security personas are a way to communicate a profile and behaviors consistently across your team, and they are a tool for design, development, and testing.

By thinking like a potential villain, you can better anticipate and prepare for their possible attacks. This approach lets you design your software with cyber security in mind from the outset rather than trying to bolt it on afterward.

Creating cyber security personas involves thinking about who might want to attack or misuse your software and their motivations. 

For example, if you're building an online banking application, you may have cyber security personas with many different profiles, such as:

  • A fraudster who wants to steal users' financial information

  • A malicious insider who has access to sensitive data and wants to exploit it for personal gain

  • A political campaigner who wants to disrupt the bank's services to reinforce their political message

When personas meet behaviors

While a persona captures the profile of a person or group, it doesn't define or communicate their behaviors. We can build on our cyber security personas using Behavior-Driven Development (BDD) techniques to capture potential misuse cases.

BDD is a software development methodology that defines and tests software behavior from the user's perspective. By using BDD to capture misuse cases, you can better understand how potential attackers might exploit your software.

This moves our cyber security conversation from "a malicious insider wants to steal our information" to "a malicious insider will take the following steps, using the following resources to steal x type of specific information." As we move from personas to BDD, we make the threat more specific — which creates clearer cyber security requirements.

Getting started with BDD for cyber security personas

To capture misuse cases using BDD, start by defining the desired behavior of your software. This might involve creating user stories or scenarios that describe how your software should function. Then, think about how each cyber security persona might attempt to exploit or misuse your software in ways contrary to the desired behavior. 

For example, a fraudster might attempt to access another user's account or steal financial information, while a malicious insider might attempt to access data they're not authorized to view. These new personas and misuse cases can help you to develop more robust testing scenarios, helping you identify and fix potential cyber security vulnerabilities before they can be exploited.
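
One way to turn the fraudster and malicious insider misuse cases above into executable Given/When/Then checks, as an added example that is not part of the original article. The `Bank` class, its access rules, and the names alice, bob and ivan are constructed for illustration and stand in for the real application.

```python
from dataclasses import dataclass, field

@dataclass
class Bank:
    """Toy system under test (hypothetical stand-in for the real application)."""
    owners: dict                                     # account id -> owning customer
    balances: dict                                   # account id -> balance
    support_cases: set = field(default_factory=set)  # (staff, account) with an open case
    audit_log: list = field(default_factory=list)    # every attempt, allowed or not

    def view_balance(self, actor, role, account):
        allowed = (
            (role == "customer" and self.owners.get(account) == actor)
            or (role == "staff" and (actor, account) in self.support_cases)
        )
        self.audit_log.append((actor, role, account, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{actor} may not view {account}")
        return self.balances[account]

def attempt(bank, actor, role, account):
    """'When' step: the persona tries the action and we record the outcome."""
    try:
        bank.view_balance(actor, role, account)
        return "allowed"
    except PermissionError:
        return "denied"

def new_bank():
    """'Given' step: constructed sample data shared by the scenarios."""
    return Bank(owners={"acct-1": "alice", "acct-2": "bob"},
                balances={"acct-1": 100, "acct-2": 250},
                support_cases={("ivan", "acct-1")})

def scenario_fraudster_reads_another_customers_account():
    # Given the fraudster "bob" is logged in as a customer who owns acct-2
    bank = new_bank()
    # When he requests the balance of acct-1, which belongs to alice
    outcome = attempt(bank, "bob", "customer", "acct-1")
    # Then the request is denied and the attempt is recorded in the audit log
    return outcome, bank.audit_log[-1]

def scenario_insider_reads_account_without_open_case():
    # Given staff member "ivan" has an open support case for acct-1 only
    bank = new_bank()
    # When he requests the balance of acct-2
    outcome = attempt(bank, "ivan", "staff", "acct-2")
    # Then the request is denied and the attempt is recorded in the audit log
    return outcome, bank.audit_log[-1]
```

Each scenario returns the outcome and the last audit entry, so the "Then" step can assert both that the misuse was blocked and that it left a trace for detection.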

Cyber security by design means designing for misuse

We can all agree that designing software with cyber security in mind is critical in today's world. By creating cyber security personas and using BDD to capture potential misuse cases, you can better understand how your software might be exploited and design it to resist possible attacks. 

By taking these steps, you can develop functional and secure software, giving your users the peace of mind they need to trust your application with their sensitive data. Best of all, these approaches make cyber security much more human and relatable, encouraging the wider team to get involved to help make your applications and software a little more secure.
