Thanks for visiting. Questions or thoughts? drop me a note.
See home page or view next case study: security dashboard.
GitLab is an open-core single application serving development and operations teams in software development. I served as a senior product designer on the Secure and Protect UX team, where I focused on designing an experience that enables contributors and teams to commit their most secure work and to defend what they have in production. I lead design on the auto-remediation feature, which is a web security feature with the long-term objective: fix security vulnerabilities in production automatically without human involvement. The users are: 1) developers, who are responsible for committing secure code; and 2) security professionals, who are accountable for an organization's application security.
Why is this valuable to customers? Thinking big: auto-remediation removes the guesswork of identifying and fixing known vulnerabilities by the system automating the workflow. The key innovation: fixes are applied to production code while the customer sleeps. This customer value gives time back to their teams and ensures a more efficient application security workflow. It’s not just the time saved fixing vulnerabilities, it’s also the time saved investigating the detected vulnerabilities. When it comes to web security, no application will ever be 100% secure. That’s why our team’s core focus is: integrating automation into every step of the user’s workflow, facilitating improved decision-making, and helping users understand their risk.
My role and objective: 1) identify customer value, 2) ensure consistent user experience across multiple scanners/languages, and 3) define and prioritize iterative steps toward automating the user’s workflow.
Leading a cross-functional discovery with a backend and front-end engineer. My first step: audit the existing user experience baseline. The findings included: 1) burdensome and time consuming manual remediation process on the user, 2) suggestions existed but were not being communicated to the user in the security dashboard or 3) the merge request when new vulnerabilities were committed.
Then, I started identifying what was on the horizon: supported languages, scanner vulnerability findings, and related solution/fixes database capabilities. Today, customers can use the feature for dependencies detected in a project and in the future for application containers (such as Docker). This foundational technical understanding outlined the dependencies we’d need to consider as we evolved, such as configuration requirements, outlining areas of divergence and opportunities for consistency in the experience. With an understanding of our long-term customer value goals, current UX, and engineering capabilities - I dove into the ideation and focused on the following questions to explore:
Based on the long term goal to automate fixes: broke down the objective into focused iterations:
Focusing on step one, the minimal viable change goals:
My ideation moved fast to get early feedback and shared learning. The first iteration review focused on the settings, configuration, and creation of the auto-created merge request. This surfaced the following findings, learnings, decisions needs, and questions:
Following my learnings from the kickoff ideation: the second turn focused on the user questions, promoting user-awareness of suggested solutions, related workflows of the problem-solution vulnerabilities. The findings, learnings, and questions:
Weighing the tradoffs, we commited our decisions and concluded with a discovery outcome report outlining a path forward including implementation to production, user research, and a follow up discovery. These steps optimized for delivery by: prioritizing the backend work while in tandem prototyping our workflow and getting it in front of customers for actionable feedback. For user testing, we wanted to answer the following:
I organized a research study and prototyped the workflow. Collaborating with our user research team: I prioritized a test script, recruited customers, and setup interviews. I found the following positive key insights: 1) users understood the communication about fixes, 2) learnability was validated when landing on the merge request list (per labeling), 3) the setup process was clear, in terms of configuration requirements, and 4) we observed 4 of 5 navigated to Security & Compliance section when tasked with finding the option to enable the auto-fix feature.
The insight that required action to improve: customers prefer that auto-created merge requests not be under a certain project user. Example: 4 of 5 participants said they'd rather and expected the author was the system or "bot". 2 participants said they might add a different project participant prior to enabling this feature. We already knew the major downside was that the feature was not out-of-the-box (and would require rework). But also, if users added another user to a project this would create the additional problem of an added seat - that is since the feature is for ultimate tier members, it would add additional cost to the account. We conducted a design and engineering discovery to look out how the following:
Partnering with engineering on a solution validation discovery, the results were: introduce a GitLab-Security-Bot user in the initial implementation. This solution was ideal given it 1) made the feature out-of-the-box ready, 2) low-cost, 3) works for on-premise and SaaS customers, 4) displayed and kept records of system actions, was 5) approved by the security team.
As with all iterative software: the story is never done, we keep iterating! Today, the team is releasing the above workflows to automatically create merge requests. Next areas of focus related to this feature are:
The source of truth lives in production. It started with an idea, then trial-and-error discovery, then prototype, then testing, then engineering, and now with users. I’m inspired by evolving the feature with the team and the continuous iterations toward automation.
Thanks for visiting. Questions or thoughts? drop me a note.
See home page or view next case study: security dashboard.