We’re designing an experience that enables contributors to commit their most secure work and to defend what they have in production. This is done by merging security into the DevOps process, giving development teams more ownership, commonly referred to as DevSecOps. The experience brings cross-functional stakeholders together to make better, faster, and more security-oriented decisions. We are doing this by focusing the experience on automation, education, empowerment, and shifting security to the left.
Automation relates to convention over configuration, which helps draw a clear path for the user to produce meaningful results. When it comes to web security, no application will ever be 100% secure. That’s why we are focused on integrating automation into every step of the user’s journey, taking the guesswork out of configuration to free up more time for what’s important: resolving known vulnerabilities and identifying attacks or threats.
Education for our users means they understand security basics and are aware of the security needs of their applications. We want our users to know where vulnerabilities or threats have been detected, to visualize the implications, to be presented with resources for understanding the problem, and to have the tools that facilitate informed decisions about next steps.
Empowerment for all users to resolve security issues is essential as cross-functional departments share ownership of security. Our tools strive for an experience where the developer is responsible and the security team is accountable for the organization's security.
Shifting left means taking things like QA and other processes typically found later in the ops cycle and moving them into development, so that security problems are addressed earlier and more often.
Organizations of all sizes benefit from our tools and from the experience of bringing teams together. We provide customers with value through workflow efficiency, informed team decision-making, a lower risk of security breaches, and meeting compliance requirements. We focus on all aspects of the product, starting with the customer experience. When deciding to use our tools, organizations are often considering the following:
We follow the GitLab workflow with additional dates and actions that directly tie to our work.
- M-1, 4th (at least 14 days before milestone M begins)
- M-1, 13th (at least 5 days before milestone M begins)
- M-1, 17th (at least 1 day before milestone M begins)
- M-1, 18th (or next business day, milestone M begins): Kick off! 📣
Part of our milestone planning activities includes factoring in the amount of effort required for each assigned issue. We use the following scale:
| Size | Weight | Description |
|---|---|---|
| Trivial | 1 | Mostly small to medium UI changes, smaller UX improvements, without unanswered questions. UX may need to stay involved with the issue but might not have to do work. |
| Small | 2 | Simple UI or UX change where we understand all of the requirements, but may need to find solutions to known questions/problems. |
| Medium | 3 | A medium change (lots of UI or UX changes/improvements required). Multiple pages are involved, and we're starting to design/redesign small flows. Some unknown questions may arise during the work. |
| Large | 5 | A complicated change where other team members will need to be involved. Spans across multiple pages, and we're working on medium-sized flows. There are significant open questions that need to be answered. |
| Huge | 8 | A complex change that spans across large flows and may require input from other designers. This is the largest flow design/redesign that we would take on in a single milestone. |
| Gigantic | 13 | A significant change that spans across multiple flows and would require significant input from others (teams, team members, user feedback), with many unknown unknowns. It's unlikely we would commit to this in a milestone; the preference would be to further clarify requirements and/or break it into smaller issues. |
The Secure and Defend UX teams are working together to uncover customers' core needs, understand what our users' workflows look like, and define how we can make our users' tasks easier. Our strategy involves the following actions:
Additionally, we value the following:
The source of truth lives with shipped features, therefore we:
Our Secure and Defend UX YouTube channel includes UX Scorecard walkthroughs, UX reviews, group feedback sessions, team meetings, and more.