
Secure UX



We’re designing an experience that enables contributors to commit their most secure work. This is done by merging security into the DevOps process and giving development teams more ownership, an approach commonly referred to as DevSecOps. The experience brings cross-functional stakeholders together to make better, faster, and more security-oriented decisions. We are doing this by focusing the experience on automation, education, empowerment, and shifting security to the left.

Automation means favoring convention over configuration, which draws a clear path for the user toward meaningful results. When it comes to web security, no application will ever be 100% secure. That’s why we are focused on integrating automation into every step of the user’s journey, taking the guesswork out of configuration to free up more time for what’s important: resolving vulnerabilities.

Education means helping our users understand security basics and be aware of the security needs of their applications. We want to show users where vulnerabilities have been detected, help them visualize the implications, present resources for understanding the problem, and provide the tools to make informed decisions about next steps.

Empowerment of all users to resolve security issues is essential, because cross-functional departments share ownership of security. Our tools strive for an experience where the developer is responsible and the security team is accountable for the organization's security.

Shifting left means taking activities like QA and other processes typically found later in the ops cycle and moving them into development, so that security problems are addressed early and often.

Our customer

Organizations of all sizes benefit from our tool and the experience of bringing teams together. We provide customers value with workflow efficiency, informed team decision-making, lower risk of security breaches, and attaining compliance requirements. We focus on all aspects of the product — starting with the customer experience. When deciding to use our tool, organizations are often considering the following:

Our user

We have different user types we consider in our experience design effort. Even when a user has the same title, their responsibilities may vary by organization size, department, org structure, and role. Here are some of the people we are serving:

Generally, developers are the users of the vulnerability reports in the MR/pipeline while security professionals are the users of the Security Dashboards.

Our baseline experience

Primary Jobs to be done (JTBD)

Our team

Our team continues to grow. We currently have 7 members who contribute to Secure UX efforts:

Our team meetings:

Our Structure

We've divided the Secure stage into dedicated experience groups to align with a similar split undertaken by our engineering and PM counterparts.

Static and Dynamic Testing

Experience Group: Security Testing
Features: SAST, IAST, DAST, Fuzzing, Container Scanning, Secret Detection
Designer(s): Camellia Yang

Experience Group: Code Scanning
Features: Scanning in Web IDE, MR Security Report, DevSec Code Review, Dependency Scanning
Designer(s): Annabel Dunstone Gray

Software Composition Analysis

Experience Group: Compliance & Auditing
Features: License Check, Security Gates, License Compliance, Bill of Materials, Auto-Remediate, Dependency Scanning
Designer(s): Kyle Mann

Experience Group: Audits & Policy Enforcement
Features: Audit reports, SLAs, Risk Acceptance, Policy Enforcement
Designer(s): TBD - we're hiring!

The Secure & Defend UX teams work closely together and have shared coverage in the following areas:

This segmentation gives us a better opportunity to:

How we work

Labels we use

We created 3 scoped labels to help us identify which experience group a particular issue falls into and which designer should subsequently be assigned.

Secure UX::Shared

Secure UX::Security Testing & Scanning

Secure UX::Compliance & Auditing

Meetings we host

We host a recurring 30-minute open meeting every week to discuss topics relevant to Secure design, UX, and research. Some example topics could include:

Some topics are better suited to a dedicated meeting, which should be set up on an as-needed basis:

Planning and grooming

Secure UX has a separate grooming session which takes place during the planning phase of a milestone. During grooming, we add the proper label to all issues requiring UX support.

Read more about how we've created these dedicated experience groups here.

Our strategy

The Secure UX team is working together to uncover customers’ core needs, understand what our users’ workflows look like, and define how we can make our users’ tasks easier. Our strategy involves the following actions:

Additionally, we value the following:

The source of truth lives with shipped features, therefore we:

Follow our work

Our Secure and Defend UX YouTube channel includes Experience Baseline walkthroughs, UX reviews, group feedback sessions, team meetings, and more.