
Secure UX

Overview

We’re designing an experience that enables contributors to commit their most secure work. This is done by merging security into the DevOps process, giving development teams more ownership, commonly referred to as DevSecOps. The experience brings cross-functional stakeholders together to make better, faster, and more secure-oriented decisions. We are doing this by focusing the experience on automation, education, empowerment, and shifting security to the left.

Automation means favoring convention over configuration, which draws a clear path for the user to produce meaningful results. When it comes to web security, no application will ever be 100% secure. That’s why we are focused on integrating automation into every step of the user’s journey, taking the guesswork out of configuration to free up more time for what’s important: resolving vulnerabilities.

Education for our users so they understand security basics and are aware of security needs in their applications. We want our users to know where vulnerabilities have been detected, visualize the implications, present resources to understand the problem, and provide the tools to facilitate informed decisions about next steps.

Empowerment for all users to resolve security issues is essential as cross-functional departments share ownership of security. Our tools strive for an experience where the developer is responsible and the security team is accountable for the organization's security.

Shifting left means taking things like QA and other processes typically found later in the ops cycle and moving them into development, so that security problems are addressed early and often.

Our customer

Organizations of all sizes benefit from our tool and the experience of bringing teams together. We provide customers value with workflow efficiency, informed team decision-making, lower risk of security breaches, and attaining compliance requirements. We focus on all aspects of the product — starting with the customer experience. When deciding to use our tool, organizations are often considering the following:

Our user

We have different user types we consider in our experience design effort. Even when a user has the same title, their responsibilities may vary by organization size, department, org structure, and role. Here are some of the people we are serving:

Generally, developers are the users of the vulnerability reports in the MR/pipeline while security professionals are the users of the Security Dashboards.

Our baseline experience

Primary Jobs to be done (JTBD)

Our team

Our team continues to grow. We currently have 6 members that contribute to Secure UX efforts:

Our team meetings:

Our Structure

We've divided the Secure stage into dedicated experience groups to align with a similar split undertaken by our engineering and PM counterparts.

| Experience Group   | Security Scanning & Testing | Compliance & Auditing         | Vulnerability Management | Status, Reporting & Metrics | IA & Core-functionality |
|--------------------|-----------------------------|-------------------------------|--------------------------|-----------------------------|-------------------------|
| Engineering Group  | Static & Dynamic Analysis   | Software Composition Analysis | Shared                   | Shared                      | Shared                  |
| Dedicated Designer | Andy Volpe                  | Kyle Mann                     | Shared                   | Shared                      | Shared                  |

This segmentation gives us a better opportunity to:

Workflow adjustments

Labeling issues

The best way to implement this is through the use of labels. We created 3 scoped labels to help us identify which experience group a particular issue falls into and which designer should be subsequently assigned.

Secure UX::Shared

Secure UX::Security Testing & Scanning

Secure UX::Compliance & Auditing

Grooming, planning, and assignments

Secure UX has a separate grooming session which takes place during the planning phase of a milestone. During grooming, we add the proper label to all issues requiring UX support.

Read more about how we've created these dedicated experience groups here.

Our strategy

The Secure UX team is working together to uncover customers’ core needs, understand what our users’ workflows look like, and define how we can make our users’ tasks easier. Our strategy involves the following actions:

Additionally, we value the following:

The source of truth lives with shipped features, therefore we: