Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Secure Stage / 27 Oct 2020
GitLab / Secure Stage / 27 Oct 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: UX Showcase - DAST scan site validation

Description

No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).

A

Hey I'm annabelle gray and I'm a product designer for secure, dynamic analysis and in this uh showcase I'm going to talk about desk and site validation.

A

Das stands for dynamic application security testing, it analyzes your running web application for known runtime vulnerabilities within gitlab. It runs, live attacks against a review app, which is created for every word request as part of gitlab's ci cd capabilities users can provide http credentials to test private areas. Vulnerabilities are shown in line with every merge request in addition to those desk scans. We also have on-demand desk scans and the job to be done, for that is.

A

As a security analyst, I would like to be able to scan my site or application for das vulnerabilities without having to create a merge request and to and trigger a pipeline to run so that I can reproduce and evaluate vulnerabilities on demand, and this is more similar to what you'd expect from another das tool.

A

It would run a scan against a live website, um perhaps on a schedule or just at any time that you want an on-demand deskton is comprised of a scanner profile and a site profile, and this is this is where uh my issue takes place within site profiles. So the mvc looks like this and it's uh you add a profile name, you choose your site type target site and then you've got this validation, toggle validating your website means that you can run active scans against it. So you can actively attack your website for known vulnerabilities.

A

Active scans like this, can slow down a website or take it down completely. So it's something that you want to be careful doing. You probably don't want to run it on production, or only do it at specific times, and we want to make sure that if you're going to use gitlab's dash tool to run an active scan that you actually own that website and you're, not just attacking other websites.

A

So in order to ensure that you do own that website, we offer these methods. You can choose a validation method, for example, meta tag. Validation. You add that to your website, push that to production and then confirm the location and validate once that has been confirmed. You can go ahead and run your active scans against that website.

A

In the current design, this toggle does a couple of things: it you, you click that and then you can see this form show up, but before that it's um it's triggering a request in the background to check, if that url has already been validated if it hasn't been validated, this appears just as it is shown right here. If it hasn't validated, it shows a banner and says your site's been validated. You can run active scans, so within the entire site profile form it's doing three things you create your overall site profile.

A

You're also checking the status of the validation on that url, and you can potentially validate that url all within this one form, so it got it gets a little complicated, but um this flow does work. The reason I open the issue to begin with is just because I thought that it should be a checkbox instead of a toggle based on our docs.

A

A toggle should be used when the results are effective, noticeable immediately and there's no need for user to click a submit button because it confuses users and dilutes the experience by preventing instant results. So it made sense to use a checkbox, and I thought this would be a relatively quick change and I was so wrong. um So the first solution I came up with was using this checkbox and also keeping all of the options in view at all times, rather than showing and hiding.

A

That was um that immediately came up with so many problems, because at least when we were hiding it originally, we were able to be able to click that send that request to check the status and then populate this with the correct data before you could see it. So, for example, this step three confirm location should match the target type that you put in before.

A

If everything is shown right off the bat we needed to come up with defaults for here and- and here I guess uh which could change depending on when you updated the target site, so that was already kind of a little bit of a weird interaction um there that was yeah one of the problems. Another problem was just that the inputs had to be disabled and enabled at various points throughout the flow.

A

While things were loading or checking or or working through, uh another option I came up with was okay: what if we got rid of the check box and toggle all together, just make it even simpler?

A

um In this case, the background check background check the uh the check to see the validation status would happen when this input loses focus and if it has not been validated previously, then you would follow the same steps if it has been validated on a different profile.

A

You could get that same banner. That says it's validated, but this is where some of the weird experience comes in. If you have validated this url on a different profile, you're not going to see the validation method that you used on that because it doesn't actually matter so we would have to just hide this entire box and it just it might cause some some strange.

A

Strangeness, so, throughout this entire issue, um I was collaborating a lot with the back-end developers and front-end developers and designers and um recorded a number of videos on different concepts and asked questions, and I got so much great feedback.

A

um So after all of my back and forth on this, what I thought was so simple: just you know, sub out a couple things um two themes kind of emerged: one was the tightly coupled.

A

They were too tightly coupled the validation portion and the site profile portion. If we could pull that out, it would make the site profile creation so simple, and then that validated url could be used to cross site profiles with no problems. The other problem or the other theme that came out a lot was revoking that validation, and this is another reason why the toggle and the checkbox weren't great.

A

um They weren't. They don't work as you might expect, because toggling this off or unchecking, it doesn't actually affect the validation once it's already been validated. So at the moment you cannot invalidate it, and I don't know if there's even an issue for that yet so we wanted to incorporate that too. There are lots of use cases for wanting to revoke validation, uh mostly because you might not want certain users actively attacking your website.

A

So the solution that I came up with next was: let's try removing validation from site profiles and the concept I came up with was here's your site profile now and it's exactly as it has been in the past. It just does not include that validation portion, so you would save your profile and you would be dropped onto the manage das scans page, which also already exists, but the difference here is that we've included validate target site button on every single row.

A

In this example, you can see that this row and this one and this one all have the same base domain, which is example1.com if you click validate on the first one you're you're taken to this modal, which looks familiar it's exactly the same as the content from the previous validation section. You follow the steps as usual. You click validate and immediately you see validating on every row that shares that same base.

A

Url um this shouldn't take that long, but at any point you can leave and come back and it should still be validating um once it's finished, it'll just stay validated and every single url or every single profile that uses the space url is validated, and that includes any new profiles you make um and then you'll notice that these have also been changed to revoke validation for those validated urls.

A

If I wanted to revoke that, uh you would click that another modal pops up and I'm thinking it might be useful to know how many other profiles will be affected. If you revoke this validation, we could even list them. If that's helpful, I'll need to check check with the pm and check with some users to find out if that's something they want click revoke, and these are no longer validated and you can go ahead and re-validate them if you want to, but you'll have to start from scratch.

A

So that is the concept I came up with it, it's still being discussed, but it's received mostly positive feedback, because it makes a little bit makes things a little less complicated on the site, profile creation side.

A

I imagine this will be split into at least two iterations one just to take the validation section out of site profiles and put them on the profile, library page and then a whole separate set of issues to get revoke, revoking the validation feature uh into the product as well, and that's that's all I got, and I wanted to thank everyone um that contributed to that issue, especially camellia, paul, phillip, derek and justin, because this was a great example of collaboration, asynchronous collaboration mostly, and I'm really I'm just really excited about where it ended up.

A

So thank you.