Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Secure Stage / 15 May 2020
GitLab / Secure Stage / 15 May 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Secure UX issue: show on group security dashboard when security tests are not configured

Description

reviewing issue: https://gitlab.com/gitlab-org/gitlab/-/issues/13298
0:00 - 2:15 context and problem overview
2:15 - 3:45 proposal review
3:45 next questions/considerations

A

Hi, I'm kyle from the secure UX team and today we're reviewing a narration to help with the following. Let's outline the problem, when looking at the group dashboard, it's unclear what projects are being tested or not being tested. Additionally, some of the data reported in the screen- we're looking at now may be out of date due to pipeline failures or having not run for a certain time, also as an information design, fundamental sighting, the data source of the data being displayed is crucial, such as the time.

A

So in our case, the latest successful pipeline runs from project and then the source. What are the projects that were getting this data from these citations are not noted in the UI. A few other notable issues are projects intended to be tested, but are not being tested or worse than a vulnerability.

A

It's a sort of vulnerability in itself as a project as there are no scans to document the vulnerabilities in that project for a user know where testing is taking place, there's also no easy way to do this other than going from project to project which would be burdensome for larger customers, though the testing status is shown on the configuration page, which is at the project level, and this is a step forward at the project level, to help with that problem. Something I note on this page. Is we see the scans available to the user?

A

If the project UI and what's nice about this, is they have understanding of how their project quickly have understanding how their project set up with security scans and as we roll out new features? This also helps promote them and make them visible to the user. So some things that we may see here soon are some examples of that status to help them know and then also to promote it. Our secret detection for scanning and suggested solutions, feature and security gates activation.

A

Just a few examples of what we could have here, too, promote those things and to give status so going to the original problem on the group dashboard. Taking a look at the proposed solution here, we're looking at the layout and where this would live, which is down here in the aside. Taking a closer look at the society.

A

We see projects that are being skinned here in this first tab, citing the data source of the vulnerabilities list for the more work organizing them by when the scan was last successfully made so showing the displayed within the last five days, if more, fifteen thirty or sixty or more days with the projects with the most delayed scans, showing at the top. Since these need the most attention, because it could be a failed pipeline or the source of putting old data on the screen in the next tab.

A

We display projects that are not yet enabled, with security scans, helpful starting point for a user wanting to apply scans across projects. So they can just see an immediate sort of to-do list here and they can jump to these projects and I had the security jobs. As they see fit, and then it's sort of a living breathing audit list here of what projects do or don't have testing, so we don't put that burden on the user.

A

Some follow-up considerations to this could be specifying the exact scan type that's being referred to and the early embassy we scoped it down to just showing if one of the four scanners I'm omitting license scanning since that doesn't display information in the dashboard. So if one or the four of them are configured, then that is that constitutes for testing. So follow-up Federation could be step further, specifying that so the user knows maybe it's two or four or whatnot.

A

So it's a little bit easier to audit what projects have what and also it may be helpful to further show what projects have our vulnerability check feature again, something that could promote the future, we're looking at adding that to the project level, but if it was also visible in something like this area or elsewhere at the group dashboard, the customers could have an understanding of where that check is applied and also again going back to promoting that. That feature exists that they can use it, so it's promoted in the UI that way. Okay!

A

Well, thanks for watching added the related issues to the descriptions for any thoughts or feedback, I would love to hear from you and yeah. Thank you.