Skip to content

JTBD Validation: Static Analysis Group

Overview

I worked with @tmccaslin on coming up with a list of JTBD for the Static Analysis group. Now we need to a) validate them with our target personas and b) make sure we're not missing any.

JTBDs (current list)

Top level JTBDs
  • I want to ensure I’m not creating security issues with my changes
  • I want to understand why something is considered a security issue
  • I want to know what to do to remediate a security issue I introduced
Sub JTBDs

General:

  • When committing changes to my project, I want to be made aware if I am adding risk through vulnerable code, so that I know my changes can be merged without increasing the risk of my project. (Secure JTBD; not group-specific)

Discovery:

  • When security features are updated I want to know about it so that I can ensure that my org's security plan stays up to date. Note: Determined out of scope

Initial scanner setup & configuration:

  • When I'm enabling SAST, I want the ability to configure the analyzers in a way that works best for our org, so that we don't waste any time sorting through invaluable vulnerability findings.
  • When the SAST configuration is changed by someone in my org, I want to see what changed, when it was changed, and who changed it, so that it's auditable if I have any questions later on.
  • When I'm creating a new project, I want to understand what the SAST analyzers are doing so that I better understand their vulnerability findings.

Daily use/ Maintenance

  • When I've done custom configuration to my scanner, I want it to always work so I'm always getting successful security scans on my code.
  • When I want to leverage a GitLab Secure capability, I want to understand how ci files work so that I don't break my security scanners.

Vulnerability Management:

  • When vulnerabilities are detected in my code, I want GitLab to help me find a solution, so that I don't waste time trying to figure it out on my own and risk being wrong. (Primary)
  • When vulnerabilities are detected in my code, I want to know that they're relevant and accurate so that I don't waste time looking into false positives. (Secondary)
  • When security vulnerabilities are found, I want to focus on high risk ones so that I can prioritize my time and effort on finding solutions. (Secondary)
  • When vulnerabilities are detected in my code that I can't solve on my own, I want to get input from my team so we can successfully address the vulnerability. (Secondary)
  • When I'm viewing a list of vulnerabilities across the project, I want to know that they're being handled in a timely manner so that our application stays protected at all times. (Secondary)

Next steps:

  • Complete discussion guide (Covers both personas, Sasha, Software Developer, and Sam, Security Analyst)

  • Complete a screener (Google docs template | Qualtrics final screener)

  • Create recruiting request: https://gitlab.com/gitlab-org/ux-research/-/issues/878

  • Have conversations with 8-10 people (4-5 devs, 4-5 security analysts) at least 6 participants who fit the persona profile

    • Understand what they do, what their job entails, what their tasks are, then validate specific tasks from Mural if they don't come up ("Is this something that you do?").
    • Validate the tasks, and then map that back to JTBD
    • (Last 15 min: Here are all the tasks I have jotted down. See if any are missing and then rank them in order of most important to you.)
    • Don't necessarily need to be GitLab users; we're not asking them about the product, we're asking them about the job. (If we get someone in the study who does use gitlab we may tack that on at the end.)
    • Kickoff with some pilot sessions with security team internally: 30 min task validation/ 30 min tool walkthroughs (pain points, likes)

  • Consider whether any JTBD should be rewritten or new ones added.

  • Share research results with Taylor for feedback; make changes, if any

  • Share research results with Secure team (PMs, devs, designers, researchers, managers)

Warmup sessions (with internal security team)

Date Time Participant's team
May 21, 2020 12:30-1:30 CT James Johnson (Staff Security Engineer, Vulnerability Research)
May 22, 2020 9:30am-10:30am CT Jayson Salazar (Senior Security Engineer, SecOps)
May 22, 2020 10:30am-11:30am CT Dennis Appelt (Staff Security Engineer, Security Research)
May 26, 2020 2pm-3pm CT Steve Manzuik (Manager, Red team)

External user interviews

Participants

Name Scheduled Status
David Berish Monday June 29, 8am PDT Completed
Vijit Mishra Monday June 29, 4pm PDT No show
Wes Cole Tuesday June 30, 8am PDT Completed
Gabriel Maldonado Friday July 3, 2pm PDT Completed
Stan Zajdel Thursday July 2, 3pm PDT Completed
Nanda Kumar Friday July 3, 8am PDT Friday, July 10, 8am PDT Completed
Hema Kumar Friday, July 3, 12pm PDT Friday, July 10, 12pm PDT No show
Juliano Macedo Thursday July 16, 1pm PDT Completed

cc @loriewhitaker @tlavi @tmccaslin @vkarnes

Edited by Becka Lippert