Secure - Audit of scanner configuration UI

Summary

As part of Secure: Scan Configuration Evaluation, we are performing an audit of the various states and UI patterns for every security scanner with a configuration interface. The goal of the audit is to identify patterns and inconsistencies and create recommendations focused on improving consistency and learnability between the scanners.

This audit includes the following scanners:

  1. SAST
  2. DAST CI/CD
  3. DAST on-demand
  4. Dependency scanning (minimal UI)
  5. Secret detection (minimal UI)
  6. API fuzzing

📋 Plan

  • Evaluate the configuration process for each scanner and document existing workflows (user flows)
  • Capture screenshots of each configuration interface including all possible states
  • Perform audit of all screenshots and workflows to identify patterns and inconsistencies
  • Document findings in an easy to digest way and share with the broader secure team
  • Review any new or upcoming configuration changes for each scanner and note anything that deviates from the audit findings and/or adjust findings accordingly

Audit capture progress: 7/7

This section will be used to track the progress for auditing each scanner.

Scanner                                                          Audit issue        Status
SAST                                                             #342661 (closed)   Complete
DAST CI/CD                                                       #342739 (closed)   Complete
DAST on-demand                                                   #342740 (closed)   Complete
Dependency scanning                                              #342737 (closed)   Complete
Secret detection                                                 #342741 (closed)   Complete
API fuzzing                                                      #342742 (closed)   Complete
Synthesize results of audit and generate findings/recommendations #343054 (closed)   Complete

Related issues

  1. Addition of IaC security scanning
    1. Enable via Configure via MR action on security configuration page; follows same config pattern as Dependency Scanning and Secret Detection
  2. On-demand/continuous fuzzing (coverage & api) (epic)
    1. The boring solution of continuous fuzz design
    2. Discoverability for on-demand continuous fuzz scan
  3. Fuzz testing corpus configuration and management (epic)

🥅 Goal

  • Document the workflows, patterns, and inconsistencies found across the configuration UI for each scanner
  • Create actionable insights and/or recommendations that are focused on improving consistency and learnability across the scanners.

Recommendations

Consistency

  1. Improve workflow consistency when enabling a security tool
  2. Align core concepts and design patterns used throughout the secure configuration area (tool configuration)
  3. Add better error handling and field validation throughout the secure configuration area (tool configuration)

Learnability

  1. Explore how we might introduce the high-level concepts of application security and how it works at GitLab throughout the UI and/or documentation
  2. Explore how we might empower users to better understand unfamiliar configuration options when enabling a security tool

Workflow

  1. Explore how we might guide users through the entire configuration workflow for a security tool
  2. Explore how we might make it easier to discover which security tools are enabled for a given project
  3. Explore how we might allow users to test and validate security tool configurations before introducing them into their development workflow
  4. Display the current configuration parameters when a security tool is in use