
UX Audit: DAST on-demand configuration UI

Summary

As part of Secure: Scan Configuration Evaluation, we are performing an audit of the states and UI patterns for every security scanner with a configuration interface. The goal of the audit is to identify patterns and inconsistencies and create recommendations focused on improving consistency and learnability between the scanners. This issue is to track and document findings for DAST on-demand configuration.

The parent issue that documents all scanners being audited is linked below:
👉 #340334 (closed)

📋 Plan

  • Identify relevant JTBD
  • Evaluate the configuration process and document existing workflows (user flows)
  • Capture screenshots of the configuration interface including all possible states
  • Review any new or upcoming configuration changes for on-demand DAST scans and note anything that deviates from the audit findings and/or adjust findings accordingly
  • Document findings in an easy to digest way

💼 JTBD

  1. When I am configuring a security scan outside of CI/CD, I want to specify which assets need to be scanned and under which circumstances, So that I can ensure my assets are secure in production.
  2. When I am configuring a security scan, I want to specify which types of vulnerabilities the scan should detect, So that we don't waste time sorting through irrelevant findings.
  3. When I am configuring a security scan, I want to specify which types of vulnerabilities the scan should detect, So that we don't waste time sorting through irrelevant findings.

📷 Screenshots

See design section below

🚶 Workflow

🎨 FigJam File

📄 Relevant issues

On-demand

  1. Allow saving On-demand Scans with "active scan" & "unvalidated site" config
  2. deleting DAST site/scanner profiles being used in a DAST scan
  3. Review behavior of scheduled DAST Scan for removed user
  4. Generate DAST CI snippet from saved scan

General DAST

  1. Show better error descriptions
  2. Authenticate before running full DAST scan
  3. Profiles
    1. "Multi-page" option to Site profile authentication (design complete, implementation planned) 👈 notable design changes
    2. "Submit button identifier" option to the Site profile authentication (design complete, implementation planned)
    3. DAST Site profile: Header addition redesign (design complete)
    4. Reorganize scanner & site profile library (design proposed)
    5. Allow user to validate site profile from New on-demand DAST scan page
    6. Filter scanner/site profiles
    7. Restrict specific profile features to certain access levels
    8. Add additional customization options for scanner and site profiles

💡 Findings

Does the DAST on-demand configuration UI address the JTBD?

1 of 3 JTBD can be addressed using the DAST on-demand configuration UI

  1. ✓ JTBD 1 is addressed with DAST Site profiles
  2. 𐄂 JTBD 2 is only partly addressed by DAST Scanner profiles, which offer little granularity: users can choose only between an active and a passive scan. Finer control, such as excluding individual DAST rules or URLs, is currently possible only through CI/CD variables in the .gitlab-ci.yml file, and CI/CD variables do not apply to on-demand scans.
  3. 𐄂 JTBD 3 is not directly addressed within the DAST configuration flow. There is no way to run a "demo" scan from the UI to validate the configuration before the real scan.
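For comparison, the following .gitlab-ci.yml fragment shows the rule-level scoping that is available to a DAST CI/CD scan but not to an on-demand scan. It is an added example written for this audit and is not code from the issue or from GitLab itself; the target URL, the excluded path, and the rule IDs are assumed placeholders chosen for illustration.

```yaml
# Added example (not from the audit issue): a DAST CI/CD job that narrows
# what the scanner reports. On-demand scans only expose the active/passive
# choice via the scanner profile; the DAST_EXCLUDE_* variables below have no
# on-demand equivalent.
include:
  - template: Security/DAST.gitlab-ci.yml

dast:
  variables:
    # Assumed target; in CI this is the app under test, not production.
    DAST_WEBSITE: "https://staging.example.com"
    # Active scan: the same active/passive switch a scanner profile offers.
    DAST_FULL_SCAN_ENABLED: "true"
    # Rule-level scoping (CI/CD only): skip checks whose findings this team
    # triages elsewhere. The IDs are illustrative placeholders for ZAP rule IDs.
    DAST_EXCLUDE_RULES: "10021,10096"
    # Path-level scoping (CI/CD only): keep the crawler off the logout route so
    # an authenticated scan is not silently demoted to an unauthenticated one.
    DAST_EXCLUDE_URLS: "https://staging.example.com/logout"
```

Because on-demand scans read none of these variables, a team that relies on DAST_EXCLUDE_RULES to suppress known-noisy checks gets a different finding set from an on-demand scan than from its pipeline scan of the same site, which is the granularity gap noted under JTBD 2.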

Findings unique to DAST on-demand

  1. On-demand scans differ from other scanners because they can be run immediately (once configured) or scheduled for a later date
  2. On-demand scans have a different primary entry point than the other security scanners.
    1. Entry point path: Security & Compliance > On-demand Scans [→ New DAST scan]
    2. Users can still navigate to the on-demand DAST scan creation UI from the Security & Compliance > Configuration page, but the flow requires a few additional steps.
      • Path is as follows: Security & Compliance > Configuration > Manage [DAST] scans > New DAST scan
  3. The configuration process is closely tied to the DAST CI/CD config process, but requires additional input including a scan name, description (optional), branch, and schedule (optional)
  4. On-demand scans can be saved for reuse (currently there is no option to run a scan without saving it)
  5. Profiles are shared with DAST CI/CD scans (Not really "unique" but worth noting)

See the DAST CI/CD audit for additional insights into DAST

Edited by Michael Fangman