UX Audit: DAST on-demand configuration UI
⚡ Summary
As part of Secure: Scan Configuration Evaluation, we are performing an audit of the states and UI patterns for every security scanner with a configuration interface. The goal of the audit is to identify patterns and inconsistencies and create recommendations focused on improving consistency and learnability between the scanners. This issue is to track and document findings for DAST on-demand configuration.
The parent issue that documents all scanners being audited is linked below:
📋 Plan
- Identify relevant JTBD
- Evaluate the configuration process and document existing workflows (user flows)
- Capture screenshots of the configuration interface, including all possible states
- Review any new or upcoming configuration changes for on-demand DAST scans and note anything that deviates from the audit findings and/or adjust findings accordingly
- Document findings in an easy-to-digest way
💼 JTBD
- When I am configuring a security scan outside of CI/CD, I want to specify which assets need to be scanned and under which circumstances, So that I can ensure my assets are secure in production.
- When I am configuring a security scan, I want to specify which types of vulnerabilities the scan should detect, So that we don't waste time sorting through irrelevant findings.
📷 Screenshots
See design section below
🚶 Workflow
📄 Relevant issues
On-demand
- Allow saving On-demand Scans with "active scan" & "unvalidated site" config
- Deleting DAST site/scanner profiles being used in a DAST scan
- Review behavior of scheduled DAST Scan for removed user
- Generate DAST CI snippet from saved scan

General DAST
- Show better error descriptions
- Authenticate before running full DAST scan
- Profiles
  - "Multi-page" option to Site profile authentication (design complete, implementation planned) 👈 notable design changes
  - "Submit button identifier" option to the Site profile authentication (design complete, implementation planned)
  - DAST Site profile: Header addition redesign (design complete)
  - Reorganize scanner & site profile library (design proposed)
  - Allow user to validate site profile from the New on-demand DAST scan page
  - Filter scanner/site profiles
  - Restrict specific profile features to certain access levels
  - Add additional customization options for scanner and site profiles
💡 Findings
Does the DAST on-demand configuration UI address the JTBD?
1 of 3 JTBD can be addressed using the DAST on-demand configuration UI.
- ✓ JTBD 1 is addressed with DAST Site profiles.
- 𐄂 JTBD 2 is partly addressed with DAST Scanner profiles, but they don't provide users with much granularity. Users can only choose between an `active` or `passive` scan. Currently, DAST rules must be configured using CI/CD variables within the `.gitlab-ci.yml` file, and CI/CD variables are not relevant to on-demand scans.
- 𐄂 JTBD 3 is not directly addressed within the DAST configuration flow. There is no way to run a "demo" scan to validate the configuration from the UI.
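For comparison, this is the CI/CD side of the same configuration, added here as an illustration and not taken from the original issue. It uses the DAST template and the documented `DAST_WEBSITE`, `DAST_FULL_SCAN_ENABLED` and `DAST_EXCLUDE_RULES` variables as they were at the time of this audit; the target URL and the excluded rule IDs are placeholder values. The point is that the rule-level control lives in these variables, so an on-demand scan, which has no `.gitlab-ci.yml`, only gets the coarse active/passive choice offered by the Scanner profile.

```yaml
# Added example, not from the original issue: CI/CD DAST configuration
# showing the rule-level control that the on-demand UI does not expose.
include:
  - template: DAST.gitlab-ci.yml

dast:
  variables:
    # Placeholder target; in on-demand scans this comes from the Site profile.
    DAST_WEBSITE: "https://staging.example.com"
    # Active (full) scan; the on-demand Scanner profile offers the same toggle.
    DAST_FULL_SCAN_ENABLED: "true"
    # Comma-separated rule IDs to skip. Placeholder values: this is the
    # granularity the on-demand UI lacks, so irrelevant findings cannot be
    # suppressed there before the scan runs.
    DAST_EXCLUDE_RULES: "10010,10011"
```

Because these variables are read from the pipeline definition, a team that tunes its CI/CD scan this way has no equivalent knob when the same Site and Scanner profiles are used on-demand, which is the gap noted against JTBD 2 above.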
Findings unique to DAST on-demand
- On-demand scans differ from other scanners because they can be run immediately (after being configured) or scheduled for a later date.
- On-demand scans have a different primary entry point than the other security scanners.
  - Entry point path: Security & Compliance → On-demand Scans [→ New DAST scan]
  - Users can still navigate to the on-demand DAST scan creation UI from the Security & Compliance → Configuration page, but the flow requires a few additional steps.
    - Path is as follows: Security & Compliance → Configuration → Manage [DAST] scans → New DAST scan
- The configuration process is closely tied to the DAST CI/CD config process, but requires additional input including a scan `name`, `description` (optional), `branch`, and `schedule` (optional).
- On-demand scans can be saved for reuse (currently there is no option to run a scan without saving it).
- Profiles are shared with DAST CI/CD scans (not really "unique" but worth noting).
See the DAST CI/CD audit for additional insights into DAST.

Edited by Michael Fangman