🎨 Design: DAST CI/CD Configuration Improvements
Problem to solve
After completing some recent research initiatives, we've learned that there are a few notable pain points throughout the DAST configuration UI. In preparation for DAST reaching Complete maturity by the end of FY23-Q1, we'd like to address some of those problem areas. This issue focuses on the following:
- Portions of the configuration UI are not clear or easy to understand.
- The current workflow to enable DAST requires users to navigate through several sections of the application. Jumping between sections is confusing and inefficient.
Note: This issue is for the CI/CD configuration UI only.
On-demand configuration updates are tracked in #351476 (closed).
Plan details
User experience goals
- Improve learnability by adding better explanations of the concepts and available options
- Rework the configuration workflow to minimize context switching
- Restructure the DAST configuration areas (CI/CD, On-demand, Manage DAST scans) to improve the relationship between CI/CD & On-demand configuration.
Intended users
JTBD
- When I am configuring a CI/CD security scan, I want to specify which assets need to be scanned and under which circumstances, so that I can ensure my assets are secure prior to or at their release.
- When I am configuring a security scan, I want to specify which types of vulnerabilities the scan should detect, so that we don't waste time sorting through irrelevant findings.
- When I am either enabling or configuring a security scan, I want to run a demo scan, so that I can validate my configuration before it is implemented.
Additional information
- DAST API has been combined with API fuzzing to create the API Security category. Should the DAST configuration workflow separate website scans from API scans? Does this impact profiles?
- DAST and fuzzing share the concept of "profiles". We should explore how to unify the concept going forward.
- More to be added...
Related Research & Recommendations
- DAST CMS - Viable
- UX Audit: DAST CI/CD configuration UI
- UX Audit: DAST on-demand configuration UI
- UX Scorecard: Dynamic analysis configuration
Proposal
Edited by Michael Fangman