
🎨 Design: DAST CI/CD Configuration Improvements

Problem to solve

Recent research initiatives have surfaced a few notable pain points in the DAST configuration UI. In preparation for DAST reaching Complete maturity by the end of FY23-Q1, we want to address the most problematic of them. This issue focuses on the following:

  1. Portions of the configuration UI are not clear or easy to understand.
  2. The current workflow to enable DAST requires users to navigate through several sections of the application. Jumping to different sections can be confusing and is inefficient.

Note: This issue covers the CI/CD configuration UI only.
On-demand configuration updates are tracked in #351476 (closed).

👉 Redesign scope guidelines

Plan details

User experience goals

  1. Improve learnability by adding better explanations of the concepts and available options
  2. Rework the configuration workflow to minimize context switching
  3. Restructure the DAST configuration areas (CI/CD, On-demand, Manage DAST scans) to improve the relationship between CI/CD & On-demand configuration.

Intended users

  1. Sasha (Software Developer)
  2. Sam (Security Analyst)

JTBD

  1. When I am configuring a CI/CD security scan, I want to specify which assets need to be scanned and under which circumstances, so that I can ensure my assets are secure prior to or at their release.
  2. When I am configuring a security scan, I want to specify which types of vulnerabilities the scan should detect, so that we don't waste time sorting through irrelevant findings.
  3. When I am either enabling or configuring a security scan, I want to run a demo scan, so that I can validate my configuration before it is implemented.
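For reference, this is what the three jobs above map to in the CI/CD configuration that the UI ultimately generates. It is an added example written for this issue, not a file from the GitLab project or from the DAST template itself; the variable names are GitLab's documented DAST template variables, and the hostnames and exclusion path are placeholders.

```yaml
# Added example (not from the issue): a minimal .gitlab-ci.yml that exercises the
# three JTBD with GitLab's DAST CI/CD template. Hostnames are placeholders.
include:
  - template: DAST.gitlab-ci.yml

variables:
  # JTBD 1: which asset to scan.
  DAST_WEBSITE: "https://staging.example.com"
  # JTBD 2: what to look for. A passive scan only inspects responses; setting
  # DAST_FULL_SCAN_ENABLED to "true" adds active checks, which send attack
  # payloads and take longer, so keep it off anything production-like.
  DAST_FULL_SCAN_ENABLED: "false"
  # Keep the crawler away from paths that log the session out or cause side effects.
  DAST_EXCLUDE_URLS: "https://staging.example.com/logout"

dast:
  # JTBD 1: under which circumstances. Overriding rules replaces the template's own
  # rules, so the job runs only where listed here.
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    # JTBD 3: on any other branch the job is available as a manual, non-blocking
    # trial run so a developer can validate the settings before they take effect.
    - when: manual
      allow_failure: true
```

Every option in the block corresponds to a field the redesigned UI must explain: the target, passive versus active checks, exclusions, and the pipeline conditions. Note that a full (active) scan against a shared environment can modify data, which is why the example defaults it off.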

Additional information

  1. DAST API has been combined with API fuzzing to create the API Security category. Should the DAST configuration workflow separate website scans from API scans? Does this impact profiles?
  2. DAST and fuzzing share the concept of "profiles". We should explore how to unify the concept going forward.
  3. More to be added...

Related Research & Recommendations

Proposal

Labels: UX, group::dynamic analysis, Category:DAST, design, devops::secure, section::sec

Edited by Michael Fangman