Early discussion on foundational research for Secure: focusing on developer engagement

As UX Researchers are now required to devote time to conducting foundational research, I have chatted with members of the Secure UX team and asked what research questions they would like to see addressed. Here are selected questions that were raised by the team, for which they would like to see research done:

  • How much effort do we need to devote to educating developers, to get them to shift left?
  • Should we provide training on how to shift left?
  • What is our 'foot in the door' to get developers to start using Secure features, and how can we then increase their adoption of other Secure features?
  • What is our onboarding experience like for Secure features?
  • How do we demonstrate the value of Ultimate?
  • How do we get buy-in from devs (the people in the trenches)?

These questions are mostly aimed at getting developers to engage more with, and appreciate the value of, Secure features. However it could be argued that a prerequisite for tackling onboarding and training developers is first figuring out what their organizations would appreciate seeing them do. In other words, understanding which metrics would be helpful and of interest for organizations as a way of measuring their own maturity, would allow us to later on know which specific behaviors we want to encourage in developers. The immediate question then changes from 'how do we get developers to use our Secure features', to 'How can we empower organizations to elevate and track their DevSecOps maturity'. Another way of asking the latter is: 'What are the organizational milestones comprising the shift left and what is their impact on stakeholders`.
Once we know what dev behavior organizations want to track, we can pick up the important questions we have around getting developers to behave in a more secure way with newly found focus.

This twofold need of both empowering orgs to track their progression as well as encouraging developers to act in a more secure fashion was wonderfully captured by @matt_wilson in this issue. In fact, the thoughts expressed in the above paragraph are merely my take on Matt's ideas (thank you Matt!).

Next steps are to discuss with @david whether this general research area is of interest, and if so, start to refine the scope and research questions.

cc:

Edited by Adam Smolinski