FY22-Q4 UX KR: Define and validate JTBD for FY22-Q1 DAST CMS
What’s this issue all about?
By the end of FY23-Q1 DAST is planned to reach complete maturity.
Step 0 of the Category Maturity Scorecard process states that there must be a defined and confident JTBD(s) to judge the quality of experiences against. This issue is focused on defining and validating 1-2 high-priority job statements to properly prepare for the upcoming Q1 CMS evaluation.
From gitlab-com/www-gitlab-com#12492 (closed)
Who is the target user of the feature?
- Primary users: Sam (Security Analyst)
- Secondary users: Sasha (Software Developer)
What questions are you trying to answer?
- Are there 1-2 high-priority job statements defined on the Secure & Protect JTBD page that are relevant to DAST's feature set?
- If not, what needs to be done to define relevant job statements?
- Do we have a high level of confidence in the identified job statements?
- What existing research or work has been done to support the confidence level?
- Are there any upcoming initiatives that will impact the confidence level of the job statement?
- Does additional research need to be conducted to increase confidence in the identified JTBD?
What decisions will you make based on the research findings?
- We will decide which JTBD statements should be used for the upcoming DAST CMS study
✨ The Results
The 2 JTBDs that will be used for the upcoming DAST CMS are listed below along with some additional detail about the level of confidence and the related research. The findings indicate that there is a high level of confidence in both of the selected JTBD. No additional research should be needed prior to the Q1 DAST CMS evaluation.
Both job statements were utilized for the DAST to Viable CMS and represent foundational needs for the application security testing category.
JTBD 1:
When I am ready to release changes into production, I want to verify it is safe to release, So that I can release the changes responsibly.
This job statement has already been tested and was given a maturity grade of A. The supporting research doesn't explicitly validate this JTBD but there is high confidence that this job is valid.
JTBD 2:
When I am assessing the security of my application in production, I want to know whether my app is currently vulnerable, So that I can address detected business-critical vulnerabilities
This job statement has been researched, but the insights from that research have not yet been documented (the PM and UXR have been pinged to discuss completing the insights). Nevertheless, there is evidence in that research to support the need for manually scanning a production environment for vulnerabilities.
It's also worth noting that addressing this JTBD is stated as a key goal on the DAST category direction page. It states: "We also want to ensure that the production environment is always secure by allowing users to run an on-demand DAST scan on a deployed app even if there is no change in the code."