Validate idea of Security Code Reviews

What’s this issue all about?

Validate assumptions around the security code review process.

What questions are you trying to answer?

  • What is the current code review process for security engineers and developers who are dealing with vulnerabilities?

What assumptions do you have?

  1. A security-specific code review is necessary to reduce the risk of weaknesses and threats being introduced into the project.
  2. A triage process in the MR is desirable for security reviewers.
  3. The flow prescribed works in real-world applications where vulnerability counts and type can vary.
  4. The language and terms used in code review and triage are common to the industry and are carefully considered across multiple areas of the application for a cohesive experience.

What decisions will you make based on the research findings?

If the general idea is valid, work toward a Product discovery will be initiated.

Insights from the research will be baked into the Product discovery work.

Proposed process (high-level)

  1. Validate or dismiss assumptions: Conduct (3-5) contextual inquiry interviews and light usability testing with the application security team at GitLab, focusing on code reviews and their triage process. Assumptions will be validated here.
  2. Analyze and make a decision on next steps:
  • Iterate and refine: Make changes to the design based on the findings of the study, or...
  • Pivot: to another area of opportunity regarding code review and triage if the research is pointing that way. If it is not, then we can conclude that the first assumption is wrong and we need to bail.
  3. Validate usability: Conduct a short validation usability study in UsabilityHub with the GitLab audience as well as internal GitLab users. (A new issue will be created.)
  4. Finalize: Refine the designs with findings from the study, and create an MVC and follow-up issues as required. (Product discovery issue)

What is the latest milestone at which the research will still be useful to you?

ASAP. Aiming at an early August date to initiate research.


Process & roles

Primary's responsibilities: @andyvolpe
  • Create test plan
  • Draft script
  • Create study materials
    • Wires for usability test created with an accessible link
Support's responsibilities: @loriewhitaker
  • Recruit participants
  • Schedule participants
  • Revise and approve script

Scheduling

Participant Day/Time (UTC) Lead Note taker Link to recording