Security Engineer customer survey
#### What did we learn?
<!-- Add information for this section after the research is complete. -->
| Results |
| ------ |
| `2-3 sentences to summarize the results` |
| `Link to Dovetail project` |
---
#### What's this issue all about? (Background and context)
We have a few outstanding questions for security engineers we could use some feedback on, and a survey is a fast and easy way to collect this feedback.
At the end of the survey, we'd also like to ask if they're interested in providing ongoing feedback on upcoming Secure features at GitLab, and if so, how (e.g. synchronous calls, Slack channel, surveys via email). This will allow us more ways of getting quick feedback (both problem and solution validation) without always having to schedule formal research (which can be time- and resource-consuming).
#### What are the overarching goals for the research?
- Identify most common filter queries
- Identify most helpful way to drill into identifier and location for filtering and grouping
- Learn about how the security tab of the pipeline page is currently used and identify things that are working vs things that are not
- Identify preferred default filters (e.g. should the activity filter default to "still detected"?). This will become redundant when we have [customizable saved views](https://gitlab.com/gitlab-org/gitlab/-/issues/267572) and [Auto-resolve vulnerabilities when no longer detected](https://gitlab.com/gitlab-org/gitlab/-/issues/233846).
#### What hypotheses and/or assumptions do you have?
- We'll need to offer some kind of subfilters/ subgrouping for location and grouping, and doing so will enable us to offer a lot of value to a sec engineer's workflow
- Users will ask for functionality on the security tab of the pipeline page similar to that of the Vulnerability Report
#### What research questions are you trying to answer?
- **How should we handle [grouping by Identifier and Location](https://gitlab.com/gitlab-org/gitlab/-/issues/267588/designs/design_1657122713305.png#note_1023712182)?**
  - For location, Matt and I discussed maybe a subfilter to scope to either directory or file. Or, if the tool is scoped to Container Scanning (only), we can also show grouping by Location > Container image. (For the latter, how might we surface this functionality?)
  - For identifier, we discussed a subfilter for "Primary", "Any", "CWE - most specific", and "CWE - least specific"; referring to the chart on the CVE.mitre.org website [here](https://cwe.mitre.org/data/pdf/1000_abstraction_colors.pdf).
  - Would these be helpful or something else?
- **How do they use the security tab in the pipeline page?**
  - Related issue: [User research: Vulnerability management in the pipeline security tab](https://gitlab.com/gitlab-org/gitlab/-/issues/366463)
- ~~What are the most desired and most realistic combination of filter queries?~~
  - ~~We'll use the response to build out 2 or 3 of the most complex responses for the filter prototypes for usability testing. This would let us provide a lot more guidance—and guardrails—to the FE team if we do ask them to help mock up an interactive prototype, and may lead to not even needing their help (if the queries are simple enough to mock up with a design prototype).~~
- TBD
#### What persona, persona segment, or customer type experiences the problem most acutely?
Security engineers and developers who engage in appsec tasks
#### What business decisions will be made based on this information?
UX/ UI decisions in the product
#### What, if any, relevant prior research already exists?
[Research insights: Vulnerability Report features](https://dovetailapp.com/projects/T0M0OrFCUjhxzoBFPLiMh/v/4FXR1mxEkUZ7fq7Tj1nxaU/present)
#### What timescales do you have in mind for the research?
Send out and collect responses in %"15.4"
#### Who will be leading the research?
Becka Lippert (Sr Product Designer, Threat Insights)
#### Relevant links (opportunity canvas, discussion guide, notes, etc.)
[Design: Advanced filtering & search on the Vulnerability Report](https://gitlab.com/gitlab-org/gitlab/-/issues/342079)
[Design: Vulnerability Groups](https://gitlab.com/gitlab-org/gitlab/-/issues/267588/)
[Problem validation: Vulnerability management in the pipeline security tab](https://gitlab.com/gitlab-org/gitlab/-/issues/366463)