2023 – 2024 // Professional // Design, Computer Science, and Human-centered Design

An internal vulnerability dashboard aimed at empowering developers to understand, remediate, and remove vulnerabilities affecting their applications. The application ingests information from internal microservices and other security APIs, in order to consolidate all data in one place. Served as UX lead and engineer, interfacing with development teams to understand their needs and working with the team to update page layouts and functionality to ensure maximum usability.
– Objective –
Create an intuitive dashboard that allows for developers to see how to remediate affected applications as well as create a more fluid pipeline to root out false positives and create exceptions for exempt applications.
The service should allow developers to act on remediation suggestions from Snyk and GitHub Code Scanning, as well as contact risk teams to assist in flagging false positives for their applications.
The ultimate purpose of the application is to give more power to developers and reduce friction with current processes that don’t allow for proper actions or visibility on the developer’s part, creating a more proactive process.
– Approach –
Use human-centered design methodologies and design procedures to create a more impactful final product that fits the needs of the teams that will be interfacing with the service.
Understand and empathize with app development and risk teams to create a more effective process that uses language and steps that are familiar to both teams.
– Work Completed –
The first step was to understand the ask. One of the main obstacles during the development of Candy Mountain was the state of management and my team. Manulife had gone through many re-orgs and the overall state of the team was very turbulent. My goal was to develop a set of personas and use cases so that we could communicate the intentions of Candy Mountain very clearly to the ever-changing leadership.
Since my team was mainly composed of associate-level engineers, myself included, we didn’t have an official product owner or project lead. With a lot of ambiguous project requirements and lack of official leadership, I contacted a few engineers to work through the target audience and created some personas to assist my team.
Personas / User-stories:
- App Developers (Developers, App Owners)
  As an application developer, I need a real time representation of my application’s current vulnerability status and actions my team can take, so that I can ensure security compliance and overall application health.
- Risk
  As a risk champion, I need to assist teams with remediating vulnerabilities and accept incoming exceptions or false positives, in order to ensure the security of Manulife’s catalogue of applications.
- Release Management
  As a release approver, I need to make sure an application’s compliance status is appropriate before it deploys to production, so that I can maintain the security health of Manulife’s CI/CD.
The next step was to understand the current process of remediating vulnerabilities, but there really wasn’t one. Most conversations would happen on an individual basis, and the risk team didn’t have the tools to contact individual app owners until it was too late, when an aging vulnerability became urgent. This led to discontent between both parties and was incredibly inefficient. There were two topics frequently brought up in those conversations: “This vulnerability doesn’t seem applicable.” and “How do we fix it?”.
My team had a simple web app already created using a template from Atlantis. We used Go for our back end, Vue for our front end, and MongoDB for our database. Since Atlantis had a repo on GitHub, I was able to pull many assets to create a prototype for my team to reference and use to survey members of our target personas.
The prototype’s goal was to create a reference point that the team could reference during development after I presented it to management. Over three weeks, I met with teams of developers and risk personnel to show them the prototype. This was the most fun I had during the project, since I finally got to put my human-centered design skills to work. Below is the link to the prototype that I presented to management that helped us move on with development.
With the success of the prototype, my team continued working on getting a base version of the service deployed. I helped where I could on the functionality of the service, but my main focus was on updating pages with styling that was consistent with the prototype. A member of my team would usually put together a very utilitarian webpage design, then I would follow up by updating their page following styling from the prototype. Below is one snapshot from development.


We continued development until we created a successful MVP and worked to deploy it onto AKS. This took some time since our team was made up of associates and didn’t have a lead, but with the help of others at the company we were able to eventually deploy the dashboard for internal use.
– Retrospective –
I’m very proud of the work I was able to accomplish on this project, especially since my team went through a lot of leadership changes (we worked on this project under 4 different managers). Our team was made up of a handful of associate full-stack engineers and even with the turbulent development circumstances we were able to get a dashboard deployed and are continuing to support it, even researching ways to integrate GitHub Copilot too.
This project has a negative side to it though. While my team was able to accomplish something that we were all proud of, it came at a cost. We worked under many managers and this project had a very turbulent development; I even worked after hours in order to make the prototype and pitch. The work environment wasn’t great, but I learned to trust and rely on my team to work through the management situation in order to make something that had an impact.
When we started this project we were on a team that had the resources and the support to give to us, and as we got shuffled around, that slowly faded. Through this project I’ve seen many team dynamics and working conditions. Even though I was able to support my team and work through it all, I’ve learned a lot about the work cultures that work best for me, and the types of leaders and co-workers that I value working with.
