Enhancing Repository Firewall for Developer Empathy
Company: Sonatype
Role: Product Designer
Industries: DevSecOps
Year: 2024
Company & Product Background
What is Sonatype?
What is Repository Firewall?
Repository Firewall is a Sonatype product that acts as a first line of defense, using AI/ML to analyze open-source components and block the download of malicious packages or components that violate a company's security policies.
How might we improve the Firewall quarantine experience to work with, rather than against, the developer workflow, empowering developers to maintain both code quality and efficiency?
Goal
Enhance the Repository Firewall experience to seamlessly integrate security measures into developers' workflows, minimizing friction, maintaining efficiency, and ensuring code quality without compromising protection.
Problem
Developers often feel that security is actively hindering their ability to do their jobs effectively.
Although the Firewall is typically purchased and managed by administrators and security teams, developers are the ones most directly impacted by its functionality. The product's design, language, and metrics often cater to the security persona, overlooking the specific needs of developers.
Advocating for the Developer
The first phase was all about understanding the developer perspective. I started by reviewing the existing developer persona in our database, providing a foundational understanding of their needs and motivations. Then, I went straight to the source.

Joshua
Software Developer
“Development is more than writing code, it’s also understanding complex problem spaces, and being able to formulate solutions to solve problems in an efficient and effective manner.”
Goals
Sprint Delivery: I need to know what work I am expected to complete during my sprints so I can deliver on my deadline.
Build Software Efficiently: I want the shortest path to meeting my assignments.
Keeping Up With Useful Knowledge: With rapidly changing technology, I want to stay up to date with evolving software engineering skills. I learn from the internet and those working in my field around me.
Expectations
Keep software running smoothly by introducing as few bugs as possible
If my managers want me delivering on time, they should be removing blockers - like other departments or a lack of component choices
Nice to have: Documentation must be adequately logged to ensure searching and accessing that information is convenient.
Pains
People moving too slowly is annoying to him. He needs people and tools to either keep up or get out of his way.
Not having enough time to complete tasks and sacrificing code quality
His organization has an unnecessarily high amount of tool sprawl, which is a lot to keep up with
The perpetual challenge of context switching throughout his day requires a lot of energy
Metrics
Velocity: How much can I get done in one sprint - sometimes measured by “story points”
Cycle time: How much time is spent working on a specific task
Code Execution: I want my code to execute 100% of the time and ensure I haven’t introduced any bugs
Code Churn: A measure of code quality - how often does a particular bit of code need to change?
I interviewed 3 Developers from our customer base to gain insights into their experiences with Firewall. While I would have liked to speak with more customers, I struggled to get responses from external participants.
To supplement this feedback, I also interviewed internal experts with developer or customer success backgrounds.

Synthesizing Feedback Into Key Themes
Using Dovetail, I meticulously categorized the feedback from these interviews into Pain Points, Delighters, Feature Requests, Observations, and Key Quotes. This allowed me to synthesize the key takeaways from each interview and identify recurring themes, revealing the most pressing issues and areas for improvement.

“Lacking component insights: last download, who and where components are being used, etc. to better understand impact.” (Developer, Customer Interview)
“More information that's available in the rest of the product suite should be surfaced in Firewall.” (Developer, Customer Interview)
“Developers aren't given direction or feedback on where to go next; this investigation work is given to DevOps.” (Engineer, Internal Interview)
“Firewall should make it clear what the best path forward should be when it comes to remediation.” (Developer, Customer Interview)
“There is a lot of time spent trying to assess business risk with limited feedback for why things are blocked.” (DevOps, Customer Interview)
“Existing features in Firewall aren't sufficient to help devs choose the best version upgrades, which results in wasted upgrades.” (Developer, Customer Interview)
Prioritizing For Impact
Working closely with the Product Manager and Tech Lead, we mapped these key takeaways onto an Impact/Effort matrix. This collaborative exercise helped us prioritize focus areas and define user stories for this initiative, ensuring we focused our limited resources on the improvements that would have the biggest impact.

Given limited engineering capacity, we opted for a smaller-scale, targeted UX enhancement for this initial milestone. We focused specifically on the information presented in the Quarantine Component View – the primary page developers access for details about quarantined components. This allowed us to address the most critical pain points quickly and efficiently.
Information Hierarchy
Evaluating highly requested information and making it easily accessible.
Focus On Remediation
Provide Developers with a clear and easy path forward.
Empowerment
Ensuring Developers can access necessary information without relying on DevOps.
Final Solution
Quarantined Component View: Developer's Guide to Next Steps
Providing more context and visibility for Developers to assess the impact of quarantined components and make informed decisions about how to proceed, leading to faster resolution times for security issues and a smoother, more collaborative development process.
Additional Component Insights
Timestamps for component requests, quarantines, and evaluations to track component usage.
Improved Information Hierarchy
Surfacing highly requested information, such as Highest Policy Threat, at the top of the component comparison table.
Highlight Recommended Path
Show top remediation recommendation first so Developers can spend less time assessing options.
Safe Component Recommendations
Provide other versions that are already being used in the organization.