Fossa

Issues Upgrade

FOSSA is an SCA (software composition analysis) platform that scans customer software to find instances of borrowed code (open source packages), identify security vulnerabilities or licensing issues resulting from those packages, and remove them before the code is pushed to a live product. A key product value is identifying issues and providing issue remediation options and support for our customers.

Situation

Data insights showed less than 5% engagement with Fossa’s issue remediation feature by key enterprise accounts. This was a clear signal to our sales and product teams that the issue workflow was broken and that these customer accounts were at risk of churning in the approaching quarters.

Task

Evaluate, understand, and redesign the Issue workflow with a focus on increased engagement, intuitive workflows, and measurable outcomes for our users on a time scale of weeks, not quarters.

This will position us to have clear value for both users and buyers well before contract renewal, which will help us avoid churn.

Action

Collaborate between design, product, and engineering teams as well as key accounts and subject matter experts.

Distill these learnings into experience solutions that manage large issue counts, clarify issue context, streamline user communications and actions, and resolve or decrease total issue counts.

Hand off right-sized designs, support engineering through the build process, and measure outcomes with customers once launched.

Result

Qualitative customer feedback was very positive, we achieved an 8.7% decrease in security issue counts, and 23.7% engagement with the new issue filtering component.

Research

Kickoff

Key progress indicators that guided our design efforts:

+100% engagement with issue actions (resolve, export)

20% of issue page visitors engage with issue filters (new feature)

-10% active issue count on new code revisions (demonstrates the new issue system is decreasing issue counts overall)

-50% churn associated with issue resolution (need strong collaboration with sales and account reps)

Early Insights

  • Lots and lots of data in a single view (where do I start?)

  • Relationships are hard to understand: issue, dependency, license, file, vulnerability

  • Scary Resolve button (what does it do?)

  • “Sea of red”

  • Good context with verbatim text and dependency remediation

Discovery

  • Interviewed post-sales (customer success and support) and product managers (weekly customer calls) to extract major themes

  • Reviewed internal tools (Gong, fullstory, Zendesk) discussions associated with issues

  • Researched competitors for patterns in issues

  • Mapped customer journey with design and product to highlight critical moments and pain points for users

Reframing the Problem

Only some issues matter

Open source software posture and protocol vary by customer and use case across issues and the policies that generate them.

Ford does not equal Uber

Resolve action is too broad

Users need to manage issues based on a variety of use cases: zero-day event, high severity + actionable, false positive, low severity, no fix.

Issue discovery and removal are done by different users

“Finders” (Lawyers, Security Developers) need to interact with “Fixers” (Software Developers).

team sport

Enterprise use cases need support

Large orgs + lots of issues = load and management problems.

Redesign

Split the issue list and issue detail into separate views to optimize the workflow

Research takeaway

Issue Inbox

We used an email inbox mental model to discover, prioritize, and organize issues for our “finder” personas

Show more
Highlight the appropriate data to communicate an issue’s shape and relevance with optimized issue rows and data table.

Control more
Bring unmanageable issue counts to a prioritized and actionable list with filters.

Do more
Organize issues based on your and your team’s needs and workflows with contextual actions.

Actions are a team sport

Collaboration between “finder” (lawyer/security) and “doer” (developer) gets better with optimized views for their part of the process.

Issue Details

Highlight critical data, provide immediate actions, and provide a data deep dive for our “fixer” persona

Prioritized and organized
All high-level, critical data is immediately available on the overview tab, with additional data context, relationships, and references close by.

Package details
View package-related data and relationships to understand this issue’s origin.

Smart suggestions
Take immediate action and understand the context of those actions.

Organizing content

Reducing visual noise while organizing and prioritizing data by personas.

Left: vulnerability base metrics help developers determine if their code is vulnerable

Right: affected project list helps lawyers and security devs know the effect of the issue and whether more teams/devs need to be contacted

Product design process: Ignore action

Ignore issue action button and dropdown menu

Problem
Too many issues cause decision paralysis.

Goal
Provide issue management tools to organize issues by user need and bring down their issue count.

Research
Data: less than 0.36% engagement with resolve action during the issue workflow.

Customer interviews: Security Developers (persona: devsec) say not all issues are actionable:

  • No current fix.

  • The dependency’s depth doesn’t allow easy access.

  • No available resources to invest.

Competitive analysis: other tools like Snyk provide more flexibility and granularity to address this grey area of the workflow.

Hypothesis
If we provide additional actions that address a “pause” in the workflow, which can be triggered by external events (fix published in NIST, new code revision) or a user-determined time interval, then users can manage non-actionable issues and decrease their overall active issue count.

Opportunity
Create an Ignore action with more user-defined flexibility for timing, availability of a fix, new revision, or escalation of severity.

Outcome
Still building, pushed 1 quarter.

  • Note: this could have an outsized benefit for customers and may have been a better functionality tradeoff than a full redesign.

Launch & Impact

  • Qualitative: customer feedback was very positive

  • -8.7% on active security issues

  • 23.7% engagement with new issue filtering component