Driving continuous improvements in security risk visibility
about
Before I joined Border, my team was tasked with redesigning Viasat’s Security Scorecard. Since then, I’ve worked with our UX researcher to continue to refine the app. In late 2023, we helped to improve visibility into product scoring and more critical vulnerabilities — aligning with an updated scoring algorithm.
my role
Worked with stakeholders to discover their goals and needs
Learned about pain points and helped prioritize those into needs
Designed concepts and hi-fidelity screens for roadmapped features
Enhanced the visibility of Scorecard’s main view and product details pages
agency
Border
Timeline
Nov, 2023 — Mar, 2024
Team
UX: Joel, Myself
Dev: Adrian, Roy, Matt
Overview
Viasat’s Security Scorecard is a tool that helps identify and manage security vulnerabilities in Viasat software products.
Viasat is a global communications company, providing satellite broadband services and secure networking systems for the military and commercial markets. Viasat is a long-term client of Border, and we continue to support Viasat’s Security Engineering team and their product. In late 2023, we collaborated with their team to enhance visibility into security scoring, critical vulnerabilities, and other risks — aligning these improvements with an updated scoring algorithm.
problem
The old scoring algorithm was confusing, and the UI buried vulnerabilities, slowing remediation of the more critical issues.
agile ux
We used an iterative approach — designing to 80%, releasing, and refining based on feedback.
This was a quick turn-around to improve the basic UI structure alongside the internal scoring algorithm updates. To ensure constant motion of the product, we address edge cases directly in the software whenever possible. By collaborating closely with developers and encouraging their input, we reduce the need for constant redesigns and keep the product moving forward efficiently.
assess
The prior UI buried vulnerabilities on product details pages, with no emphasis on which ones to fix next.
An example of the prior product details page UI, displaying mock data.
In the old UI, product teams would have to scroll far to find impacting vulnerabilities, or findings.
We discovered the original scoring algorithm was confusing and penalized products instantly for discovering critical and high-severity findings.
The team learned there were camps of product owners and compliance stakeholders who loved the scoring and those who didn’t. This highlighted the need to balance business decisions with the scoring algorithm through subtle UI/UX improvements.
Echoed from product teams:
Unintended pressure

“I was always an A-class student. Seeing my score drop from a critical finding that just came in makes me feel like I’m doing something wrong even though it’s out of my team’s control.”
Product owner
Scoring as a motivator

“The scoring helps gauge how well [my engineer team’s] remediation is underway. It's an indicator of a means to realize we should be doing more even if there’s in fact a lot to do.”
Security Engineer
We collaborated with stakeholders to help identify small wins that may lead to increased remediation times for product teams.
We suggested:
1. Updating the UI to bring more clarity
The previous UI made it difficult to see vulnerabilities, as they were buried within product details pages. We helped think of ways to emphasize critical and high-severity issues, making them more visible and actionable.
2. Creating communications
We identified that product owners and security champions lacked high-level overviews of important updates about their product. To address this, we proposed designing weekly summary emails to keep stakeholders informed and engaged.
3. Nudging users to ensure vulnerability detection
Without assets and scanners, a product can't detect vulnerabilities. For new products, we wanted to include banners, prompting users to add assets and complete setup for scanning.
The Security Engineering team proposed "grace periods" to provide leniency in remediation time.
This was a significant business decision that our UX team had to consider. The introduction of grace periods would extend the time allowed for remediation before a finding, or vulnerability, impacted a product’s score. This decision aimed to balance the needs of product owners and compliance stakeholders, who had differing opinions on the use of scores in the Scorecard.
finalized updates
See how many critical and high findings are affecting your products at a glance.
Product owners often manage multiple products simultaneously, making it difficult to track critical issues. We enhanced the Scorecard main view table to display the number of currently impacting critical and high findings, ensuring greater visibility. This allows owners and security champions to quickly assess risks without manually diving into each product.
Redesigning the product details page to bring more clarity to scoring and importance to findings.
We redesigned the product details page with a two-column layout to help security teams focus on key tasks. The left column highlights product information and scoring, while the right column prioritizes actionable sections to add assets, comply with FSPs and work on findings. Furthermore, we included clickable summary cards at the top of the page that may display the number of score-impacting critical and high findings.
Creating a separate "Findings in grace period" section for clearer distinction between actionable findings and those impacting the product score.
Separating the findings sections clarifies which need action and which affect the score. This also allows each table to show relevant data, like days remaining before impact.
For newly onboarded products, we implemented nudge banners to encourage users to add assets to start scanning for findings.
Delivering Weekly digest and Ad-hoc emails.
These communications currently help product owners keep track of score changes and new findings.
Takeaways
Clarity drives action.
Even subtle UI improvements can make a significant impact. By simplifying the interface and emphasizing critical information, we helped security teams quickly assess risks and take action.
Balancing business needs with usability
Design decisions must align with both user needs and business goals. Our updates struck a balance between compliance requirements and providing teams with the right level of control and visibility.