Hyun

My work and me

About Me

Hello, my name is Hyun — I am a designer and technologist creating symbiotic relationships between information and people. I am currently working with researchers, engineers and designers at IBM Research in Yorktown Heights, New York.
If you have any questions or have something in mind for discussion, please don't hesitate to contact me.


IBM AppScan Enterprise

2013-14 — Commercial :: Technologist and User Experience Designer working at IBM

Teaser image for the AppScan Enterprise project.

SYNOPSIS: IBM AppScan Enterprise's goal is to enable security analysts in large companies/enterprises to manage the sheer volume of security vulnerabilities that exist within the development and upkeep cycles of software.

Major Skills Applied

  • Visual Design
  • User Experience
  • Front-end Development
  • Ad hoc Technology Interpreter

All projects at IBM Design are worked on and produced in teams. My specific contributions for AppScan Enterprise were on visual design, technology research, future envisioneering designs, and applying previously gathered design patterns, research, and technologies to the project.

Problem

"We had to make our own PHP Application to do the job to minimum spec."
—Security Analyst, Fortune 500 Company

100,000 is the average number of security vulnerabilities that security analysts had to deal with per enterprise level application. This number is multiplied by as much as ten to twenty times the amount of vulnerabilities for a Chief Information Security Officer to deal with when overseeing applications and other security related activities within the company. The old AppScan Enterprise was a tool with an outdated interface that did not conform with users' work-flow. The technology of AppScan Enterprise required multiple seconds of waiting time for even the simplest of commands and events. As one of the first products to tackle at IBM Design, it was the responsibility of the "Security" design team that I worked with to do what we could to alleviate the most important problems for the users of the product. Parallel with product development, we were constantly researching and imagining the future of application security for our users.

The personas below were crafted by the involved designers and researcher from banking and enterprise IT companies in North America and Western Europe. The data gathered to create these personas involved shadowing and interviewing current as well as prospective clients.

Designing a way to create multiple work surfaces as well as a reporting platform was the name of the game for AppScan Enterprise. The work surface needed to empower the security analyst in a way that they could get to the core problem in an application, prioritize it against other applications and distribute the issues to developers in charge. Current work-flow involved the analyst going through an excessive amount of vulnerabilities.

  1. Scan Application
  2. Configure and prepare to import the scan results
  3. Import scan results
  4. Triage the results and prioritize them. *This was an extremely tedious task because the UI did not differentiate the results enough
  5. Manually bundle the issues
  6. Find the developer in charge of the application
  7. Send the bundle to the developer
  8. The developer at this point would have to manage these issues manually, as AppScan Enterprise does not integrate with a bug tracking system

Within the limits of the design period, the design team organically focused on the experience, visual delivery, and improvement of the technical foundation in the original code base. We designed around organizing, prioritizing and viewing the security vulnerabilities at multiple levels; including the company/portfolio, business unit, and application levels. Among the drafts of the design, contextual inquiries and other user research data showed that the most time spent on AppScan Enterprise, as well as other efforts to create custom scripts around the product, was when the issues needed to be triaged by the analyst. From the as-is user flow, #1-#7 have been largely improved.

Process

GROWING PAINS: This was the first project during my time at IBM Design. Fresh out of school with only three months of training, I was immersed quickly into the immensely complex space of cybersecurity for one of the largest software companies. Almost immediately I noticed that both the front and back-end code base was outdated, and the willingness of developers to learn new code was reluctant at best. Internal political struggles were plentiful with IBM Design, as the organization was one of the newest at the company. Despite all the hardship given by the development and project management team, and perhaps due to the diligent work of an extremely competent manager, the design team was able to produce high fidelity collateral (such as interactive prototypes backed with user research). This later had very positive reception and produced a good outcome from the AppScan Enterprise team.
Legacy software was one of the biggest inhibitors of the designs being executed correctly. The UI code was basically created using a toolkit using the Dojo framework. While Dojo is actually quite useful and fast when used correctly, elegant execution was the missing piece in the development process. The poor HTML structure and the lack of software accessibility and proper CSS integration were very hard to deal with. The design team had to focus on creating a design "patch" that was delivered to the development team and bandaged before release. As this was one of the first commercial products taken by IBM Design, there were some shortcomings in the team's role distribution. Along with being a user experience designer, I had to tackle the technology aspect and role of front-end developer.

  1. Liz, Design Lead :: UX and Visual
  2. Elizabeth, UX and Visual Designer
  3. Patrick, UX Designer and User Researcher
  4. Hyun, UX Designer, Technologist and Front-end Developer
  5. Development Team (10+ Canada)
  6. Product Management (1 USA, 1 Canada)

Being a developer and understanding security related code problems allowed me to understand the technology relatively well. Paired with the research material gathered from users, several patent-pending technology and design ideas were born from this project. All of the new ideas were aimed at improving the security analyst's ability to consolidate and mitigate security vulnerability issues, such as reducing steps in the to-be designs, as well as proposing new methods to surface additional valuable data that is missing from the existing offering. Later in the project, I also lent a hand on production code because the existing developers were not versed in modern front-end web stacks.

Aftermath

RESULTS: AppScan Enterprise served many times as a case study for design teams across IBM Design on how to and how not to collaborate with developers. It proved to be the example for further planning and execution of designs. One of the most constructive results of AppScan Enterprise was that many products (especially in the IBM Security division) are shifting away from Dojo and into newer technologies like Angular, jQuery, Node, and NoSQL. Another positive outcome was that the "new" design team gained a fair amount of respect among developers and executives. Such can be seen in another IBM product I contributed to: X-Force Exchange, which uses state-of-the-art technologies with an impressive architecture that is specifically designed for the cloud.

Final Product

Screenshot of a vulnerabilities list in an application added by the security analyst ordered by risk.
Screenshot of a vulnerabilities list in an application added by the security analyst viewed by "new" issues.