Redesign of Vulnerabilities feature

Threat Stack’s CVE (Common Vulnerabilities and Exposures) assessment and reporting tool

Overview

Threat Stack was a cloud security startup, helping companies to proactively detect risks, vulnerabilities, and threats across cloud workloads. Vulnerabilities (also referred to as CVEs - Common Vulnerabilities and Exposures) was one of the features of the Threat Stack application. This feature showed users if they had any known vulnerabilities in any of the packages installed on their virtual servers. If there were fixes available for any of the vulnerabilities, the user could take steps to remediate the vulnerabilities.

Goals

  1. Make the Vulnerabilities feature more visible/easier to find within the Threat Stack application

  2. Make the Vulnerabilities data easier to filter to more easily find the most pressing vulnerabilities on which to take action

Users

The target users of this feature of the application were security teams (SecOps) and DevOps who use it to identify, prioritize and remediates CVEs (Common Vulnerabilities and Exposures) across cloud workflows. They need continuous monitoring for compliance and threat management, and use this feature to ensure that vulnerable systems are patched quickly without interruption to deployments.

Project Details

My Role: Lead UX Designer

Project Duration: ~3 months

Team: I collaborated closely with the Product Manager on the requirements. I consulted with another UX designer and UX researcher, who had already done initial user research on this feature before I came on board.

Methodologies: Discovery research, wireframing, prototyping, design iteration

Tools: Sketch, Invision

Industry: Cloud security

Impact

I delivered a fully conceptualized design for improving how users manage vulnerabilities. My proposal included a more intuitive navigation structure, reorganized data presentation around CVEs to align with real user workflows, and introduced persistent filtering for easier vulnerability tracking and prioritization.

Original design

Vulnerabilities feature is hidden within Servers tab and does not have its own tab on left-hand toolbar

This is the original Vulnerabilities feature, prior to the redesign. 

The Vulnerabilities feature is hidden within the Servers tab on the left-hand toolbar. If the user is on another tab, there is no way to see that this feature is available, or access it in one click.

Vulnerabilities, also called CVEs (Common Vulnerabilities and Exposures) are organized by package, but users said it would be more useful if this table was organized by CVE.

Capability to filter Vulnerabilities by different attributes is not always available

If the user wishes to filter the table by a particular attribute, the filtering capability is in a pane on the right-hand side that opens and closes, and therefore is not visible at all times.

Redesigned screens address issues with the original design

The screens shown here are the proposed redesign of the Vulnerabilities feature. The redesign gives the Vulnerabilities feature a spot on the left-hand toolbar (where it is called “Vulns” for short), making it a more prominent feature of the application, and not hidden within the Servers tab.

The redesigned table is grouped by CVE ID rather than by package, which is a better representation of how users think about Vulnerabilities. One CVE ID can have several different severities, depending upon the operating system (OS), and the redesign better reflects this.

I rethought the filtering functionality: drop-down menus of the attributes by which the user can filter are shown right above the Vulnerabilities table, and are always visible and available, rather than sometimes being hidden in a side panel. The currently applied filters are always shown above the table as well.

I created a clickable prototype of the filtering functionality in action to demonstrate how it would work, and to show that it was possible to filter on multiple attributes at once.

Reflection and future direction

Although the Threat Stack Vulnerabilities redesign was put on hold due to a shift in priorities, and not implemented while I was at the company, I had delivered a fully conceptualized and validated design direction. I created a more intuitive and discoverable navigation structure, reorganized the presentation of data around CVEs to better align with user workflows, and introduced persistent filtering for easier vulnerability management.

The redesigned feature was ready for usability testing with cloud security professionals and positioned to significantly improve feature visibility, efficiency, and overall user experience.

If the project had continued, I would have proceeded iteratively, tweaking the redesign based upon what I learned from usability studies, and engaging with the engineering team early on to gather and incorporate their input in terms of technical challenges of implementing the design. I also would have ensured that the design accounted for any edge cases.