Pipeline Security Group - JTBD

The jobs-to-be-done that the Pipeline Security Group is solving for.

Overview

The goal of this page is to create, share and iterate on the Jobs to be Done (JTBD) and their corresponding job statements for the Testing categories within the Verify Stage. Our goal is to utilize the JTBD framework to better understand our buyers’ and users’ needs.

Goals

Utilize JTBD and job statements to:

  • Understand our users’ motivations.
  • Validate identified use cases and solutions.
  • Continuously test and iterate features to ensure we are meeting our customers’ needs.
  • Create a transparent view for our stakeholders into the current and future state of the product.

Jobs To Be Done

Store, update, and access non-sensitive data for development environment use.

When running repetitive tasks, I want to store the values that I am required to input each time so I don’t have to remember and manually input them each time.

Micro Job Job statement Maturity Confidence Source
When feeding in reusable values to a development environment, I want to have control over those values so they cannot be accessed by other environments and result in a security concern. Grade -
When architecting automated task configuration in order to perform complex operations without scripting those tasks each time, I want to be able to define the reusable values so that they are dynamically inherited across all hierarchies of the tasks across repositories for a seamless experience. Grade -

Integrate with existing credential management solutions

When handling sensitive credentials, I want to have the liberty and flexibility to use a tool of my choice so I do not have to reconfigure my system architecture.

Micro Job Job statement Maturity Confidence Source

Securely manage sensitive credentials

When I am deploying changes to environments outside of GitLab, I want to easily authenticate and pass the appropriate credentials between GitLab and the other environment without exposing the credential, so I can deploy my changes to production quickly and securely.

Micro Job Job statement Maturity Confidence Source
When I am working with tokens or passwords, I want to keep those sensitive credentials private and avoid revealing the values in an audit log or to other developers, so I can maintain security best practices and avoid a breach of data. Grade - Researched Issue
When I am enforcing compliance standards for the handling of sensitive credentials, I want to be able to set automated value/credential rotation so I can avoid disrupting developers’ workflows and/or being in breach of compliance. Grade - Researched Issue
When I am enforcing compliance standards for the handling of secrets, I want to set the appropriate access policies and permissions to ensure only the authorized users and services have the correct level of access to sensitive credentials. Grade - Researched Issue

Easily access sensitive credentials for quick deployment to production.

When I am using sensitive credentials for automated tasks, I want to be able to access those credentials easily and from a single place so I can deploy my changes to production quickly.

Micro Job Job statement Maturity Confidence Source
When I am accessing a system to deploy my change to an environment, I want to be able to do so without leaving my CLI to log in, so I can deploy my changes to production quickly. Grade -

Demonstrate compliance

When reporting on our security practices, I want to have easy access to an audit of the secrets access and management activity in order to demonstrate security compliance.

Micro Job Job statement Maturity Confidence Source

Use Artifacts to debug pipeline failures

When new or existing jobs are failing, I want to be able to easily trace the failures back to code, so that I can fix them quickly and get back to pushing features into production.

Micro Job Job statement Maturity Confidence Source