Q002 — Barriers to OSS Security Scanning Adoption — Assessment
The primary barriers are: (1) lack of awareness of available security tools and features; (2) the perception that security tooling is not necessary; (3) out-of-the-box false-positive rates of 60-91%, which create alert fatigue; (4) supply chain mistrust and lack of automation. Direct empirical evidence for temporal 'security fatigue' (a post-incident surge in adoption followed by reversal) was not found. Log4j data shows persistent vulnerable consumption declining slowly (from 30-35% to 13% over three years), which is consistent with gradual attention decay but not with a clear surge-and-reversal cycle.
Evidence Synthesis
Evidence quality: Medium — One strong academic source (the maintainer security study) directly addresses barriers to security tooling adoption. The Pixee vendor blog provides useful data on false-positive rates but with high conflict of interest. The Sonatype Log4j data provides indirect evidence of adoption decay. No direct longitudinal study of post-incident security tooling adoption and decay was found.
Source agreement: Medium — The academic study and the Pixee blog converge on the conclusion that awareness, perceived necessity, and false-positive rates are major barriers. The Log4j download data from Sonatype provides indirect evidence consistent with gradual but incomplete remediation. No sources contradict each other, but they address different facets of the question.
Independence: Moderately independent. The academic maintainer study uses a unique methodology (surveys + interviews of advisory database maintainers). The Pixee blog cites Ghost Security and OX Security benchmarks. The Sonatype data comes from their own telemetry. These are genuinely different evidence streams.
Probability Assessment
Confidence: Medium
Evidence Gaps
Expected but not found:
- No longitudinal study measuring security tool adoption before and after Log4Shell was found.
- No empirical measurement of 'security fatigue' as a temporal phenomenon was found.
- No data on CI security tool setup time or maintenance burden was found.
- No study measuring CI tooling abandonment rates was found.
Unanswered questions:
- Is 'security fatigue' (post-incident surge followed by decay) a measurable phenomenon, or just an anecdotal observation?
- What is the typical time from CI security tool adoption to abandonment?
- Does zero-configuration tooling (like GitHub's auto-enabled Dependabot alerts) have better retention than opt-in tools?
Impact on confidence: The gaps reduce confidence primarily for the 'security fatigue' sub-question, where the answer is based on indirect evidence and inference rather than direct measurement. The barriers sub-question has stronger evidentiary support from the academic study and false-positive rate data.