# Q002 — Barriers to OSS Security Scanning Adoption — Input

## Original Text
What are the primary barriers to adoption of comprehensive security scanning pipelines in open source projects, and what evidence exists for 'security fatigue' — the phenomenon where initial post-incident surges in security tooling adoption (e.g., after Log4Shell) reverse over time? What role do setup complexity, false-positive rates, and maintenance burden play in driving abandonment?
## Clarified for Testability
What are the documented primary barriers preventing open source projects from adopting and maintaining comprehensive security scanning in CI (SAST, SCA, container scanning)? Specifically: (a) Is there empirical evidence for 'security fatigue' — a pattern where adoption of security tooling surges after major incidents (e.g., Log4Shell in Dec 2021) but then declines or plateaus over subsequent months/years? (b) What evidence exists regarding setup complexity, false-positive rates, and ongoing maintenance burden as drivers of security tooling abandonment in OSS projects?
## Embedded Assumptions Surfaced
- Assumes 'security fatigue' is a documented or measurable phenomenon, not just anecdotal.
- Assumes barriers can be disaggregated into setup complexity, false-positive rates, and maintenance burden.
- Assumes Log4Shell (Dec 2021) is a useful reference point for measuring adoption surges.
## Scope
| Dimension | Value |
|---|---|
| Domain | Software engineering — security tooling adoption and abandonment in open source |
| Timeframe | 2021-2025 (post-Log4Shell era) |
| Testability | Answerable through surveys (e.g., FOSS Contributor Survey, GitHub Octoverse), longitudinal CI configuration studies, and tool-specific adoption telemetry. |
## Vocabulary Map

- Primary Terms: security fatigue, tooling abandonment, false positive rate, setup complexity, maintenance burden, security scanning adoption
- Domain Variants: alert fatigue, tool fatigue, security tool churn, DevSecOps barriers, scanner noise
- Related Concepts: Log4Shell, Log4j, supply chain attack, shift-left security, developer experience, DX, toil