Q002 — Barriers to Security Scanning: Complexity Over Fatigue — Input

Original Text

What are the primary barriers to adoption of comprehensive security scanning pipelines in open source projects, and what evidence exists for 'security fatigue' — the phenomenon where initial post-incident surges in security tooling adoption (e.g., after Log4Shell) reverse over time? What role do setup complexity, false-positive rates, and maintenance burden play in driving abandonment?

Clarified for Testability

What does the available evidence identify as the primary barriers preventing open source projects from adopting comprehensive security scanning pipelines (SAST, SCA, container scanning, etc.)? Specifically: (1) Is there empirical evidence for 'security fatigue' — a pattern where adoption of security tools surges after major incidents (such as Log4Shell in December 2021) but then declines over subsequent months/years? (2) What is the measured or reported impact of three specific barrier categories: setup/configuration complexity, false-positive rates in security tooling output, and ongoing maintenance burden of keeping security tooling operational?

Embedded Assumptions Surfaced

  • Assumes 'security fatigue' is a real phenomenon — this is itself a claim embedded in the query that should be tested rather than assumed.
  • Assumes Log4Shell is a representative incident for measuring post-incident adoption surges — other incidents may show different patterns.
  • Assumes setup complexity, false-positive rates, and maintenance burden are the primary barriers — other barriers (cost, lack of expertise, organizational resistance) may be more significant.

Scope

Dimension    Value
Domain       Software security — adoption barriers and sustainability of security practices in open source
Timeframe    2021-2025 (post-Log4Shell era)
Testability  Testable via surveys of OSS maintainers, longitudinal studies of CI configuration changes, analysis of GitHub Actions workflow modifications over time, and vendor reports on tooling adoption trends.
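One way the "analysis of GitHub Actions workflow modifications over time" method listed under Testability can be carried out: walk the history of a repository's workflow files, classify each snapshot by the scanning actions it invokes, and diff consecutive snapshots into adoption and abandonment events. Counting repositories with an active scanner at fixed checkpoints then gives the surge-then-decline curve that 'security fatigue' predicts, and the ratio of abandonments to adoptions gives a direct abandonment rate. This is example code written for this card, not code from any study the page refers to; the workflow snapshots, dates, repository names and the action-to-category mapping (SCANNER_ACTIONS) are constructed assumptions, and the mapping is a small illustrative subset rather than a catalogue.

```python
"""Adoption/abandonment of security-scanning steps from workflow history.

Example added to this question card, not from any cited study. Snapshots,
dates and repository names below are constructed; SCANNER_ACTIONS is an
illustrative subset, not a complete list of scanning actions."""
import re
from datetime import date

# Illustrative: `uses:` reference (without @version) -> scanner category.
SCANNER_ACTIONS = {
    "github/codeql-action/analyze": "SAST",
    "returntocorp/semgrep-action": "SAST",
    "aquasecurity/trivy-action": "container/SCA",
    "actions/dependency-review-action": "SCA",
}

# Captures `owner/repo/path` from `- uses: owner/repo/path@ref` lines.
# `uses:` values are plain scalars, so a regex avoids a YAML dependency.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@\s'\"]+)", re.MULTILINE)


def scanners_in_workflow(yaml_text):
    """Return the set of scanner categories a workflow invokes."""
    found = set()
    for match in USES_RE.finditer(yaml_text):
        ref = match.group(1)
        for action, category in SCANNER_ACTIONS.items():
            if ref == action or ref.startswith(action + "/"):
                found.add(category)
    return found


def adoption_events(snapshots):
    """Diff chronological [(date, text), ...] snapshots of one repo into
    (date, 'adopted' | 'abandoned', category) events."""
    events, previous = [], set()
    for when, text in snapshots:
        current = scanners_in_workflow(text)
        events += [(when, "adopted", c) for c in sorted(current - previous)]
        events += [(when, "abandoned", c) for c in sorted(previous - current)]
        previous = current
    return events


def active_at(snapshots, when):
    """Categories in force on `when`: state of the latest snapshot on or before it."""
    state = set()
    for snap_date, text in snapshots:
        if snap_date > when:
            break
        state = scanners_in_workflow(text)
    return state


def active_series(repos, checkpoints):
    """Repos with at least one scanner active at each checkpoint. A rise
    followed by a fall is the 'security fatigue' signature."""
    return [sum(1 for snaps in repos.values() if active_at(snaps, cp))
            for cp in checkpoints]


def abandonment_rate(repos):
    """Share of adoption events later reversed by an abandonment."""
    events = [e for snaps in repos.values() for e in adoption_events(snaps)]
    adopted = sum(1 for e in events if e[1] == "adopted")
    abandoned = sum(1 for e in events if e[1] == "abandoned")
    return abandoned / adopted if adopted else 0.0


# ---- constructed sample data (not taken from real repositories) ----
WF_BASE = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make test
"""
WF_CODEQL = WF_BASE + """\
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
      - uses: github/codeql-action/analyze@v2
"""
WF_TRIVY = WF_BASE + "  image-scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: aquasecurity/trivy-action@0.11.2\n"
WF_DEPREVIEW = WF_BASE + "  deps:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: 'actions/dependency-review-action@v3'\n"

REPOS = {  # post-Log4Shell adoption in repo-a and repo-c, later reversed
    "repo-a": [(date(2021, 11, 1), WF_BASE), (date(2021, 12, 15), WF_CODEQL),
               (date(2022, 9, 5), WF_BASE)],
    "repo-b": [(date(2021, 10, 1), WF_BASE), (date(2022, 1, 10), WF_TRIVY)],
    "repo-c": [(date(2021, 11, 20), WF_BASE), (date(2022, 2, 1), WF_DEPREVIEW),
               (date(2022, 6, 20), WF_BASE)],
}
CHECKPOINTS = [date(2021, 11, 1), date(2022, 1, 1), date(2022, 7, 1), date(2023, 1, 1)]

if __name__ == "__main__":
    for name, snaps in REPOS.items():
        for when, kind, cat in adoption_events(snaps):
            print(f"{name} {when} {kind} {cat}")
    print("active repos per checkpoint:", active_series(REPOS, CHECKPOINTS))
    print(f"abandonment rate: {abandonment_rate(REPOS):.2f}")
```

On the constructed data the checkpoint series is [0, 1, 2, 1] and the abandonment rate 2/3. Against real repositories the same approach needs a curated action list, handling of workflows that are disabled rather than deleted, and care to distinguish a scanner moved into a reusable workflow from one removed; each of those would otherwise be miscounted as abandonment.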

Vocabulary Map

Primary Terms: security fatigue, alert fatigue, security tooling adoption, false positive rate, setup complexity, maintenance burden

Domain Variants: security tool abandonment, scanning fatigue, developer friction, tool sprawl, noise ratio, signal-to-noise, developer experience

Related Concepts: Log4Shell, CVE-2021-44228, supply chain security incidents, maintainer burnout, open source sustainability, developer productivity, DevSecOps adoption barriers