Q002 — Barriers to Security Scanning: Complexity Over Fatigue — Self-Audit
Process Audit (Analytical Domains)
| Domain | Rating | Rationale |
|---|---|---|
| Evaluation Consistency | Concern | The false positive rate data (68-91%) came primarily from vendor sources with high conflict-of-interest ratings (Pixee, Ghost Security). These were flagged in scorecards but the synthesis gave them su |
| Synthesis Fairness | Pass | The synthesis fairly weighted academic evidence (mixed-methods maintainer study) over vendor evidence (Pixee, Sonatype). The conclusion appropriately reframed 'security fatigue' as 'structural barrier |
Source-Back Verification
Sources verified: 3
Discrepancies
- minor at https://www.pixee.ai/blog/sast-false-positives-reduction
  - Assessment claims: SAST false positive rates range from 68% (NIST) to 91% (Ghost Security on OSS)
  - Source actually says: The evidence packet quotes: 'Security engineers spend 50-80% of their time on manual triage. Veracode found that only 11.3% of discovered flaws pose real-world danger.' The 68% NIST figure and 91% Ghost Security figure are referenced in the synthesis, but the specific verbatim excerpts in the evidence packets focus on the triage burden (50-80%) and the 11.3% real-danger rate. The 68% and 91% figures appear to come from the scorecard content summary rather than from surviving evidence packets.