The problem with security scanners isn't the scanning
The article discusses the challenges developers face when using security scanners like Semgrep and Gitleaks. While these tools are effective, they often produce overwhelming amounts of output that can lead to confusion and inaction among developers without security expertise. The author emphasizes that the real issue lies not in the scanning itself, but in the noise generated by the findings, which can result in developers ignoring critical security issues.
- Security scanners like Semgrep and Gitleaks are powerful tools but can generate excessive findings that overwhelm developers.
- Many developers lack the expertise to triage the results, leading to inaction or burnout.
- The rise of AI coding tools has exacerbated the problem by increasing the likelihood of sensitive information being inadvertently included in code.
Opening excerpt (first ~120 words)

wael matoussi, posted on May 29

The problem with security scanners isn't the scanning
#webdev #ai #security #devops

At a previous job I worked at as a dev, we had someone who ran Semgrep on our codebase for the first time. It came back with 180 findings. We had no security engineer. The developer who ran it looked at the output, closed the terminal, and we never ran it again. That's not a story about a careless team.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to (Top).