Security tools are supposed to help developers build safer software. But sometimes it seems like they create more frustration than security.

This episode is sponsored by Maze.

In this episode of DevSec Station, Tanya Janca explains why many security tools overwhelm developers with alerts, how alert fatigue erodes trust, and why "more findings" doesn't mean "more security." You'll learn how to tune your classic AppSec tools so they surface meaningful issues instead of creating noise that everyone eventually ignores.

You'll learn:
• why classic AppSec tools often optimize for coverage instead of developer workflows
• how alert fatigue develops and why it leads to missed vulnerabilities
• why developers ignore noise (not security)
• how to improve signal-to-noise in your existing tools
• practical ways to make security tools work with your development process

Tanya walks through a familiar scenario: running a security scan that produces hundreds of findings, spending valuable time triaging alerts, then eventually starting to ignore the noise. She explains why this isn't a developer failure; it's the predictable result of tools that don't distinguish between theoretical issues and meaningful risk.

If you do just one thing after listening to this episode:

Pick one security tool you already use (SCA, SAST, or a secrets scanner) and tune it to better respect your time.

For example:
• prioritize high-severity, reachable findings
• highlight newly introduced issues instead of historical backlog
• filter or downgrade specific types of findings your team never acts on
• configure the tool to surface issues as early as possible in your workflow

The goal isn't to ignore security, it's to make the important signals very loud and visible.

DevSec Station is a podcast by Tanya Janca (SheHacksPurple), focused on short, practical lessons that help software developers build more secure software.

Follow Tanya:

This episode is sponsored by Maze.
One of the biggest problems in security right now is that every vulnerability scanner says everything is critical, and honestly, no one has time for that.

Maze uses AI agents to investigate vulnerabilities in context, so you can focus on the issues that are actually exploitable in your environment, not just theoretically scary.

Their AI agents also generate and prioritize fixes that knock out multiple vulnerabilities at once, which is honestly the kind of scaling that security teams need right now.

Learn more about Maze https://mazehq.com/devsec

Podden och tillhörande omslagsbild på den här sidan tillhör Tanya Janca | SheHacksPurple. Innehållet i podden är skapat av Tanya Janca | SheHacksPurple och inte av, eller tillsammans med, Poddtoppen.