Cut the Noise: Make Your Security Tools Actually Work for You

Summary

Installing a security tool is the easy part. The hard part begins on “Day 2,” when that tool reports 5,000 new vulnerabilities. This phase is known as operationalisation. Without a plan, your security team will be overwhelmed by data, and your developers will overlook the alerts.

To prepare for this influx of data, consider implementing a “Day 2 Readiness Checklist.” This checklist should be created and maintained by security leads or designated tool administrators. They are responsible for ensuring the checklist aligns with company policies and that it is effectively enforced to guarantee accountability and smooth adoption.

Verify the configuration of your security tool to ensure it aligns with your company’s cybersecurity policies.
Conduct a dry run with a small data set to familiarise your team with the tool’s output.
Identify key personnel responsible for handling certain vulnerabilities.
Schedule regular review meetings to address and prioritise critical issues identified by the tool.
Allocate resources for continuous monitoring and updating of the tool settings based on feedback.

By setting these foundations, your team can transition smoothly from installation to operation, ready to act on insights from the security tool.

This guide focuses on Vulnerability Management. You will learn how to filter out duplicate alerts (deduplication), manage false alarms (false positives), and track the metrics that actually measure success.

The goal is to move from “finding bugs” to “fixing risks” without slowing down your business.

1. The “Day 2” Problem: From Installation to Operation

Most teams do well on “Day 1” by installing the scanner, but struggle on “Day 2” when it comes to managing the results. It’s like putting in a new smoke detector that goes off every time you make toast.

Eventually, you remove the batteries. The same happens with security tools. If a scanner reports 500 “Critical” issues on the first day, developers will likely assume the tool is malfunctioning and disregard it. This isn’t just a waste of security efforts but a significant risk; developer trust is undermined, leading to potential neglect of future alerts.

The hidden cost of this lost trust can be severe, resulting in a decreased sense of security within the team and reduced adherence to a security-first mindset. It’s crucial to curate the data before showing it to the engineering team. This cautious approach preserves trust, ensuring developers engage with alerts meaningfully, rather than succumbing to alert fatigue.

2. The Art of Triage and Deduplication

Create an ‘Ingestion Policy’ to guide the handling of scan results and avoid overwhelming developers with raw data. By framing this as a policy, you help institutionalise the practice across all security tools, ensuring consistency and reliability.

For instance, security tools often overlap; you might employ a SAST tool for code, an SCA tool for libraries, and a Container Scanner for Docker images. These tools can all detect the same bug. Therefore, it is important to have a policy that prevents raw scan results from being directly added to a developer’s backlog in Jira or Azure DevOps.

What is Deduplication?

Deduplication is the process of combining multiple alerts for the same problem into a single ticket.

Real-World Example: Imagine your application uses a logging library with a known vulnerability (like Log4j):

SCA Tool sees log4j.jar and screams “Vulnerability!”
Container Scanner sees log4j inside your Docker image and screams “Vulnerability!”
SAST Tool sees a reference to LogManager in your code and screams “Vulnerability!”

Without Deduplication: Your developer gets 3 separate tickets for the same bug. They get frustrated and close them all.

With deduplication, the system sees that all these alerts are about “Log4j” and creates one ticket with evidence from all three tools.

Actionable Tip: Use an ASPM (Application Security Posture Management) tool like Plexicus ASPM.

These act as a “funnel,” collecting all scans, removing duplicates, and sending only unique, verified issues to Jira.

3. Managing False Positives

A False Positive is when a security tool flags safe code as dangerous. It is the “boy who cried wolf” of cybersecurity. Beyond just being an annoyance, false positives carry an opportunity cost, draining precious team hours that could have been spent addressing real vulnerabilities.

Quantifying the impact, a single mistaken alert could mislead developers, wasting around five to ten hours; time that ideally should improve security, not detract from it. Thus, tuning tools is not just a technical necessity but a strategic move to optimise your security ROI.

There’s an unofficial rule among developers: if they get 10 security alerts and 9 are false alarms, they’ll probably ignore the 10th, even if it’s real.

You must keep the signal-to-noise ratio high to maintain trust.

How to Fix False Positives

Do not ask developers to fix false positives. Instead, “tune” the tool so it stops reporting them.

Example 1: The “Test File” Error

The Alert: Your scanner finds a “Hardcoded Password” in test-database-config.js.
The Reality: This is a dummy password (admin123) used only for testing on a laptop. It will never go to production.
The Fix: Configure your scanner to exclude all files in the /tests/ or /spec/ folders.

Example 2: The “Sanitiser” Error

The Alert: The scanner says “Cross-Site Scripting (XSS)” because you are accepting user input.
The Reality: You wrote a custom function called cleanInput() that makes the data safe, but the tool doesn’t know that.
The Fix: Add a “Custom Rule” to the tool settings that tells it: “If data passes through cleanInput(), mark it as Safe.”

The Peer Review Process

Sometimes, a tool is technically right, but the risk doesn’t matter (e.g., a bug in an internal admin tool behind a firewall).

Strategy:

Allow developers to mark an issue as “Won’t Fix” or “False Positive,” but require one other person (a peer or security champion) to approve that decision. This removes the bottleneck of waiting for the central security team.

4. Metrics That Matter

How do you prove your security program is working? Avoid “Vanity Metrics” like “Total Vulnerabilities Found.” If you find 10,000 bugs but fix 0, you are not secure.

Track these 4 KPIs (Key Performance Indicators):

Metric	Simple Definition	Why It Matters
Scan Coverage	What % of your projects are being scanned?	You can’t fix what you can’t see. A goal of 100% coverage is better than finding deep bugs in only 10% of apps.
MTTR (Mean Time To Remediate)	On average, how many days does it take to fix a Critical bug?	This measures velocity. If it takes 90 days to fix a critical bug, hackers have 3 months to attack you. Aim to lower this number.
Fix Rate	(Bugs Fixed) ÷ (Bugs Found)	This measures culture. If you find 100 bugs and fix 80, your rate is 80%. If this rate is low, your developers are overwhelmed.
Build Fail Rate	How often does security stop a deployment?	If security breaks the build 50% of the time, your rules are too strict. This creates friction. A healthy rate is usually under 5%.

Summary Checklist for Success

Start Quietly: Run tools in “Audit Mode” (no blocking) for the first 30 days to gather data.
Deduplicate: Use a central platform to group duplicate findings before they hit the developer’s board.
Tune Aggressively: Spend time configuring the tool to ignore test files and known safe patterns.
Measure Velocity: Focus on how fast you fix bugs (MTTR), not just how many you find.

Frequently Asked Questions (FAQ)

What is a False Positive?

A false positive occurs when a security tool flags safe code as a vulnerability, causing unnecessary alerts and wasted effort.

What is a False Negative?

A false negative happens when a real vulnerability goes undetected, creating a hidden risk.

Which is worse?

Both are problematic. Too many false positives overwhelm developers and erode trust, while false negatives mean real threats go unnoticed. The goal is to balance noise reduction with thorough detection.

How to handle false positives?

Tune your tools by excluding known safe files or adding custom rules instead of asking developers to fix these false alarms.

I have 5,000 old vulnerabilities. Should I stop development to fix them?

No. This will bankrupt the company. Use the “Stop the Bleeding” strategy. Focus on fixing new vulnerabilities introduced in code written today. Put the 5,000 old issues into a “Technical Debt” backlog and fix them slowly over time (e.g., 10 per sprint).

Can AI help with false positives?

Yes. Many modern tools use AI to grade the probability of an exploit. If the AI sees that a vulnerable library is loaded but never actually used by your application, it can automatically mark it as “Low Risk” or “Unreachable,” saving you time.

Written by

José Palanco

José Ramón Palanco is the CEO/CTO of Plexicus, a pioneering company in ASPM (Application Security Posture Management) launched in 2024, offering AI-powered remediation capabilities. Previously, he founded Dinoflux in 2014, a Threat Intelligence startup that was acquired by Telefonica, and has been working with 11paths since 2018. His experience includes roles at Ericsson`s R&D department and Optenet (Allot). He holds a Telecommunications Engineering degree from the University of Alcala de Henares and a Master`s in IT Governance from the University of Deusto. As a recognized cybersecurity expert, he has been a speaker at various prestigious conferences including OWASP, ROOTEDCON, ROOTCON, MALCON, and FAQin. His contributions to the cybersecurity field include multiple CVE publications and the development of various open source tools such as nmap-scada, ProtocolDetector, escan, pma, EKanalyzer, SCADA IDS, and more.