Why We Stopped Chasing Every Vulnerability: “Signal-First” Security

In modern DevOps, we’ve been sold a lie: that more scanning equals more security. We’ve turned our best engineers into glorified triage bots, drowning them in a sea of “Critical” and “High” alerts that, in reality, pose zero risk to our production environment. This is security theater at its finest — high activity, low impact, and a total drain on developer morale.
At Emento, we realized that traditional Software Composition Analysis (SCA) and infrastructure scanning were generating mostly noise. True technical leadership isn’t about finding every potential bug; it’s about identifying the signal in the noise. We stopped chasing every vulnerability and started focusing on “Signal-First” security.
Focus on Reachability, Not Just Existence
Traditional SCA tools are blunt instruments. They flag a vulnerability simply because a library exists in your node_modules. But if your application never actually calls the vulnerable function, is it really a threat? For most tools, the answer is "yes," leading to a workload where 80% of remediations are a total waste of time.
We’ve shifted to Reachability Analysis using Coana (now Socket.dev). Instead of a flat list of dependencies, we look at the actual call graphs. By using static control-flow analysis, we can determine whether a vulnerability is reachable within our specific program execution. This isn’t just a marginal gain; it’s a fundamental shift in efficiency. Across the industry, this approach delivers an average 81.15% noise reduction.
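To make the reachability idea concrete, here is an added example (not Emento's tooling and not Coana/Socket.dev code) that walks a call graph from an application's entry points and splits a list of advisories into "reachable" and "present but unreachable". The call graph, package names and advisory ids are constructed for illustration; a real tool would build the graph from the parsed source. The one edge case worth showing is an unresolved dynamic call site (eval, require of a variable), which the triage treats conservatively by keeping every advisory in the reachable bucket.

```javascript
// Added example, not code from Emento or from Coana/Socket.dev: reachability
// triage over a call graph. The function names, packages and advisory ids
// below are constructed for illustration.

// Constructed call graph: caller -> callees. The special callee "*" marks a
// dynamic call site (eval, require(variable), reflection) that static analysis
// cannot resolve; the triage below treats it conservatively.
const CALL_GRAPH = {
  "app/server.js#main": ["app/routes.js#handleUpload", "app/routes.js#healthCheck"],
  "app/routes.js#handleUpload": ["node_modules/imglib/index.js#resize"],
  "app/routes.js#healthCheck": [],
  "node_modules/imglib/index.js#resize": ["node_modules/imglib/lib/scale.js#scale"],
  "node_modules/imglib/lib/scale.js#scale": [],
  // Present in node_modules but never called from our entry points:
  "node_modules/imglib/lib/exif.js#parseExif": [],
  "node_modules/yamlish/index.js#load": ["node_modules/yamlish/index.js#unsafeConstruct"],
  "node_modules/yamlish/index.js#unsafeConstruct": [],
};

// Constructed advisories (hypothetical ids): the function each one affects.
const ADVISORIES = [
  { id: "EXAMPLE-0001", pkg: "imglib", severity: "Critical", fn: "node_modules/imglib/lib/scale.js#scale" },
  { id: "EXAMPLE-0002", pkg: "imglib", severity: "High", fn: "node_modules/imglib/lib/exif.js#parseExif" },
  { id: "EXAMPLE-0003", pkg: "yamlish", severity: "Critical", fn: "node_modules/yamlish/index.js#unsafeConstruct" },
];

// Depth-first walk from the entry points. Returns the set of reachable
// functions, plus whether an unresolved dynamic call was encountered.
function reachableFunctions(graph, entryPoints) {
  const seen = new Set(entryPoints);
  const stack = [...entryPoints];
  let dynamic = false;
  while (stack.length) {
    const fn = stack.pop();
    for (const callee of graph[fn] || []) {
      if (callee === "*") { dynamic = true; continue; }
      if (!seen.has(callee)) { seen.add(callee); stack.push(callee); }
    }
  }
  return { seen, dynamic };
}

// Split advisories into signal (reachable) and noise (present but unreachable).
// If the graph contains an unresolved dynamic call, every advisory is kept as
// reachable: an incomplete call graph must fail toward "investigate", not "ignore".
function triageAdvisories(graph, entryPoints, advisories) {
  const { seen, dynamic } = reachableFunctions(graph, entryPoints);
  const reachable = advisories.filter(a => dynamic || seen.has(a.fn));
  const unreachable = advisories.filter(a => !dynamic && !seen.has(a.fn));
  const noiseReduction = advisories.length ? unreachable.length / advisories.length : 0;
  return { reachable, unreachable, noiseReduction, dynamic };
}

// Stand-alone run on the constructed inputs.
const triage = triageAdvisories(CALL_GRAPH, ["app/server.js#main"], ADVISORIES);
console.log("fix now:", triage.reachable.map(a => `${a.id} (${a.severity})`));
console.log("present but unreachable:", triage.unreachable.map(a => a.id));
console.log(`noise reduction: ${(triage.noiseReduction * 100).toFixed(1)}%`);
```

On the constructed graph only the Critical in imglib's scale function is actually called from main; the other two advisories sit in code that is installed but never executed, so two of three alerts drop out of the "fix now" queue. The unreachable list is still kept, not deleted: it is the lower-priority backlog, and it gets re-evaluated whenever the call graph changes.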
Optimize Infrastructure Scanning Through Provisioning Logic
Our infrastructure security follows the same lean philosophy. We use Intruder.IO to monitor our production environments, but we don’t scan blindly. Because we provision our entire infrastructure via Ansible, we have a unified, predictable setup for every node — from servers, storage and load balancers to jump hosts.
In a traditional “security theater” model, you’d scan every single instance. At Emento, we scan one of each node type. If the nodes are identical and provisioned through the same CI/CD pipeline, scanning 100 of them doesn’t make you 100 times safer; it just kills your performance and inflates your bill.
Our strategy focuses on depth over redundancy:
- Inside-Out Scanning: Intruder.IO scans from within the server to detect system and configuration vulnerabilities.
- Outside-In Scanning: Intruder.IO scans from the perimeter to identify open access and exposed ports.
- API-First Security: Intruder.IO scans known APIs based on our OpenAPI specifications to find vulnerabilities in the data layer that traditional network scanners miss.
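The "one scan per node type" rule only holds while the nodes in a type really are identical, so the selection logic has to say what a node type is and notice when a host has drifted away from it. The following is an added example, not Emento's tooling: it groups a constructed inventory by (role, base image, playbook revision), which is this example's own definition of a node type, picks one representative per group, and separately flags hosts whose playbook revision is not the one CI/CD currently deploys.

```javascript
// Added example, not Emento's tooling: picking one scan target per node type.
// The inventory below is constructed; in practice it would be derived from the
// Ansible inventory and gathered facts. Defining a "node type" as the tuple
// (role, base image, playbook revision) is an assumption of this example.
const INVENTORY = [
  { host: "web-01", role: "web", image: "ubuntu-22.04-2024.05", playbook: "a1b2c3d" },
  { host: "web-02", role: "web", image: "ubuntu-22.04-2024.05", playbook: "a1b2c3d" },
  // Drifted: still on an older playbook revision, so not identical to web-01/02.
  { host: "web-03", role: "web", image: "ubuntu-22.04-2024.05", playbook: "0f0f0f0" },
  { host: "db-01", role: "db", image: "ubuntu-22.04-2024.05", playbook: "a1b2c3d" },
  { host: "lb-01", role: "lb", image: "ubuntu-22.04-2024.05", playbook: "a1b2c3d" },
  { host: "jump-01", role: "jump", image: "ubuntu-22.04-2024.05", playbook: "a1b2c3d" },
];

// Two hosts are the same node type only if every provisioning input matches.
function nodeTypeKey(h) {
  return `${h.role}|${h.image}|${h.playbook}`;
}

// Returns one representative per node type, the hosts it stands in for, and a
// list of hosts whose playbook revision differs from the one CI/CD currently
// deploys. Drifted hosts form their own type and so still get scanned, but
// they are surfaced separately: a single representative is only meaningful
// while the group it covers is actually uniform.
function selectScanTargets(inventory, currentPlaybook) {
  const groups = new Map();
  for (const h of inventory) {
    const key = nodeTypeKey(h);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(h);
  }
  const targets = [];
  const drifted = [];
  for (const [nodeType, hosts] of groups) {
    hosts.sort((a, b) => a.host.localeCompare(b.host));
    targets.push({ nodeType, representative: hosts[0].host, covers: hosts.map(h => h.host) });
    if (hosts[0].playbook !== currentPlaybook) drifted.push(...hosts.map(h => h.host));
  }
  return { targets, drifted };
}

// Stand-alone run on the constructed inventory.
const plan = selectScanTargets(INVENTORY, "a1b2c3d");
console.log(`${plan.targets.length} scans cover ${INVENTORY.length} hosts`);
for (const t of plan.targets) console.log(`${t.representative} -> ${t.covers.join(", ")}`);
if (plan.drifted.length) console.log("drifted (re-provision or scan individually):", plan.drifted);
```

Six hosts collapse into five scans here, and web-03 shows up in the drift list rather than silently hiding behind web-01. That drift check is the part worth keeping: the saving comes from the pipeline guaranteeing uniformity, so anything that breaks the guarantee should also break the deduplication.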
Visibility is the Ultimate Remediation Tool
Detection is worthless without a protocol for remediation. We centralize everything from Intruder.IO and Coana into a single “Security Vulnerability Monitoring and Remediation Dashboard” powered by monday.com.
Every night, an automated service pulls our vulnerability counts — Critical, High, Medium, and Low — and updates our central dashboard. We don’t just look at a list of bugs; we look at the trend lines. Our internal data shows a clear pattern: while “Low” and “Medium” vulnerabilities may fluctuate, our “High” and “Critical” count is kept consistently near zero.
Our protocol is rigid to ensure we ship fast without breaking things:
- Critical issues: Addressed ASAP.
- High issues: Remediated within a reasonable, predefined timeframe.
- Visibility: By seeing the data move over time on a chart, we can identify if a specific deployment caused a spike in exposure and roll it back immediately.
- Trends: If the lower categories rise continuously, this indicates deterioration in the system and must be addressed.
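The rules above (spike after a deployment, High kept within a window, lower categories creeping up) are simple enough to evaluate from the nightly counts themselves. The following is an added example, not Emento's nightly service or the monday.com dashboard: it runs three checks over a constructed series of nightly snapshots and a constructed deployment record. The thresholds (a spike of at least 2 in Critical+High, a five-night trend window, three nights as the High remediation window) are assumptions chosen for illustration.

```javascript
// Added example, not Emento's nightly service or dashboard: evaluating a series
// of nightly severity counts. The snapshots and the deployment record are
// constructed; the thresholds are assumptions chosen for illustration.
const SNAPSHOTS = [
  { date: "2024-06-01", critical: 0, high: 0, medium: 4, low: 12 },
  { date: "2024-06-02", critical: 0, high: 1, medium: 4, low: 13 },
  { date: "2024-06-03", critical: 0, high: 1, medium: 5, low: 14 },
  { date: "2024-06-04", critical: 2, high: 4, medium: 5, low: 15 }, // night after a release
  { date: "2024-06-05", critical: 2, high: 4, medium: 6, low: 16 },
  { date: "2024-06-06", critical: 0, high: 0, medium: 6, low: 17 },
];
const DEPLOYMENTS = [{ date: "2024-06-04", release: "v2.3.0" }];

// A spike is a night where Critical+High grew by at least `threshold` since the
// previous night. Each spike is joined to any deployment recorded that day so
// the rollback candidate is named.
function detectSpikes(snapshots, deployments, threshold = 2) {
  const spikes = [];
  for (let i = 1; i < snapshots.length; i++) {
    const prev = snapshots[i - 1].critical + snapshots[i - 1].high;
    const cur = snapshots[i].critical + snapshots[i].high;
    if (cur - prev >= threshold) {
      const deploy = deployments.find(d => d.date === snapshots[i].date);
      spikes.push({ date: snapshots[i].date, delta: cur - prev, release: deploy ? deploy.release : null });
    }
  }
  return spikes;
}

// A lower category is "deteriorating" when, over the last `window` nights, it
// never decreased and rose by at least `minRise` in total. Normal fluctuation
// (up one night, down the next) does not trigger this.
function risingTrend(snapshots, field, window = 5, minRise = 3) {
  const recent = snapshots.slice(-window).map(s => s[field]);
  if (recent.length < 2) return false;
  const nonDecreasing = recent.every((v, i) => i === 0 || v >= recent[i - 1]);
  return nonDecreasing && recent[recent.length - 1] - recent[0] >= minRise;
}

// Longest run of consecutive nights with at least one open High or Critical;
// compared against the remediation window the team has agreed on.
function longestExposureStreak(snapshots) {
  let best = 0, run = 0;
  for (const s of snapshots) {
    run = s.critical + s.high > 0 ? run + 1 : 0;
    if (run > best) best = run;
  }
  return best;
}

// One nightly verdict combining the three checks.
function nightlyReport(snapshots, deployments, maxHighDays = 3) {
  const streak = longestExposureStreak(snapshots);
  return {
    spikes: detectSpikes(snapshots, deployments),
    mediumRising: risingTrend(snapshots, "medium"),
    lowRising: risingTrend(snapshots, "low"),
    longestStreak: streak,
    slaBreached: streak > maxHighDays,
  };
}

// Stand-alone run on the constructed data.
console.log(JSON.stringify(nightlyReport(SNAPSHOTS, DEPLOYMENTS), null, 2));
```

On the constructed data the report names 2024-06-04 and release v2.3.0 as the spike, flags Low as steadily rising while Medium merely fluctuates, and reports that High/Critical stayed open for four consecutive nights, longer than the assumed three-night window. The point of returning a structured verdict rather than a chart alone is that each field can drive an action (roll back, open a ticket, escalate) without a human having to eyeball the trend line first.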
The “Always-On” Exposure Mindset
We’ve moved away from the “Red Teaming” model where you get a security snapshot once or twice a year. In a world of zero-day exploits, that’s just asking for a breach. We prioritize continuous attack surface management.
By having an “always-on” scanner like Intruder.IO, we catch cloud misconfigurations and emerging threats in real-time. This proactive stance is the only way to manage a modern cloud footprint.
This “slap in the face” is exactly what a CTO needs — immediate, actionable intelligence that confirms the threat is real (or that we are already safe), rather than a 50-page PDF report that arrives three months too late.
Conclusion: The Future of Lean Security
The shift from “Noise-Heavy” to “Signal-First” security is a mandatory evolution for any company that wants to manage security. We can no longer afford to waste thousands of developer hours on irrelevant alerts in the name of “compliance.”
Lean security isn’t about ignoring risks; it’s about informed risk management. By focusing on reachability, optimizing infrastructure scans through provisioning logic, and demanding high-precision tools, we’ve made security a tailwind for our development team rather than a bottleneck.
If 80% of your security alerts are irrelevant, your team isn’t protecting your product — they’re just managing a list. It’s time to stop the theater and start shipping.
