Scenario
You’re part of an AppSec team rolling out a new security scanner. You expect better coverage, but instead you get resistance from developers, alert fatigue in your triage team, and a growing backlog of unresolved findings. The root issue? You’ve deployed a busywork generator.
What Busywork Generators Do
| Pattern | Alert-heavy, outcome-light tools |
| Problem | False positives, manual triage, unresolved alerts |
| Impact | Burnout, friction, wasted time |
Security tools that push alerts without fixing the root issue often end up creating more work than value. You’re just moving the problem downstream.
“Just raise a ticket” ≠ Fix.
Symptoms of Busywork Generators
- Security tooling that creates issues but doesn’t help resolve them.
- Manual triage becomes a full-time job.
- False positives are common, and real issues are buried.
- Developer trust erodes. “Security is just creating noise.”
Dig Deeper — Ask “Why?”
Instead of patching symptoms, trace the root cause using the 5 Whys approach:
- Why did this alert trigger?
- Why wasn’t the default secure?
- Why wasn’t it caught earlier?
- Why was the responsibility misaligned?
Most root issues stem from:
- Lack of secure defaults
- Missing platform guardrails
- Poor integration into existing workflows
Shortridge’s Ice Cream Cone Model
Visualize your detection layers as an ice cream cone:
- Top = Built-in controls (secure by default)
- Middle = Automated checks (CI/CD, integrations)
- Bottom = Human effort (manual review, triage)
Busywork generators focus on the bottom layer. Shift up.
“Get Clean” vs “Stay Clean”
| Goal | Focus |
|---|---|
| Get Clean | Fix immediate issues |
| Stay Clean | Prevent issues long-term via guardrails |
Don’t aim for perfect cleanup. Just fix what matters and build mechanisms to stay clean.
Case Study – GitHub Actions Incident
An attacker compromised the popular tj-actions GitHub Action due to unpinned tags.
Root issue: No default enforcement for SHA-pinning.
Real fix:
- Proactively scan repos.
- Alert and enforce pinned versions in CI pipelines.
- Help devs stay secure by default.
Fix the System, Not Just the Symptoms
Avoid “NagOps” (constant reminders, trainings, ticket spam).
Instead, build mechanisms:
- Secure-by-default templates
- Platform-level controls and auto-enforcement
- CI/CD feedback loops with clear context
Final Thoughts
Busywork looks productive but creates burnout. Real security outcomes come from systemic, embedded solutions.
Don’t just ship alerts. Ship architecture.
Reference
Cybersecurity Antipatterns – Busywork Generators by Spaceraccoon