InertiaRSS Track and read blogs, news, and tech you care about
Read Original Open in InertiaRSS

Recommended Feeds

Google DeepMind News
Google DeepMind News
大猫的无限游戏
大猫的无限游戏
GbyAI
GbyAI
WordPress大学
WordPress大学
雷峰网
雷峰网
博客园_首页
L
LangChain Blog
Blog — PlanetScale
Blog — PlanetScale
Last Week in AI
Last Week in AI
博客园 - Franky
M
MIT News - Artificial intelligence
S
SegmentFault 最新的问题
博客园 - 【当耐特】
Jina AI
Jina AI
腾讯CDC
Y
Y Combinator Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
Stack Overflow Blog
Stack Overflow Blog
宝玉的分享
宝玉的分享
罗磊的独立博客

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python)
Alert Fatigue Is a Design Choice: Building Views That Actually Help
Jon Rose · 2026-05-20 · via DEV Community

The default dashboard in your CSPM tool is almost certainly wrong for you.

Not wrong as in broken. Wrong as in optimized for someone else's environment, someone else's priorities, someone else's risk tolerance. Out of the box, you get a generic view designed to look impressive in a demo. What you need is a view designed to help you actually fix things.

Here's what we typically see when we first log into a CSPM that hasn't been tuned: hundreds, sometimes thousands of critical and high-risk alerts. You can't even make sense of it. The dashboard is a wall of red and orange that's been that way for months. Alert fatigue is a design choice. You can make different choices.

Building Views That Work

We've built 25 to 35 custom discovery views for every environment we manage. That's not overkill. That's what it takes to see what matters. Some examples:

Publicly exposed cloud services: HTTP/HTTPS listeners across your environment. Simple inventory of web servers.

Non-web services: Anything not on ports 80 or 443. SSH servers, database interfaces, custom APIs. This list is always worth reviewing because non-web services often get less scrutiny.

Internet-facing data storage: S3 buckets, Azure storage accounts, RDS instances with public exposure. These deserve dedicated attention because the blast radius of a misconfiguration is significant.

Untagged PII locations: Assets detected with sensitive data that haven't been confirmed as legitimate. This inverse view (show me what's flagged but not yet validated) drives investigation rather than just alerting.

Each view answers a specific question. Who's exposed? What changed? Where are the gaps in our understanding?

The Tagging System

Views become powerful when combined with consistent tagging. We preload custom tags across every environment:

Known Admin: Tag identity groups, IAM roles, and individual accounts that have legitimate administrative access. Once tagged, these stop generating repetitive alerts. The interesting alert becomes "new admin access that's not on the known list."

Known PII: Tagged assets confirmed to contain personal or health information. The database holding customer records should have PII. The development server shouldn't. The interesting alert is untagged PII in unexpected places.

Accepted Risk: Tag findings that represent conscious decisions not to remediate immediately. Maybe the system is being decommissioned. Maybe the fix breaks other things. The risk is acknowledged, tracked, and periodically reviewed.

This flips the default model. Instead of dismissing alerts after you've seen them enough times, you acknowledge them explicitly up front. Your monitoring then surfaces what's genuinely new or unexpected.

IAM: Where Signal-to-Noise Hits Hardest

Identity and Access Management is where the noise problem is most acute. IAM is complex, constantly changing, and critical to get right.

The patterns we see repeatedly:

The "Developers" group with full admin: Someone created an IAM group and attached admin permissions because it was faster than figuring out exactly what developers need. Now every engineer who joins gets dropped into that group. The scanner flags it every day, and everyone ignores the alert.

QA teams with IAM permissions: We've seen outsourced QA teams granted permissions that enable privilege escalation. Not because anyone intended to give them that access, but because someone attached an AWS managed policy without understanding what was in it.

AWS managed policy surprises: You might think AWS managed policies are safe because Amazon made them. But these policies contain permissions like iam:PassRole that enable privilege escalation. Attaching "Lambda Full Access" grants the ability to pass admin roles to functions, potentially escalating from developer to admin. And these policies can change without notice.

CSPM tools flag all of this. But the flags are overwhelming unless you know which access is intentional and which is accidental.

The Long-Lived Credential Problem

IAM access keys deserve special attention because they tend to persist far longer than anyone intended.

我们发现了一些存在多年的API密钥。在其中一个案例中,是15年前的管理员密钥。上帝才知道它们现在在哪里。为某个早已消失的特定集成创建的密钥。附加到几个月或几年前离开公司的用户上的密钥。

The solution is layered:

SSO 集成: Connect your identity provider with AWS. When someone leaves the company and their account gets deactivated, their cloud access goes away automatically.

Short-lived sessions: AWS SSO CLI tools make it easy to use temporary credentials instead of static keys. You authenticate, get a session that expires, and keep working. If credentials leak, they're useless within hours.

Tag what remains: For the keys you can't eliminate, tag them with owner and business unit. When you're investigating or doing periodic reviews, you can actually trace accountability.

Container Bloat: Another Source of Noise

The noise problem extends to attack surface itself.

A pattern we see everywhere: developers install everything including the kitchen sink into container images because they don't want to troubleshoot missing dependencies. If you're not sure what the application needs to run, easier to include everything than debug what's missing.

The result is bloated images with hundreds of packages, most of which the application never touches. Every package is a potential vulnerability. Your scanner dutifully reports all of them. Now you're triaging CVEs for software you don't even use.

The solutions exist:

Slim base images: Start with minimal distributions instead of full operating systems. If you don't install a package, you don't have to patch it.

Distroless or hardened images: Chain Guard, Google's Distroless, and Docker's hardened images strip out everything except what your application actually needs. Fewer packages, fewer vulnerabilities, less noise.

Same pattern as IAM: reduce the surface area, and the signals that remain are more likely to matter.

The Takeaway

Alert fatigue is a symptom of generic configuration applied to specific environments. The cure is building views that match how you think about risk.

Tag what you know. Build views that surface what's new. Track what you're accepting. Reduce attack surface so there's less noise to begin with.

If your dashboard has been showing hundreds of critical alerts for months and nobody knows which ones actually matter this week, you're not alone. Sometimes you just need someone who's done this across dozens of environments to set things up so the tools actually work for you.

Jon Rose runsIOmergent, advising engineering-led companies on security strategy and managed cloud security operations.

This content is automatically aggregated by InertiaRSS (RSS Reader) for reading reference only. Original from — Copyright belongs to the original author.