How do you evaluate and improve security tooling to reduce attack surface while keeping the developer experience frictionless?