今日已更新 412 条资讯 | 累计 19972 条内容
关于我们

It ran it works: I audited my own security platform and found a detection engine that never ran

Saint Zero Day 2026年06月01日 14:56 6 次阅读 来源:Dev.to

I build a security platform. Last night I stopped adding features and did something less fun and more honest: I sat down to make every capability prove it actually works — end to end, with real data, demanding a real pass or fail. "It ran" is not a pass. A page that renders is not a feature. A green checkmark is a claim, not evidence. So I went capability by capability and tried to break each one. I found four real bugs and one of them was a gut-punch: a whole detection engine that was wired into the UI, unit-tested, and never actually ran in production. Here's how the night went. The rule: drive it, don't admire it My method was boring on purpose. For each capability: Feed it real input through the real entry point (CLI or API), not a test fixture. Check the data actually landed (query the DB, don't trust the success message). Feed it a malicious input and a benign input — it has to fire on one and stay quiet on the other. The detection engine passed cleanly. I threw a PsExec process event at it and it lit up: $ zds-core detection eval --event '{"event_type":"process_create","process_name":"psexec.exe"}' 1 alert ( s ) : [ high] PsExec Execution — ( matched: map[process_name:psexec.exe] ) A wevtutil cl Security event tripped a critical "Log Clearing" rule. A plain notepad.exe matched nothing. Good — it detects, and it doesn't cry wolf. (Small UX papercut I fixed while I was there: if you forgot the event_type field, the engine silently matched nothing and printed "no rules matched" — which reads exactly like "you're safe." Now it warns you that the event can't match any rule. Silence that looks like safety is the most dangerous output a security tool can produce.) The one that hurt: ITDR Identity Threat Detection and Response. The engine has detectors for impossible travel, credential spraying, brute force, privilege escalation. All unit-tested. All green. I ran the real flow: POST two login events for one user — New York, then London thirty minutes later. That's ~5

本文内容来源于互联网,版权归原作者所有
查看原文