今日已更新 166 条资讯 | 累计 20138 条内容
关于我们

I Tried to Fix a Vulnerability. A $1,400,000 AI System Said No. Twenty Days Later, That Vulnerability Cost $4,200,000.

xulingfeng 2026年06月06日 08:44 4 次阅读 来源:Dev.to

This story was shared by a fellow developer on DEV who asked to remain anonymous. If you've got a story to tell — come find me. Your name won't appear anywhere. Based on real microservice security design patterns. About an engineer whose PR got blocked by an AI security system — he thought he was fixing a vulnerability. Turns out, someone had a vested interest in that vulnerability staying open. 1. $1,400,000 All-hands meeting. CTO James stood at the front, a number on the screen: $1,400,000 "This is what we're spending on security this year." He pointed at the number. "The biggest piece — right here." He clicked the remote. VoidSentinel's architecture topology appeared on screen. "VoidSentinel — an AI security platform. Integrated into our CI/CD pipeline. Starting today, every PR involving internal service-to-service calls — it reviews them automatically." The CEO didn't show up today. James didn't mention it. He looked straight at Mark — VP of Security. Mark took the mic. "VoidSentinel has been running in our pre-production environment for three weeks. It's caught 47 high-risk patterns. Zero false positives." He paused. " — Of course, some people might feel uncomfortable when their PR gets blocked. But this isn't personal. This is the security standard. " He wasn't looking at me. But I knew who he was talking about. 2. High Risk. Denied. The story started three weeks earlier. We had a payment service and a user service that talked to each other internally. They shared an old API key — one key across thirty-plus services, unchanged for five years. It wasn't that nobody knew. It just never made it to the top of the backlog. On Day 1, I opened a PR: add independent service-to-service auth between the payment and user services. Not much code — a new token exchange module, three call sites modified. Five minutes later, VoidSentinel's automated comment hit: "High-risk alert: Unauthorized internal access pattern change detected. This PR has been automatically rejected. C

本文内容来源于互联网,版权归原作者所有
查看原文