惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hacker News: Ask HN
Hacker News: Ask HN
WordPress大学
WordPress大学
T
The Blog of Author Tim Ferriss
The GitHub Blog
The GitHub Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 聂微东
A
About on SuperTechFans
Stack Overflow Blog
Stack Overflow Blog
雷峰网
雷峰网
Microsoft Azure Blog
Microsoft Azure Blog
腾讯CDC
爱范儿
爱范儿
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园 - 【当耐特】
V
Visual Studio Blog
有赞技术团队
有赞技术团队
U
Unit 42
D
Docker
小众软件
小众软件
F
Full Disclosure
I
Intezer
Scott Helme
Scott Helme
P
Privacy International News Feed
P
Proofpoint News Feed
Engineering at Meta
Engineering at Meta
Google DeepMind News
Google DeepMind News
B
Blog
Martin Fowler
Martin Fowler
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Vercel News
Vercel News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Spread Privacy
Spread Privacy
宝玉的分享
宝玉的分享
S
Security Affairs
www.infosecurity-magazine.com
www.infosecurity-magazine.com
月光博客
月光博客
C
Cisco Blogs
云风的 BLOG
云风的 BLOG
Schneier on Security
Schneier on Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Threat Research - Cisco Blogs
量子位
Hacker News - Newest:
Hacker News - Newest: "LLM"
H
Heimdal Security Blog
N
Netflix TechBlog - Medium
H
Hacker News: Front Page
P
Proofpoint News Feed
G
GRAHAM CLULEY
V
Vulnerabilities – Threatpost
S
Schneier on Security

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Beyond the Scanner: When You Need Custom Tooling for Cloud Security
Jon Rose · 2026-06-23 · via DEV Community

We're fans of cloud security tools. Prowler, Wiz, Orca, Scout. There are dozens of options, with new ones appearing regularly. They automate the heavy lifting of querying cloud environments and correlate findings across services.

But every scanner has limitations. And sometimes you need to build your own.

How CSPM Tools Work (And Where They Stop)

Cloud providers like AWS and Azure have well-documented, standard APIs. What you test in one tool you could test in another, or run yourself via the AWS CLI. The major CSPM platforms do this at scale--connecting to control planes, pulling configuration data, scanning data stores, and correlating findings.

What they can't do is make every decision perfectly for your environment.

Every vulnerability scanner and CSPM tool involves design decisions:

  • When to report a finding
  • How much detail to provide
  • How to handle edge cases
  • What counts as "critical" vs. "high" vs. "medium"

These decisions involve tradeoffs. The scanner team optimizes for the common case, the typical user, the expected configuration. That's reasonable engineering. But it means some findings that matter to you won't surface, and some that don't matter will.

Recognizing the Limits

When you run these tools daily across many environments, you start to see the nuances. You find yourself asking: Why didn't this show up? Why did that get flagged? You dig into the alert logic and start to reverse-engineer the decisions made by the original signature designers.

Sometimes you don't agree with those decisions.

At that point, you have two options:

  1. File a bug report: Explain your perspective to the vendor. Maybe they agree and update the scanner. Maybe they don't, or maybe it's low priority for them.

  2. Build your own tooling: Augment the scanner with scripts, automation, and additional checks that fill the gaps.

We usually try both. But often, building your own tools is faster than waiting for vendor changes.

What Custom Tooling Looks Like

This isn't about replacing your CSPM. It's about extending it.

Read-only audit roles: We always set up a dedicated security audit role in cloud environments. A read-only account that our automation can use to double-check CSPM findings, validate alerts, and go deeper than the scanner goes.

Validation scripts: Small scripts that verify scanner findings. Did the CSPM flag this correctly? Is the context accurate? Especially useful for edge cases where scanner logic is uncertain.

Gap filling: New AWS services or features that aren't covered yet. Edge cases that the scanner handles partially. Specific configurations that matter to your environment but aren't general enough for the vendor to prioritize.

Custom correlation: Pulling data from multiple sources and correlating it in ways the CSPM doesn't. Combining scanner output with access logs, business metadata, or findings from other tools.

The goal is a consolidated view that brings together CSPM findings, custom checks, and business context into something actionable.

Where Gaps Commonly Appear

Some areas where we consistently see CSPM tools fall short:

Identity and Access Management: IAM is complex and constantly evolving. Most tools flag obvious issues like stale keys, overly broad policies, and known privilege escalation paths. But the nuances of who should have access to what in your specific organization require custom analysis.

Data Security Posture: DSPM scanners find sensitive data, but the false positive rate can be high. Third-party dependencies with contributor emails get flagged, and build artifacts with test data trigger alerts. Custom policies help filter the noise.

Attack Surface Reachability: Understanding what's truly reachable from the internet vs. what just looks exposed requires combining multiple data sources. Scanner enrichments don't always get it right.

Vulnerability Prioritization: Beyond CVSS scores, true prioritization needs business context that scanners can't know: customer impact, revenue implications, contractual obligations.

Patch Management: Identifying what needs patching is one thing. Understanding the blast radius of patching it, the dependencies involved, and the operational impact requires additional analysis.

Infrastructure-as-Code Root Causes: A client had a security group flagged as overly permissive, with 65,000 IP addresses allowed in. The scanner caught it. But understanding why required tracing it back through their Terraform code. Turns out the CIDR range had a typo, off by one digit, and it was actually copied from an example in Terraform's documentation. Those 65,000 addresses belonged to AT&T customers in Florida. The scanner found the symptom; custom analysis found the root cause.

Secrets in Build Artifacts: Another client did everything right with secrets management. They used GitHub Secrets, never committed credentials to code, and GitHub Advanced Security showed clean. But their build process injected an AWS access key into client-facing JavaScript during compilation, and that artifact got pushed to S3. GitHub's scanning doesn't see post-build artifacts. That's not what it's designed for. The fix was adding detect-secrets as a post-build GitHub Action to scan what was actually being deployed. Nobody expected secrets to appear after the build. That's the gap custom tooling fills.

These are areas where small, focused vendors often emerge to fill specific gaps. We partner with some of them. We build alternatives when we can't find good options.

The Resource Reality

Most security teams can't do this.

If you're running a CSPM as part of your job, one of twelve priorities on your daily list, you probably don't have time to:

  • Deep-dive into scanner limitations
  • Enumerate edge cases and form opinions about them
  • Build custom tooling to extend coverage
  • Maintain that tooling as cloud services evolve

Before you know it, you've got a Frankenstein platform held together with scripts and scheduled jobs. Maintained as a side project. Increasingly fragile.

This is where dedicated focus matters. If cloud security is your full-time job and not one of many responsibilities, you have the bandwidth to go deep, stay current, and maintain the additional tooling that turns generic coverage into comprehensive visibility.

The Ecosystem Response

The gaps in CSPM tools aren't secrets. The market responds by creating small vendors that target specific pain points. Data security specialists. IAM analyzers. Attack surface mappers.

These tools can be valuable, but integrating them adds complexity. Another dashboard. Another data source. Another thing to maintain.

The alternative is building in-house, if you have the engineering capacity and sustained focus. The advantage of custom tooling is that it does exactly what you need. The disadvantage is that you're now responsible for maintaining it.

Questions to Ask

When you're building a comprehensive view of cloud security, consider:

  • How deep do you want to go? Generic coverage or nuanced analysis?
  • How much coverage do you actually need? What risks matter most?
  • What's your opinion on scanner decisions? Do you agree with how your CSPM handles edge cases?
  • Do you have capacity to maintain custom tooling? Or will scripts accumulate and rot?

There's no universal answer. The right approach depends on your environment, your risk tolerance, and your resources.

The Takeaway

CSPM tools are essential. They do the heavy lifting that would be impossible manually. But they're not complete.

Every scanner makes decisions you might disagree with. Every platform has edge cases it handles imperfectly. If you want truly comprehensive cloud security, you need to either accept those limitations or extend beyond them.

The question is whether you have the time and expertise to build and maintain that extended coverage.

If you've noticed gaps in your CSPM but don't have bandwidth to build custom tooling, or you've tried and ended up with a fragile collection of scripts that nobody wants to maintain, you're facing a common problem. Sometimes it makes sense to bring in a team that's already built this infrastructure across many environments, rather than reinventing it yourself.


Jon Rose runs IOmergent, advising engineering-led companies on security strategy and managed cloud security operations.