Project ideas from Hacker News discussions.

Sleeper Shells: Attackers Are Planting Dormant Backdoors in Ivanti EPMM

📝 Discussion Summary

Three prevailing themes

1. Ivanti is a security liability
   Key idea: Users see the company’s products as dangerous, even “malware dressed‑up as security solutions.”
   Supporting quotes:
  • mmsc: “Every single Ivanti product (including their SSL‑VPN) should be considered a critical threat.”
  • mmsc: “These companies should be shut down in the name of national security, seriously.”

2. The industry sells illusion through checklists and insurance
   Key idea: Cyber‑security firms are judged by compliance boxes, not by real protection; lawsuits and liability are murky.
   Supporting quotes:
  • Nextgrid: “The purpose of cybersecurity products and companies is not to sell security… it’s to sell the illusion of security.”
  • strbean: “In most cases, you can’t evade liability for negligence that results in personal injury.”
  • bootsmann: “Insurance doesn’t pay out if you don’t self‑report in time.”

3. Real security requires engineering, not off‑the‑shelf fixes
   Key idea: Automation and a security‑by‑design mindset are needed; checklists alone are insufficient.
   Supporting quotes:
  • RGamma: “There need to be much more powerful automated tools.”
  • nostrademons: “Real security isn’t something that a checklist can guarantee.”
  • w10‑1: “You are asserting that security has to be hand‑crafted.”

These three threads—Ivanti’s perceived danger, the industry’s reliance on compliance, and the call for genuine engineering—dominate the discussion.


🚀 Project Ideas

Vendor Security Scorecard

Summary

  • A SaaS platform that automatically audits third‑party security products (e.g., Ivanti, Fortinet) for known vulnerabilities, verifies vendor claims, and assigns a transparent security score.
  • Provides actionable evidence for procurement, compliance, and insurance underwriting, turning opaque “security” claims into measurable data.

Details

Key | Value
Target Audience | SMB security teams, compliance officers, insurance underwriters
Core Feature | Automated static/dynamic analysis, CVE mapping, claim verification, scorecard & evidence export
Tech Stack | Go/Python, Docker, OWASP ZAP, Snyk API, PostgreSQL, React
Difficulty | Medium
Monetization | Revenue‑ready: tiered subscription per vendor audit

Notes

  • HN commenters lament that “real security isn’t something that a checklist can guarantee” and that “you have to build it into the product architecture.” This tool gives a concrete metric instead of vague checklists.
  • It fuels discussion on whether vendors can be held accountable and provides a practical way for small startups to vet expensive security solutions.

Enterprise App Sandbox

Summary

  • A lightweight, policy‑driven sandbox that automatically runs enterprise applications (MDM, endpoint managers, etc.) with minimal filesystem and network access, enforcing least privilege at runtime.
  • Eliminates the risk of “full filesystem access and network for anything” and reduces the attack surface for vulnerable vendors.

Details

Key | Value
Target Audience | IT admins, security engineers in mid‑size companies
Core Feature | Auto‑detect app binaries, apply SELinux/AppArmor profiles, network isolation, real‑time monitoring
Tech Stack | Linux containers, Kata Containers, SELinux, AppArmor, Go, Grafana
Difficulty | High
Monetization | Hobby (open‑source core, optional paid support)

Notes

  • Users complained that “Gave up configuring SELinux years ago because it was too time‑consuming.” This tool automates that process.
  • Sparks debate on whether “secure software components that only work when assembled in secure ways” can be enforced automatically.

Compliance Evidence Generator

Summary

  • A continuous‑integration‑friendly service that maps insurance or regulatory checklists to automated tests, collects evidence, and generates audit‑ready reports.
  • Turns the “checklist” burden into a repeatable, low‑friction workflow, especially for startups that “have no network engineer on staff.”

Details

Key | Value
Target Audience | Startups, compliance teams, small‑to‑mid‑size enterprises
Core Feature | Checklist‑to‑test mapping, IaC integration, evidence capture, audit trail
Tech Stack | Python, Terraform, GitHub Actions, SQLite, Flask
Difficulty | Medium
Monetization | Revenue‑ready: freemium with paid audit‑reporting add‑ons

Notes

  • Reflects the frustration that “checklists are the bane of my existence” and that many requirements “do not actually add any level of security.”
  • Provides a practical utility for teams to prove compliance without hiring a full‑time security engineer.
