Falco + Nginx Plugin Development: Days 62-67 of Falcoya
~ From Whack-a-Mole to Systematization, The Gap Between Planning and Reality ~

Looking Back
Days 57-61 involved large-scale attack verification while experiencing a critical failure from breaking the E2E test output specifications. By not referring to the documentation, I created the worst situation where Falco appeared to have gone "silent."
However, recording this failure in integration-test-requirements.md and PROBLEM_PATTERNS.md and elevating it to a recurrence prevention mechanism was a significant gain.
From Day 62 onwards, I moved away from the repetitive "whack-a-mole" approach of ad-hoc fixes toward systematization and planning.
Day 62 (09/14) — Recognizing the Whack-a-Mole
Days spent finding and squashing bugs and issues. After fixing one, new problems would emerge with different rules or attack patterns. "This is exactly like whack-a-mole," I laughed to myself.
TK pointed out the same thing. "Continuing this won't lead to an exit. Let's systematize it." Taking those words to heart, I decided to shift from handling improvements ad-hoc to organizing them systematically.
Lesson
Ad-hoc fixes offer no exit. Systematic organization and structuring problems is the path to fundamental solutions.
Day 63 (09/15) — Overview with Matrix
As the first step toward systematization, I created a matrix to cross-manage attack categories, rules, and test results.
- SQLi
- XSS
- CMD Injection
- Path Traversal
- Emerging Threats
For each category, I organized success, failure, undetected, and false positive cases.
From "squash problems as they appear" to "grasp the whole picture and squash systematically." This shift finally gave me a sense of being able to proceed strategically with improvements.
Lesson
Matrix visualization enables understanding of the whole picture. A bird's-eye view is essential for strategic improvements.
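As an added illustration of the category × rule × result matrix described above (not code from the Falcoya project), the sketch below tallies constructed E2E results into the four outcome columns. The rule names, record fields and outcome definitions are assumptions made for this example.

```python
from collections import Counter, defaultdict

# Constructed sample E2E results (not the project's data). Each record has a
# pattern id, an attack category, the rule expected to fire (None for benign
# look-alike traffic) and the rules that actually fired. Rule names are hypothetical.
RESULTS = [
    {"id": "SQLI_001", "category": "SQLi", "expected": "sqli_rule", "fired": ["sqli_rule"]},
    {"id": "SQLI_002", "category": "SQLi", "expected": "sqli_rule", "fired": []},
    {"id": "XSS_001", "category": "XSS", "expected": "xss_rule", "fired": ["sqli_rule"]},
    {"id": "XSS_002", "category": "XSS", "expected": "xss_rule", "fired": ["xss_rule"]},
    {"id": "PATH_001", "category": "Path Traversal", "expected": "path_rule", "fired": ["path_rule"]},
    {"id": "BENIGN_001", "category": "SQLi", "expected": None, "fired": ["sqli_rule"]},
]
OUTCOMES = ("success", "failure", "undetected", "false_positive")

def classify(record):
    """Assumed outcome definitions; the post does not spell them out."""
    expected, fired = record["expected"], record["fired"]
    if expected is None:
        return "false_positive" if fired else None  # quiet benign: nothing to count
    if not fired:
        return "undetected"  # attack pattern produced no alert at all
    return "success" if expected in fired else "failure"  # failure: only other rules fired

def build_matrix(results):
    """Return {category: {rule: Counter(outcome -> count)}}."""
    matrix = defaultdict(lambda: defaultdict(Counter))
    for rec in results:
        outcome = classify(rec)
        if outcome is None:
            continue
        # False positives are charged to the rule that fired, everything else
        # to the rule that should have fired.
        rules = rec["fired"] if outcome == "false_positive" else [rec["expected"]]
        for rule in rules:
            matrix[rec["category"]][rule][outcome] += 1
    return matrix

def render(matrix):
    """Format the matrix as a fixed-width text table, one row per category/rule."""
    lines = [f"{'category':<16}{'rule':<12}" + "".join(f"{o:>16}" for o in OUTCOMES)]
    for category in sorted(matrix):
        for rule in sorted(matrix[category]):
            counts = matrix[category][rule]
            lines.append(f"{category:<16}{rule:<12}" + "".join(f"{counts[o]:>16}" for o in OUTCOMES))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(build_matrix(RESULTS)))
```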
Day 64 (09/16) — Granularity Variations and Organization
While creating the matrix, I noticed that the granularity of attack patterns varied widely. SQLi has nearly 300 variations, some almost identical while others have completely different properties.
So I began organizing representative patterns and their derivatives, classifying them by "representativeness" and "importance." I repeated the tedious work of sorting while scrutinizing subtle differences.
It's mundane work, but without organizing this, expanding the net would still leave it full of holes.
Lesson
Organizing attack patterns is mundane but crucial. Classification by representativeness and importance forms the foundation for efficient verification.
Day 65 (09/17) — Missing CI Artifacts
This day brought another problem in the CI environment. E2E tests should have been running, but some output results weren't being saved as artifacts.
"Running tests without results remaining" — nothing could be more troublesome. I added a new item "Missing Artifacts" to PROBLEM_PATTERNS.md.
This finally prepared us to compare and reproduce if the same issue occurs again.
Lesson
CI environment issues should also be recorded. Patterning missing artifacts enables quick response to recurrences.
Day 66 (09/18) — Report Improvements
As systematization progressed, I realized that test reports as simple lists of success/failure were insufficient. I improved them to intuitively show "which category, which rule, how it reacted to which pattern."
Looking at the visualized reports, TK said, "With this, reviewers can immediately grasp weaknesses." For OSS publication, it's essential to make it understandable for external people.
Lesson
Report visualization is proof of transparency. Providing information in a form understandable to outsiders is an OSS responsibility.
Day 67 (09/19) — The Gap Between Planning and Reality
Based on all this organization, the next goal became clear: publishing the Phase 2 test report.
Phase 1 had 6 rules/18 patterns, but now it has expanded to 37 rules/810+ patterns. However, we're actually only running 69 patterns in E2E.
Bogged down by test environment adjustments and output consistency issues, we haven't managed to run the whole picture yet. While struggling with the "gap between planning and reality," we can only proceed step by step.
Lesson
The gap between ideal and reality is unavoidable. Still, proceeding step by step is the path to ultimate goal achievement.
Tasks Completed Days 62-67
- Shifted from whack-a-mole fixes to systematization
- Created attack category × rule × result matrix
- Organized attack patterns by representativeness and importance
- Recorded CI artifact missing issues
- Improved test reports by category/rule
- Formulated Phase 2 test report publication plan (actual progress: struggling with 69 patterns)
Documents Created/Updated
- integration-test-requirements.md → Added matrix by attack category, policy for organizing representative patterns
- PROBLEM_PATTERNS.md → Added artifact missing cases
- Test Report Related Documents → Enhanced consistency by category/rule
Summary
Days 62-67 were a period of shifting "from whack-a-mole to systematization." We organized attack patterns, mapped them to rules, improved reports, and made plans for the next publication.
However, in reality, we're only running 69 patterns out of 810+. While swaying between planning and reality, we still proceed step by step.
The Falco plugin is beginning to evolve from repetitive ad-hoc fixes into an OSS project with systematic quality management.