
Software Engineering COP Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place them in a bag and pull words from the bag.


  1. Logging sensitive data in plaintext
  2. No logging or monitoring for security events
  3. No security testing in CI/CD pipeline
  4. Public S3 bucket with sensitive data
  5. Unpatched critical vulnerability in production
  6. API key exposed in a public repository
  7. Using eval() in production code
  8. Exposing sensitive environment variables in logs
  9. Open source library without a security review
  10. Lack of RBAC (everyone is an admin)
  11. Outdated dependency with known CVEs
  12. Lack of rate limiting on APIs
  13. Disabled MFA on an admin account
  14. No input validation on user input
  15. "We don’t have time for security" excuse
  16. Hardcoded credentials in source code
  17. Missing security headers (CSP, HSTS, etc.)
  18. Developers sharing passwords via Slack/email
  19. Ignoring security warnings in dependency scans
  20. “It works on my machine” response to security concerns
  21. Merging code with critical security issues
  22. SQL query without parameterized inputs
  23. Default passwords still in use
  24. Unencrypted database storage for PII