
Software Engineering COP Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, a tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place the pieces in a bag and pull words from the bag.


  1. Lack of RBAC (everyone is an admin)
  2. Merging code with critical security issues
  3. Public S3 bucket with sensitive data
  4. “It works on my machine” response to security concerns
  5. Outdated dependency with known CVEs
  6. No input validation on user input
  7. Exposing sensitive environment variables in logs
  8. Using eval() in production code
  9. Disabled MFA on an admin account
  10. Default passwords still in use
  11. No security testing in CI/CD pipeline
  12. Ignoring security warnings in dependency scans
  13. Hardcoded credentials in source code
  14. Developers sharing passwords via Slack/email
  15. Unpatched critical vulnerability in production
  16. API key exposed in a public repository
  17. Unencrypted database storage for PII
  18. Missing security headers (CSP, HSTS, etc.)
  19. No logging or monitoring for security events
  20. SQL query without parameterized inputs
  21. Open source library without a security review
  22. Logging sensitive data in plaintext
  23. Lack of rate limiting on APIs
  24. "We don’t have time for security" excuse
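Item 20 on the call list (SQL query without parameterized inputs) is the one most easily shown in working code. The following is an added example and is not part of the bingo page itself: it seeds an in-memory SQLite table with constructed sample users (the names, addresses and the `INJECTION_PAYLOAD` string are all made up for the demonstration) and runs the same username lookup written two ways, once with the value spliced into the SQL text and once with it bound as a parameter, so the difference in behaviour under a hostile input can be observed directly.

```python
"""Added example for call item 20: unparameterized vs. parameterized SQL.

Not part of the original call list. Uses an in-memory SQLite database with
constructed sample rows; no real system or data is involved.
"""
import sqlite3

# Constructed sample data, invented for this example.
SAMPLE_USERS = [
    ("alice", "alice@example.com", 0),
    ("bob", "bob@example.com", 0),
    ("root", "root@example.com", 1),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """The anti-pattern: the caller-supplied value is spliced into the SQL text.

    Whatever the caller passes becomes part of the query grammar, so a
    username containing a quote character can change what the query does.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """The fix: the value is bound as a parameter.

    The driver hands the SQL text and the value to SQLite separately; the
    username is never parsed as SQL, so quotes inside it are just data.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Constructed tautology payload: closes the string literal and appends a
# condition that is always true.
INJECTION_PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups with a benign and a malicious username."""
    conn = make_db()
    return {
        "benign_vulnerable": lookup_vulnerable(conn, "alice"),
        "benign_parameterized": lookup_parameterized(conn, "alice"),
        # Every row comes back: the WHERE clause became  username = 'x' OR '1'='1'
        "attack_vulnerable": lookup_vulnerable(conn, INJECTION_PAYLOAD),
        # No rows come back: no user is literally named  x' OR '1'='1
        "attack_parameterized": lookup_parameterized(conn, INJECTION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running the script prints one row for the benign name under both versions, all three sample rows for the payload under the string-formatted version, and an empty result for the payload under the parameterized version. The same split applies to any driver that supports bound parameters; the query text is written once and the user data never reaches the SQL parser.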