
Software Engineering COP Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (an X, a checkmark, a dot, a tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place the slips in a bag, and draw them from the bag.


  1. No input validation on user input
  2. Default passwords still in use
  3. Open source library without a security review
  4. “It works on my machine” response to security concerns
  5. SQL query without parameterized inputs
  6. No security testing in CI/CD pipeline
  7. Ignoring security warnings in dependency scans
  8. No logging or monitoring for security events
  9. Developers sharing passwords via Slack/email
  10. Outdated dependency with known CVEs
  11. Using eval() in production code
  12. Unpatched critical vulnerability in production
  13. Lack of rate limiting on APIs
  14. “We don’t have time for security” excuse
  15. Public S3 bucket with sensitive data
  16. Disabled MFA on an admin account
  17. Lack of RBAC (everyone is an admin)
  18. Exposing sensitive environment variables in logs
  19. API key exposed in a public repository
  20. Unencrypted database storage for PII
  21. Hardcoded credentials in source code
  22. Logging sensitive data in plaintext
  23. Merging code with critical security issues
  24. Missing security headers (CSP, HSTS, etc.)
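
As an added example (not part of the bingo card or its call list), here are two of the squares beside their fixes so players can see why they are on the card: item 5 (SQL query without parameterized inputs) and item 11 (using eval() in production code). The Python below uses an in-memory SQLite table constructed for the demo; the `users` table, the `alice` account and the function names are assumptions made for illustration only.

```python
import ast
import sqlite3


def make_db():
    # Constructed sample data for the demo: one user in an in-memory SQLite table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Item 5: the query is assembled by string formatting, so attacker-controlled
    # text becomes part of the SQL statement itself.
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    # Parameterized query: the driver sends the values separately from the
    # statement text, so quotes in the input can never change the query's shape.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def parse_setting_vulnerable(text):
    # Item 11: eval() on untrusted text runs arbitrary Python with the
    # process's privileges.
    return eval(text)


def parse_setting_safe(text):
    # ast.literal_eval accepts only literals (numbers, strings, tuples, lists,
    # dicts, booleans, None) and raises ValueError on calls, attribute access
    # or any other executable construct.
    return ast.literal_eval(text)


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    print("vulnerable login with bypass:", login_vulnerable(db, "nobody", bypass))
    print("parameterized login with bypass:", login_safe(db, "nobody", bypass))
    print("eval on a literal:", parse_setting_vulnerable("{'retries': 3}"))
    try:
        parse_setting_safe("__import__('os').getpid()")
    except ValueError as exc:
        print("literal_eval rejected code:", exc)
```

With the bypass string, the vulnerable query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the login succeeds with no valid password. The parameterized version compares the literal text `' OR '1'='1` against the stored password and fails. The same distinction holds for `eval()`: a configuration value that only needs to be a literal can be parsed with `ast.literal_eval`, which refuses anything that would execute.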