
Software Engineering COP Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place them in a bag and pull words from the bag.

  1. No security testing in CI/CD pipeline
  2. “It works on my machine” response to security concerns
  3. Developers sharing passwords via Slack/email
  4. SQL query without parameterized inputs
  5. Missing security headers (CSP, HSTS, etc.)
  6. "We don’t have time for security" excuse
  7. No input validation on user input
  8. API key exposed in a public repository
  9. Using eval() in production code
  10. Default passwords still in use
  11. Disabled MFA on an admin account
  12. No logging or monitoring for security events
  13. Unpatched critical vulnerability in production
  14. Lack of RBAC (everyone is an admin)
  15. Logging sensitive data in plaintext
  16. Outdated dependency with known CVEs
  17. Ignoring security warnings in dependency scans
  18. Lack of rate limiting on APIs
  19. Hardcoded credentials in source code
  20. Open source library without a security review
  21. Public S3 bucket with sensitive data
  22. Exposing sensitive environment variables in logs
  23. Unencrypted database storage for PII
  24. Merging code with critical security issues