
Software Engineering COP Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place a mark (an X, a checkmark, a dot, a tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place the slips in a bag and draw words from the bag.

  1. Public S3 bucket with sensitive data
  2. No security testing in CI/CD pipeline
  3. Logging sensitive data in plaintext
  4. Lack of RBAC (everyone is an admin)
  5. "We don’t have time for security" excuse
  6. Ignoring security warnings in dependency scans
  7. Default passwords still in use
  8. Unpatched critical vulnerability in production
  9. Developers sharing passwords via Slack/email
  10. API key exposed in a public repository
  11. No input validation on user input
  12. Disabled MFA on an admin account
  13. Open source library without a security review
  14. Hardcoded credentials in source code
  15. SQL query without parameterized inputs
  16. Using eval() in production code
  17. “It works on my machine” response to security concerns
  18. Outdated dependency with known CVEs
  19. Exposing sensitive environment variables in logs
  20. Lack of rate limiting on APIs
  21. Unencrypted database storage for PII
  22. No logging or monitoring for security events
  23. Missing security headers (CSP, HSTS, etc.)
  24. Merging code with critical security issues