Missingsecurityheaders(CSP, HSTS,etc.)Lack ofratelimiting onAPIsOutdateddependencywith knownCVEsNo inputvalidationon userinput“It works onmy machine”response tosecurityconcernsMergingcode withcriticalsecurityissuesLoggingsensitivedata inplaintext"We don’thave timefor security"excuseDefaultpasswordsstill in useOpen sourcelibrarywithout asecurityreviewDisabledMFA onan adminaccountLack ofRBAC(everyone isan admin)Hardcodedcredentialsin sourcecodeUnencrypteddatabasestorage forPIIExposingsensitiveenvironmentvariables inlogsNo loggingor monitoringfor securityeventsUnpatchedcriticalvulnerabilityin productionUsingeval() inproductioncodePublic S3bucket withsensitivedataDeveloperssharingpasswordsviaSlack/emailSQL querywithoutparameterizedinputsIgnoringsecuritywarnings independencyscansAPI keyexposedin a publicrepositoryNo securitytesting inCI/CDpipelineMissingsecurityheaders(CSP, HSTS,etc.)Lack ofratelimiting onAPIsOutdateddependencywith knownCVEsNo inputvalidationon userinput“It works onmy machine”response tosecurityconcernsMergingcode withcriticalsecurityissuesLoggingsensitivedata inplaintext"We don’thave timefor security"excuseDefaultpasswordsstill in useOpen sourcelibrarywithout asecurityreviewDisabledMFA onan adminaccountLack ofRBAC(everyone isan admin)Hardcodedcredentialsin sourcecodeUnencrypteddatabasestorage forPIIExposingsensitiveenvironmentvariables inlogsNo loggingor monitoringfor securityeventsUnpatchedcriticalvulnerabilityin productionUsingeval() inproductioncodePublic S3bucket withsensitivedataDeveloperssharingpasswordsviaSlack/emailSQL querywithoutparameterizedinputsIgnoringsecuritywarnings independencyscansAPI keyexposedin a publicrepositoryNo securitytesting inCI/CDpipeline

Software Engineering COP Bingo - Call List

(Print) Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, tally mark, etc) on each cell as you announce it, to keep track. You can also cut out each item, place them in a bag and pull words from the bag.


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
  1. Missing security headers (CSP, HSTS, etc.)
  2. Lack of rate limiting on APIs
  3. Outdated dependency with known CVEs
  4. No input validation on user input
  5. “It works on my machine” response to security concerns
  6. Merging code with critical security issues
  7. Logging sensitive data in plaintext
  8. "We don’t have time for security" excuse
  9. Default passwords still in use
  10. Open source library without a security review
  11. Disabled MFA on an admin account
  12. Lack of RBAC (everyone is an admin)
  13. Hardcoded credentials in source code
  14. Unencrypted database storage for PII
  15. Exposing sensitive environment variables in logs
  16. No logging or monitoring for security events
  17. Unpatched critical vulnerability in production
  18. Using eval() in production code
  19. Public S3 bucket with sensitive data
  20. Developers sharing passwords via Slack/email
  21. SQL query without parameterized inputs
  22. Ignoring security warnings in dependency scans
  23. API key exposed in a public repository
  24. No security testing in CI/CD pipeline