
Software Engineering COP Bingo - Call List

(Print) Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, a tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place the slips in a bag and pull items from the bag.


  1. Missing security headers (CSP, HSTS, etc.)
  2. Merging code with critical security issues
  3. Developers sharing passwords via Slack/email
  4. No logging or monitoring for security events
  5. Using eval() in production code
  6. Logging sensitive data in plaintext
  7. Default passwords still in use
  8. Unpatched critical vulnerability in production
  9. Outdated dependency with known CVEs
  10. Ignoring security warnings in dependency scans
  11. No validation of user-supplied input
  12. Lack of RBAC (everyone is an admin)
  13. SQL query without parameterized inputs
  14. Disabled MFA on an admin account
  15. API key exposed in a public repository
  16. Unencrypted database storage for PII
  17. No security testing in CI/CD pipeline
  18. Hardcoded credentials in source code
  19. Lack of rate limiting on APIs
  20. Exposing sensitive environment variables in logs
  21. “We don’t have time for security” excuse
  22. Open source library without a security review
  23. Public S3 bucket with sensitive data
  24. “It works on my machine” response to security concerns