
Software Engineering COP Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place them in a bag and pull words from the bag.


  1. Missing security headers (CSP, HSTS, etc.)
  2. Exposing sensitive environment variables in logs
  3. No security testing in CI/CD pipeline
  4. Unencrypted database storage for PII
  5. Developers sharing passwords via Slack/email
  6. Ignoring security warnings in dependency scans
  7. “It works on my machine” response to security concerns
  8. Hardcoded credentials in source code
  9. SQL query without parameterized inputs
  10. API key exposed in a public repository
  11. No logging or monitoring for security events
  12. Unpatched critical vulnerability in production
  13. Lack of rate limiting on APIs
  14. Using eval() in production code
  15. Logging sensitive data in plaintext
  16. Disabled MFA on an admin account
  17. Default passwords still in use
  18. Open source library without a security review
  19. Lack of RBAC (everyone is an admin)
  20. Outdated dependency with known CVEs
  21. “We don’t have time for security” excuse
  22. Merging code with critical security issues
  23. Public S3 bucket with sensitive data
  24. No input validation on user input