
Software Engineering COP Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (an X, a checkmark, a dot, a tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place the slips in a bag, and draw words from the bag.


  1. Using eval() in production code
  2. Unpatched critical vulnerability in production
  3. "We don’t have time for security" excuse
  4. Developers sharing passwords via Slack/email
  5. Outdated dependency with known CVEs
  6. SQL query without parameterized inputs
  7. Exposing sensitive environment variables in logs
  8. No input validation on user input
  9. Missing security headers (CSP, HSTS, etc.)
  10. Lack of RBAC (everyone is an admin)
  11. Default passwords still in use
  12. Disabled MFA on an admin account
  13. Ignoring security warnings in dependency scans
  14. No security testing in CI/CD pipeline
  15. No logging or monitoring for security events
  16. Open source library without a security review
  17. “It works on my machine” response to security concerns
  18. Unencrypted database storage for PII
  19. Logging sensitive data in plaintext
  20. Hardcoded credentials in source code
  21. Public S3 bucket with sensitive data
  22. Lack of rate limiting on APIs
  23. API key exposed in a public repository
  24. Merging code with critical security issues