- Logging passwords/confidential information.
- Committing and hardcoding passwords/confidential information into source control.
- Sharing passwords through Teams/Slack/Confluence instead of a shared password manager.
- Not locking down your API by user-based roles and access needs.
- Your API can be gamified and a user can get information on another user that they shouldn't be able to see.
- Not removing users once they have left the business.
After working in multiple companies, I can say I've seen every single one of these at least once throughout my career, and I make a conscious effort to avoid them.
Things that help alleviate this:
- Using a tool like SonarQube that will monitor and notify you on any security vulnerabilities and credential leaks.
- Using git filter-repo, which lets you remove files with sensitive data from git history.
- Using a shared password manager such as Azure Key Vault to easily rotate and share keys and secrets.
- Using a third party identity management solution like Microsoft Entra to handle roles/access to resources.
- Auditing and alerting on user actions throughout your application for malicious activity using something like Microsoft Sentinel.
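As an added example (not part of the original post or of any tool it names), here is a short Python sketch of two of the listed pitfalls next to their fixes: an API handler that returns any user's record to any authenticated caller versus one that enforces object-level authorization, and a logging filter that redacts credential-like fields before a careless log call can write a password. The users, field names, the `support` role and the redaction pattern are all constructed for illustration.

```python
"""Added example (not from the original post): two of the listed pitfalls,
each shown in a 'before' and an 'after' form.

1. Object-level authorization on an API endpoint: the weak handler hands any
   user's record to any authenticated caller; the hardened handler checks that
   the caller owns the record or holds a role that permits the access.
2. Logging: a logging.Filter that redacts credential-like key=value pairs
   before a record reaches any handler.

All users, roles and field names below are constructed for the example.
"""
import io
import logging
import re
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


# Constructed sample data standing in for a user store.
USERS = {
    "u1": {"user_id": "u1", "email": "alice@example.test", "ssn_last4": "1234"},
    "u2": {"user_id": "u2", "email": "bob@example.test", "ssn_last4": "9876"},
}


def get_profile_weak(caller: User, target_id: str) -> dict:
    """'Before': the caller is authenticated, but nothing checks that they
    may read target_id, so any user can walk through other users' profiles."""
    return USERS[target_id]


def get_profile_hardened(caller: User, target_id: str) -> dict:
    """'After': object-level authorization. A user may read their own record;
    only the (constructed) 'support' role may read another user's record."""
    if target_id not in USERS:
        raise KeyError(target_id)  # would be a 404 in a real API
    if caller.user_id != target_id and "support" not in caller.roles:
        raise Forbidden(f"{caller.user_id} may not read profile {target_id}")
    return USERS[target_id]


# --- logging: redact secrets before they are written ---

# Constructed pattern: key=value or key: value for common credential names;
# the value may be quoted or a 'Bearer <token>' pair.
_SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token|authorization)\b"
    r"(\s*[=:]\s*)(\"[^\"]*\"|'[^']*'|(?:bearer\s+)?\S+)"
)


def redact(text: str) -> str:
    """Replace the value part of any credential-like key=value pair."""
    return _SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Scrubs the fully rendered message so no handler sees the raw secret."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; prevent a second formatting pass
        return True


def build_logger(stream) -> logging.Logger:
    """Logger whose single handler runs every record through RedactingFilter."""
    logger = logging.getLogger("api.redacted")
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.propagate = False
    return logger


def log_and_capture(msg: str, *args) -> str:
    """Log one line through the redacting logger and return what was written."""
    buf = io.StringIO()
    build_logger(buf).info(msg, *args)
    return buf.getvalue().strip()


if __name__ == "__main__":
    bob = User("u2")
    print(get_profile_weak(bob, "u1")["email"])  # leaks alice's record
    try:
        get_profile_hardened(bob, "u1")
    except Forbidden as e:
        print("blocked:", e)
    print(log_and_capture("login attempt user=%s password=%s", "alice", "hunter2"))
```

The authorization check belongs in the handler (or a shared decorator), not in the client, and the redaction filter is a safety net rather than a substitute for not passing secrets to log calls in the first place.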