DEV Community

Cover image for What Are Some of the Worst Security Practices You’ve Ever Seen in Software Development? staff for The DEV Team

Posted on with Erin A Olinick

What Are Some of the Worst Security Practices You’ve Ever Seen in Software Development?

Was it a cringe-worthy password on a post-it note, a poorly secured database, or a misconfigured server? 😢 What are some of the biggest security mistakes you've seen in your career? And don't forget to share your tips on how to avoid these mistakes!

Join the conversation and follow the DEV Team for more thought-provoking discussions!

Image by pch.vector on Freepik.

Top comments (13)

bradtaniguchi profile image

Direct usage of eval used on end user input to perform basic math, from within nodejs.

Not only did this mean allowing users to perform "remote code execution", but to even get eval required bypassing codebase checks.

The worst part was this was being performed by a "senior" developer and part of an app that would rely heavily on end user input. They got demoted from the project soon after and we removed the offending code.

kalkwst profile image
Kostas Kalafatis

A production, internet facing database, with credentials "admin" 12345 🥲

pcjmfranken profile image
Peter Franken

The very recent oopsie whoopsie by Google has got to be one of the very worst ever:

Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.


Google has since announced that they have plans to offer proper encryption "down the line" 🤠


mistval profile image

Wow, welp, I was interested in using this feature but if it's not encrypted on-device with my own keys, then no thanks, I'll just continue keeping a pile of recovery codes in my safe deposit box.

san5431 profile image
Gary Lee • Edited

Once worked on a CMS project. Some content are sensitive so there was a requirement to perform IP checking to make sure users can only access those sensitive content inside the office.
A senior guy implemented this requirement in this way: When the user's IP is not inside the office, add a display: none css style to the content.

aarone4 profile image
Aaron Reese

Order tracking website where the user account was a URL parameter with no password/token. You could see order details for any and all of their customers including delivery address and what was in the order.

dhanushnehru profile image
Dhanush N
  • Making the security of database accessible to all the services instead of only the services needing database access.
  • Making the website vulnerable to clickjacking , and cross forgery attack etc

And a lot more, if I have to say I can keep on saying as I have read and seen a lot

jcubic profile image
Jakub T. Jankiewicz

I once was fixing PHP site where there was a login page but other php pages did not check if user was logged, and "hidden" pages were trivial to guess. The site was created by some high schooler and other not related high schoolers (probbaly) was messing with the site without the admin password or a need to login. The owner said that the images that he upload was disappearing, it was funny actally to see why by looking at the code.

alohci profile image
Nicholas Stimpson

Not actually software development, but back in the last millennium I was once inducted into a company IT team where the network administration password was a four letter dictionary word.

shahab96 profile image
Shahab Dogar

I've seen database credentials passed into clients as variables with the actual secret values in comments next to them.

aarone4 profile image
Aaron Reese

VBA code running a direct SQL query using the sa user account (and unencrypted password)for the connection.

cloutierjo profile image
cloutierjo • Edited

An sso protected web site where you could bypass the sso by adding 'username=any user' in the url

yn profile image

Access control on client side, not server side, in in-house application. Could be bypassed by loading binary and calling client proxy functions directly.