Whatever your level of security knowledge, a few simple actions will immediately improve your software security. They are low-hanging fruit that many companies still leave unpicked. Here are common mistakes others have made and the lesson each one teaches.
Equifax, the credit reporting company, protected an employee portal for its Argentine operation with the username "admin" and the password "admin". Researchers at the security firm Hold Security found the portal and were able to access personal data of more than 100 employees, including names, email addresses and national ID numbers (Argentina's equivalent of the Social Security number).
Make sure no admin account, on any system, keeps its default or trivially guessable credentials (username admin, password admin, or whatever is printed in the product manual). Change them at first login and verify the change actually took: a default account that nobody uses is exactly the one nobody rotates.
A reporter for the St. Louis Post-Dispatch discovered that the Social Security numbers of Missouri teachers were embedded in the HTML source of a website run by the state education department; anyone could read them with the browser's "view source". The newspaper notified the state before publishing. The Governor of Missouri was not grateful and described the newspaper's actions as hacking.
Check that no test credentials, internal notes or sensitive data are hard-coded in frontend code or its comments. Everything served to the browser, including HTML comments and JavaScript bundles, is public.
According to Business Leader, attackers gain access to business servers by exploiting poor practices, above all the use of shared or default passwords. Default credentials, such as the stock Raspberry Pi login or the passwords that ship with Linux images and appliances, are tried first because they so often still work.
If you use CI/CD providers or other external tools and dashboards, make sure none of their built-in accounts still carry default or easily guessed credentials.
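The quickest way to know whether one of your own dashboards still accepts a default login is to ask it. The script below is an added example, not code from the original article: it sends HTTP Basic authentication requests with a short list of well-known default username/password pairs and reports which ones the service accepts. The credential list, the URL and the local target are all assumptions for the demo; the target is a constructed server that deliberately accepts admin:admin so the script runs offline. Point `probe_defaults()` at your own admin panels and CI servers instead, and only at systems you are authorised to test.

```python
"""Audit an HTTP admin endpoint for factory-default credentials.

Added example, not from the original article. It sends HTTP Basic
authentication requests with a short list of well-known default
username/password pairs and reports which pairs the service accepts.
The target shipped with the script is a constructed local server that
deliberately accepts admin:admin, so the demo runs offline; point
probe_defaults() at your own dashboards and CI servers instead, and only
at systems you are authorised to test.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Pairs worth trying against any admin panel (assumed starter list; extend it
# with the documented defaults of the products you actually run).
DEFAULT_CREDS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("pi", "raspberry"),      # Raspberry Pi OS default before 2022
    ("jenkins", "jenkins"),
]


def probe_defaults(url, creds=DEFAULT_CREDS, timeout=3.0):
    """Return the (user, password) pairs that `url` accepts via Basic auth.

    Connection errors propagate on purpose: an unreachable host must not be
    reported as "no default credentials found".
    """
    accepted = []
    for user, password in creds:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = Request(url, headers={"Authorization": f"Basic {token}"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                if 200 <= resp.status < 300:
                    accepted.append((user, password))
        except HTTPError:
            continue  # 401/403 (or any other error status) means "rejected"
    return accepted


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed vulnerable target: accepts admin:admin and nothing else."""

    GOOD = base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == f"Basic {self.GOOD}":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"welcome, admin\n")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Start the constructed target on an ephemeral localhost port.

    Returns (url, server); call server.shutdown() when done.
    """
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}/", server


if __name__ == "__main__":
    url, server = start_demo_server()
    hits = probe_defaults(url)
    for user, password in hits:
        print(f"DEFAULT CREDENTIALS ACCEPTED at {url}: {user}:{password!r}")
    if not hits:
        print(f"no default credentials accepted at {url}")
    server.shutdown()
```

Two design points carry over to real use: a login that returns a 200 with a "wrong password" page instead of a 401 will fool this probe, so for form-based logins check the response body or a post-login redirect rather than the status code alone; and keep the credential list short and product-specific, because a long brute-force list against a production dashboard will trip lockouts and alerts you then have to explain.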
Researchers at CloudSEK found that popular mobile apps leak Amazon Web Services (AWS) credentials, exposing user data and corporate information: roughly 0.5% of the 8,000 apps they examined contained hard-coded AWS API keys.
Verify that no secrets (AWS keys, passwords, API tokens, private keys) are checked into your repositories. Scan the full git history, not just the current tree: a secret deleted in a later commit is still retrievable, so it has to be revoked, not merely removed.
Gitleaks – open-source secret scanner for git repositories and their history; GitLab's built-in Secret Detection is based on it and is available in all GitLab tiers.
TruffleHog – open-source scanner for git history, filesystems and cloud storage that can also verify whether a found credential is still live; a companion Chrome extension flags secrets exposed in websites' JavaScript.
GitHub Secret Scanning – secret scanning alerts for GitHub repositories, free on all public repositories; its push protection can reject a push that contains a known secret format before the secret lands in history.
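The tools above are what you should run, but it helps to see what such a scanner actually does, and why a single technique is not enough. The script below is an added example, not code from the original article or from any of the tools it lists. It combines the three checks a pre-commit hook would run: fixed-format tokens (AWS access key IDs, PEM private-key headers), credential assignments whose value has high Shannon entropy (which catches AWS secret keys and API tokens without a vendor-specific pattern), and credentials or Social Security numbers sitting inside HTML/JS comments that will reach every browser, the Missouri case from earlier on this page. The entropy threshold, the patterns and the sample inputs are assumptions for the demo; the AWS values in the samples are the placeholders from AWS's own documentation, not live keys.

```python
"""Scan source text for hard-coded secrets before it is committed or shipped.

Added example, not from the original article and not from any of the tools
it lists. Three checks: fixed-format tokens, high-entropy credential
assignments, and credentials or SSNs inside comments that ship to browsers.
The sample inputs are constructed; the AWS values in them are the
placeholders from AWS's own documentation, not live keys.
"""
import math
import re
from collections import Counter

KIND_PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "ssn-like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # also hits some phone/IDs; triage
}
# name = value / name: value where the name smells like a credential
ASSIGNMENT = re.compile(
    r"(?i)\b([a-z0-9_]*(?:secret|password|passwd|token|api_?key)[a-z0-9_]*)"
    r"\s*[:=]\s*['\"]?([^'\"\s<>]{8,})"
)
# Comment bodies that ship to the browser: <!-- -->, /* */ and // (not the // in URLs)
COMMENT = re.compile(r"<!--(.*?)-->|/\*(.*?)\*/|(?<!:)//(.*?)$", re.S | re.M)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune per code base


def shannon_entropy(s):
    """Bits of entropy per character of `s` (0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    """Keep enough of a match to locate it without re-leaking the secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 10 else "***"


def scan_text(text, source="<stdin>"):
    """Return sorted findings as (source, line_no, kind, redacted_match) tuples."""
    findings = set()

    def line_of(pos):
        return text.count("\n", 0, pos) + 1

    # 1. Tokens with a fixed, recognisable format.
    for kind, pattern in KIND_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.add((source, line_of(m.start()), kind, redact(m.group(0))))

    # 2. Credential-looking assignments whose value is random enough to be real.
    for m in ASSIGNMENT.finditer(text):
        name, value = m.group(1), m.group(2)
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.add((source, line_of(m.start()),
                          f"high-entropy-{name.lower()}", redact(value)))

    # 3. Anything credential- or SSN-shaped inside a comment, entropy or not:
    #    a low-entropy test password in an HTML comment is still a leak.
    for m in COMMENT.finditer(text):
        body = next(g for g in m.groups() if g is not None)
        if ASSIGNMENT.search(body) or KIND_PATTERNS["ssn-like"].search(body):
            findings.add((source, line_of(m.start()),
                          "sensitive-data-in-comment", redact(body.strip())))
    return sorted(findings)


def scan_file(path):
    """Scan one file on disk (hook this into pre-commit over the staged files)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), path)


# Constructed inputs: an AWS credentials file and a page with leftover debug comments.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
"""
SAMPLE_HTML = """\
<html><body>
<!-- TODO remove before launch: test login user=qa password=testtest1 -->
<script>
  /* staff record kept for debugging; SSN 123-45-6789 */
  const apiBase = "https://example.test/api";
</script>
</body></html>
"""

if __name__ == "__main__":
    for source, text in (("credentials", SAMPLE_CONFIG), ("index.html", SAMPLE_HTML)):
        for src, line, kind, snippet in scan_text(text, source):
            print(f"{src}:{line}: {kind}: {snippet}")
```

Note what each layer catches that the others miss: the access key ID is found by format alone, the secret key only by entropy (its name is not a fixed prefix), and the `password=testtest1` in the HTML comment only by the comment rule, because a low-entropy test password sails past the entropy check. That is why real scanners ship hundreds of vendor patterns and still add entropy and context rules on top.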
A confidential and sensitive U.S. government watchlist, the no-fly list, was leaked after being left on an unsecured, internet-reachable server belonging to a regional airline. The list contains the names of individuals prohibited from flying because of suspected terrorist ties or other security concerns. The airline confirmed the exposure and the incident was reported to U.S. authorities.
Make sure the services you run do not expose ports that do not need to be reachable: databases, CI servers, admin panels and debug endpoints belong behind a VPN or an IP allowlist, not on a public address. Check from outside your network, not only from inside, because that is what an attacker sees.
Censys – a search engine for internet-exposed hosts and services; a free account is enough to see what your own infrastructure shows to the world.
Shodan – a similar search engine; the free tier is limited and most features need a paid plan.
Hyundai's mobile app encrypted its communication with the vehicle using a key pair copied from a public tutorial, with the public key embedded in the app. Because the matching private key was published in the same tutorial, the encryption protected nothing. A software developer spotted the flaw, forged valid requests to the car's systems and could unlock the doors and start the engine remotely.
Never use keys from tutorials, sample code or vendor defaults. Generate a fresh key pair for every environment, keep the private key out of the code base, and remember that a key anyone can look up is not a key.
A study by Beyond Identity found that around 25% of former employees still had access to accounts and email at a past workplace, and more than 41% admitted to having shared their login credentials.
Revoke access promptly when people leave or change roles, and review on a schedule who still has access to which tools; every stale account is attack surface you are paying for but not watching.
Consider Single Sign-On for all your services, for example Google Sign-in, so that disabling one identity removes access everywhere at once instead of tool by tool.
Download our free ebook and get access to the best security practices and tools.