CyberSecCord

No shades to developers, but a lot of them genuinely don’t realize they need to factor in security best practices during development. A few years back, I was contracted to perform a penetration test for a bank. They were under pressure to release a their new application immediately, management had ordered a go-live, and they had less than 48 hours or so before meeting the Change Advisory Board (CAB). Normally, before I start testing any application, I interact with all the functionalities, from registration to the last user flow, just to understand the system before I start analyzing each request and response in burp. After exploring the app, I opened my HTTP history & began reviewing the requests. I checked the first, second, & third endpoints after login, & I mumbled to myself: “Wait… what’s going on here? Where’s the Authorization header? Are they using a different type of header or what?” Shockingly, all thirty-something API endpoints after login had no authorization header whatsoever. Meaning: any random person on the internet could call something like /dashboard/users and get a 200 OK response filled with sensitive data. You could view, modify, or delete data freely, zero authorization checks. I reported it immediately. They added me to a call, I shared my screen, and walked them through the issue. The backend developer went silent for a moment… then turned to the PM and said: “Why are you just telling me this now? Why didn’t you inform me from the start that it was a requirement?” I swear to God I couldn’t believe my ears. I was so pissed, I unmuted and said: “Even if the PM didn’t give you any ‘security requirement,’ shouldn’t you already know that you’re supposed to authenticate first and authorize every subsequent API call?” He later apologized, explaining that he hadn’t slept for three days trying to meet the release deadline. He promised to fix it immediately. Many developers still treat security like a thing that needs to be handed to them before they take it seriously.