Most breaches don’t need a clever exploit — just a default password, an exposed panel, a leaked secret, or an outdated library. Close the easy doors and patch your dependencies.
Why: a huge share of breaches come from configuration, not code — default credentials, debug mode on in production, verbose errors, exposed admin panels, and open cloud storage — because these are easy to leave and easy to find. When: harden every environment to a known baseline and remove defaults before going live. Where: attackers scan the internet for these constantly, so misconfig is found fast.
Common misconfigurations attackers look for:
[ ] default / weak admin credentials still enabled
[ ] debug mode or stack traces exposed in production
[ ] directory listing on, .git/ or .env reachable over HTTP
[ ] admin panels / actuator / metrics exposed to the internet
[ ] public cloud buckets, over-permissive CORS
[ ] missing security headers (HSTS, CSP, X-Content-Type-Options)
Harden to a baseline (CIS benchmarks); see the System Hardening course.Why: apps are mostly third-party dependencies, and a known CVE in one of them (think Log4Shell) is an exploit attackers already have — so unpatched components are a leading breach cause. When: continuously scan dependencies and update them; you cannot patch what you have not inventoried. Where: automate this in CI so a vulnerable library fails the build.
# Scan your dependencies for known CVEs (run in CI, fail on high severity):
npm audit --audit-level=high # Node.js
pip-audit # Python
# Also: Trivy/Grype for container images, Dependabot/Renovate for auto-PRs.
# Keep an inventory (SBOM) so when the next Log4Shell drops, you know in
# minutes whether you're affected — not days.Why: secrets in code, unencrypted data, and over-shared information hand attackers the keys — API keys committed to git, PII in logs, or data sent over plain HTTP. When: keep secrets out of code (use a secrets manager), encrypt data in transit (TLS) and at rest, and scrub sensitive fields from logs. Where: a leaked secret in git history is exploited within minutes of being pushed.
# Catch secrets BEFORE they're committed (pre-commit hook + CI):
gitleaks detect --source . # scans for keys, tokens, passwords
trufflehog git file://. # deep secret scanning incl. history
# Rules: secrets in a manager (Vault/cloud), not code; TLS everywhere;
# strip PII/tokens from logs; rotate any secret the moment it's exposed.