It's sad some weeks to see reports of security issues at large companies. It's also discouraging some times when clients or friends will talk about security issues they've had in their organization. What's mostly disappointing is how easy many of these issues would have been to prevent with a little effort.
Joey D'Antoni made some fun of this with his Data Breach Game. It's a bingo card you can print out and use the next time you hear about an issue. My guess is most of us could win this in about a week with the general state of security in most places. Some of you might win this in a day with inside knowledge.
This is poking a little fun at the poor security practices of many places. There's a wider article about 9 poor security practices you can read, with some notes about what you should be doing instead. When you read it, you'll wonder why hasn't someone just made these simple changes and dramatically improved security? I have asked myself that many times when I've seen some environments.
Ultimately, no one wants bad security, but we (as a group) often make poor choices because we're in a hurry. We can, and should to better. All of the items on this list can be avoided, and should be. Even the complexities of SQL Injection can be fixed with a little code refactoring. No time or that's too hard? You should be building software in a Compliant Database DevOps manner.
I like the list, though I wish ElasticSearch where on there in number 6 with MongoDB. Too many breaches this year from people dropping that server on their network without a password because they need full text searching of data. Don't make that mistake. Always, always, always set a password on data resources. Developer or partner complaints aren't worth the risk of losing data from an unsecured server.