https://www.secdev.uk/blog/tags/cwe-798/ Recent content in CWE-798 on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 17 Jan 2026 00:00:00 +0000 https://www.secdev.uk/blog/technology/2026-01-17-secrets-in-source-code/ Sat, 17 Jan 2026 00:00:00 +0000 https://www.secdev.uk/blog/technology/2026-01-17-secrets-in-source-code/ <p>Hardcoded credentials are one of the most common and most preventable vulnerability classes out there. API keys, database passwords, encryption keys, and service tokens embedded directly in source code end up in version control, build artifacts, container images, and log files. Once a secret reaches a Git repository, it persists in the history even after the offending line is deleted. When I started researching how often this happens in practice, the numbers were staggering, public reports of leaked credentials on GitHub alone run into the millions per year. In this post I&rsquo;ll cover the patterns that lead to hardcoded secrets, the tools that detect them, and the architecture changes that eliminate them for good.</p> https://www.secdev.uk/blog/technology/2025-04-26-authentication-failures/ Sat, 26 Apr 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-04-26-authentication-failures/ <p>Authentication is the front door of every application, and OWASP A07 documents how often that door is left unlocked. When I started digging into authentication failures, I realised they go far beyond weak passwords, they encompass hardcoded credentials compiled into binaries, brute-force attacks with no rate limiting, password hashes that can be reversed in seconds, and reset flows that hand tokens directly to attackers. These patterns show up in production regularly, sometimes in the same application. This post covers three CWEs across Python, Java, Go, and Rust: CWE-798 (Use of Hard-Coded Credentials), CWE-287 (Improper Authentication), and CWE-307 (Improper Restriction of Excessive Authentication Attempts).</p>