Hacker News: atticusCr's comments

I (the author) am a native Spanish speaker (Costa Rica), so thanks for your patience reading the article :)


How about using a hardening guide such as CIS as part of the build process?


Although it is easier to see the benefits of using JSON as an interchange format because it is lightweight, I still believe that XML is more elegant and verbose than JSON. One of the complaints about JSON has been the lack of schemas, although there are some ways around that in projects such as Apache Avro https://avro.apache.org/, registry schemas and all that jazz.


I do not see PowerShell in there either, and we are aware of the exponential growth of the language for writing malware.


OWASP Open Security Summit is happening this week.


I didn't know that Google Analytics ever existed in the 90's!


That's actually, IMHO, a good asset that comes out of good test and code coverage. I would be worried if, after adding a new piece of code or modifying existing code, there is not a test that tells me that something is broken due to my code.

Here is where testing becomes very helpful.


The author does not cover any question related to application security. Things like: is this parameter/input value properly sanitized, is this piece vulnerable or not to injection attacks, does this piece of code perform authentication/authorization checks? Is RBAC properly implemented for this method?


I agree with some cases, but "is this parameter/input value properly sanitized" is a bit weird. It should only ever apply to a) the db framework, b) those N really weird cases that have to break the abstraction and don't use the db framework. If you have to test every input, then the problem is on a completely different level than missing a test.


Kind of. If you have a centralized place to perform input data validation, as you should, then it is just a matter of testing that piece of code, the same as if you are using a framework. However, I don't understand why you refer to a db in the first place? Is it because I used the injection attack as an example? If that's the case, bear in mind that injection targets other interpreters as well, not only a db.

But getting back to my original idea, what I want to highlight is the need to add cases to cover application security.


Yeah, my mind substituted parameter with query parameter. Too much database stuff at my $dayjob recently and I get tunnel vision ;-)


lol! Thanks for your comments.


When I saw "CSP" I thought of Content Security Policy instead https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP


Me too.


Interesting article. I live in Costa Rica in the countryside in the mountains and we are experiencing the same issue here. Back in the day, there were really big grasshoppers and all kinds of colorful bugs. Now they no longer exist. I tried to blame the bad agricultural practices that make heavy usage of pesticides.

