Sec-Context

Anti-Pattern Examples

Real security vulnerabilities AI commonly generates, with secure alternatives.

Hardcoded Secrets

CWE-798

// PSEUDOCODE

// BAD: Hardcoded API keys
CONSTANT API_KEY = "sk-abcd1234efgh5678"
CONSTANT DB_PASSWORD = "super_secret_password"

FUNCTION call_api(endpoint):
    headers = {"Authorization": "Bearer " + API_KEY}
    RETURN http.get(endpoint, headers)

// GOOD: Environment variables
FUNCTION call_api(endpoint):
    api_key = environment.get("API_KEY")
    IF api_key IS NULL:
        THROW Error("API_KEY required")
    headers = {"Authorization": "Bearer " + api_key}
    RETURN http.get(endpoint, headers)

SQL Injection

CWE-89

// PSEUDOCODE

// BAD: String concatenation
FUNCTION get_user(user_id):
    query = "SELECT * FROM users WHERE id = " + user_id
    RETURN database.execute(query)

// Attacker input: "1 OR 1=1 --"
// Result: Returns ALL users!

// GOOD: Parameterized queries
FUNCTION get_user(user_id):
    query = "SELECT * FROM users WHERE id = ?"
    RETURN database.execute(query, [user_id])

Cross-Site Scripting (XSS)

CWE-79

// PSEUDOCODE

// BAD: Direct HTML injection (86% AI failure rate!)
FUNCTION display_comment(comment):
    element.innerHTML = comment

// Attacker input: "<script>steal(cookies)</script>"

// GOOD: Encode output for context
FUNCTION display_comment(comment):
    element.textContent = comment
    // Or use HTML encoding function
    element.innerHTML = html_encode(comment)

Command Injection

CWE-78

// PSEUDOCODE

// BAD: Shell command with user input
FUNCTION ping_host(hostname):
    command = "ping -c 4 " + hostname
    RETURN shell.execute(command)

// Attacker input: "google.com; rm -rf /"

// GOOD: Use argument arrays, avoid shell
FUNCTION ping_host(hostname):
    IF NOT is_valid_hostname(hostname):
        THROW Error("Invalid hostname")
    RETURN process.spawn("ping", ["-c", "4", hostname])

Weak Password Storage

CWE-327

// PSEUDOCODE

// BAD: Plaintext or weak hashing
FUNCTION save_password(password):
    database.insert({password: password})  // Plaintext!
    database.insert({password: md5(password)})  // Weak!
    database.insert({password: sha256(password)})  // No salt!

// GOOD: bcrypt/argon2 with proper cost
FUNCTION save_password(password):
    hashed = bcrypt.hash(password, cost=12)
    database.insert({password_hash: hashed})

Top 10 Anti-Patterns

Ranked by Priority Score = (Frequency x 2) + (Severity x 2) + Detectability

Dependency Risks (Slopsquatting)

5-21% of AI packages don't exist

XSS Vulnerabilities

86% failure rate in AI code

Hardcoded Secrets

Scraped within minutes of exposure

SQL Injection

Thousands of instances in training data

Authentication Failures

75.8% false confidence in AI auth

Missing Input Validation

Root cause of all injection attacks

Command Injection

CVE-2025-53773 real-world RCE

Missing Rate Limiting

Very high frequency, easy to detect

Excessive Data Exposure

APIs return full objects

#10

Unrestricted File Upload

Critical severity, enables RCE

Research Sources

Synthesized from 150+ individual sources across 6 primary categories.

🗃

CVE Databases

NVD, MITRE CWE, Wiz - 40+ CVEs including IDEsaster collection

📚

Academic Research

Stanford, ACM, arXiv, IEEE, USENIX - Empirical vulnerability studies

📝

Security Blogs

Dark Reading, Veracode, Snyk, Checkmarx, OWASP

💬

Developer Forums

HackerNews (17+ threads), Reddit (6 subreddits)

🐦

Social Media

Twitter/X security researchers - Real-time incidents

🐙

GitHub

Security advisories, academic studies, code analysis

Anti-Pattern Examples

Hardcoded Secrets

SQL Injection

Cross-Site Scripting (XSS)

Command Injection

Weak Password Storage

The Security Problem is Real

Top 10 Anti-Patterns

Recommended Architecture

AI Code Gen

Sec-Context Agent

Secure Code

Research Sources

CVE Databases

Academic Research

Security Blogs

Developer Forums

Social Media

GitHub

The Files

ANTI_PATTERNS_BREADTH.md

ANTI_PATTERNS_DEPTH.md