Deployment mistakes vs attackers smile
As developers, we spend most of our time trying to write secure code for our applications, because we believe that will keep malicious attackers out of our systems or at least reduce the attack surface. We spend plenty of time writing tests, input validation, proper authentication and authorization, etc.
Then comes the moment of shipping, making our work accessible to the public, and then "boom": some malicious attacker gains access to the system, not through our code but through deployment mistakes that we overlooked because we focused only on writing secure code. Don't misquote or misunderstand me: writing secure business logic is very important and crucial, but let's not forget the other attack surfaces. Devs leave debug mode set to true, expose endpoints that are meant for internal use only, leave the database accessible over the internet, and make many more mistakes in network configuration, containers, etc. I think that's why there are some brute-forcing wordlists named "Stupid ones in production". After all, we are human beings and tend to forget.
I have been doing some research for some time, and one time I came across a site that had left its database accessible over the internet even though the developers thought it was secured. It is a critical risk, and I cannot say more than that!
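
A pre-deployment check for two of the mistakes named above (debug mode left on, a database reachable from outside the host) can run in CI before anything ships. The sketch below is an added example, not code from this post. It assumes the deployment is described as a Docker Compose-style service map already loaded into a Python dict; the service names, the debug variable names and the list of database ports are illustrative assumptions, and only single-port short syntax is handled.

```python
# Added example: pre-deployment audit of a Compose-style service map.
# DB_PORTS and DEBUG_KEYS are illustrative assumptions; extend them for your stack.
DB_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}
DEBUG_KEYS = {"DEBUG", "APP_DEBUG", "FLASK_DEBUG"}
TRUTHY = {"1", "true", "yes", "on"}


def env_items(env):
    """Compose allows 'environment' as a mapping or a list of KEY=VALUE strings."""
    if isinstance(env, dict):
        return [(k, str(v)) for k, v in env.items()]
    return [tuple(e.split("=", 1)) for e in env if "=" in e]


def parse_port(spec):
    """Return (bind_ip, container_port) for short syntax '[IP:][HOST:]CONTAINER[/proto]'."""
    parts = str(spec).split("/")[0].rsplit(":", 2)
    # Without an explicit IP, the port is published on every interface.
    bind_ip = parts[0] if len(parts) == 3 else "0.0.0.0"
    return bind_ip, int(parts[-1])


def audit(services):
    """Return (service, problem) pairs for debug flags and exposed database ports."""
    findings = []
    for name, svc in services.items():
        for key, value in env_items(svc.get("environment", {})):
            if key.upper() in DEBUG_KEYS and value.strip().lower() in TRUTHY:
                findings.append((name, f"debug enabled via {key}={value}"))
        for spec in svc.get("ports", []):
            bind_ip, port = parse_port(spec)
            if port in DB_PORTS and bind_ip not in LOOPBACK:
                findings.append((name, f"{DB_PORTS[port]} port {port} published on {bind_ip}"))
    return findings


# Constructed sample input (not taken from any real deployment).
SAMPLE = {
    "web": {"environment": ["DEBUG=True", "SECRET_KEY=changeme"], "ports": ["80:8000"]},
    "db": {"environment": {"POSTGRES_DB": "app"}, "ports": ["5432:5432"]},
    "cache": {"ports": ["127.0.0.1:6379:6379"]},
}

if __name__ == "__main__":
    for service, problem in audit(SAMPLE):
        print(f"[FAIL] {service}: {problem}")
```

Failing the pipeline whenever `audit()` returns a non-empty list turns "we tend to forget" into a gate that does not depend on anyone remembering.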