Security: Consider CWE and CAPEC

Mohammed A.
Apr 17, 2025
One security habit that improved my engineering decisions: before shipping a feature, I quickly check related CWE and CAPEC entries.

I do not treat them as theory. I use them as practical lists of weakness classes and attack patterns that can happen in real systems.

Three useful examples:

  1. CWE-284: Improper Access Control
  2. CWE-834: Excessive Iteration
  3. CAPEC-231: Oversized Serialized Data Payloads

Example 1: Oversized Per-Page Item Counts in Pagination

Suppose your pagination API accepts an items_limit parameter directly from the client.

If an attacker sends items_limit=999999999999, your service can start doing expensive work that should never happen:

  1. CPU and memory pressure on the application server
  2. Extra load and query cost on the RDS instance
  3. Bandwidth waste by sending massive JSON payloads
  4. More CPU spent on JSON serialization

This is not just a “performance bug.” It’s a vulnerability that lets attackers take down your systems whenever they want.

How to Avoid It

  1. Enforce strict upper bounds for pagination (min/max on input).
  2. Apply sane defaults when clients omit or abuse limits.
  3. Add request-level safeguards (timeouts, rate limits, and query guards).
  4. Add monitoring for unusual request shapes (for example, repeated high-limit calls).

Example 2: Oversized JSON Payload

A client can also send a JSON payload large enough (even 5 MB) to block request-processing threads.

A dozen such malicious requests can effectively halt backend request processing by consuming CPU and memory during parsing and serialization work.

How to Avoid It

  1. Enforce maximum JSON payload size (separate from file upload limits).
  2. Prefer enforcing payload limits at the edge or load balancer, before the app parses JSON.
  3. If edge enforcement is not possible, enforce it in application middleware, before the JSON is parsed, as a last resort.
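The two guards above (clamping items_limit from Example 1, and rejecting oversized bodies before parsing from Example 2) as an added example; this is not code from the original post, and the limit values and function names are assumptions chosen for illustration:

```python
import json

# Constructed policy values (assumptions for this example, not from the post).
DEFAULT_LIMIT = 20
MAX_LIMIT = 100
MAX_JSON_BYTES = 64 * 1024  # 64 KiB cap for JSON bodies, separate from file uploads


class RequestRejected(Exception):
    """Raised when a request violates a pre-parse safeguard."""


def normalize_limit(raw, default=DEFAULT_LIMIT, maximum=MAX_LIMIT):
    """Clamp a client-supplied items_limit to [1, maximum].

    Missing, non-numeric, zero or negative values fall back to the default;
    anything above the cap is clamped, so the endpoint never does more work
    than the cap allows no matter what the client sends.
    """
    if raw is None or raw == "":
        return default
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return default
    if value < 1:
        return default
    return min(value, maximum)


def limit_exceeds_cap(raw, maximum=MAX_LIMIT):
    """True when the raw request asked for more than the cap (a monitoring signal)."""
    try:
        return int(raw) > maximum
    except (TypeError, ValueError):
        return False


def body_within_limit(body, content_length=None, max_bytes=MAX_JSON_BYTES):
    """Check the declared Content-Length first (cheap), then the real length.

    Checking both means a missing or understated header cannot bypass the cap.
    """
    if content_length is not None and content_length > max_bytes:
        return False
    return len(body) <= max_bytes


def parse_json_body(body, content_length=None, max_bytes=MAX_JSON_BYTES):
    """Reject oversized bodies before json.loads ever runs."""
    if not body_within_limit(body, content_length, max_bytes):
        raise RequestRejected("JSON body exceeds %d bytes" % max_bytes)
    return json.loads(body)
```

Log every request where limit_exceeds_cap() returns True; a burst of them from one client is the "repeated high-limit calls" pattern the monitoring step above is looking for.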

Conclusion

Security reviews become much better when we map features to known weakness classes and attack patterns early.

A quick CWE/CAPEC check (with a lot of help from GPT) can expose problems before they become incidents.