insecure-defaults
# Insecure Defaults Detection

Systematic detection of security misconfigurations where the default behavior is insecure. These are the bugs that ship because "it worked in development."

## Detection Categories

### 1. Fail-Open Configurations
Code that defaults to allowing access when a security check fails.
```typescript
// BAD: Fail-open -- if the auth service is down, everyone gets in.
// `authService` is an external dependency (e.g. an injected client for the
// token-verification backend); the bug is in the catch branch, not the call.
async function checkAuth(token: string): Promise<boolean> {
  try {
    return await authService.verify(token)
  } catch {
    // Any failure (timeout, network error, malformed token, backend 5xx)
    // is treated as a successful verification.
    return true // INSECURE: fails open
  }
}
```
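The fail-closed counterpart of the snippet above, plus a small heuristic scanner that flags catch blocks returning a permissive value, as an added example that is not part of the original skill. The `Verifier` type, `checkAuthFailClosed`, `findFailOpenCatches` and the constructed `SAMPLE_SOURCE` are assumptions made here for illustration; the scanner is a line-based heuristic for review triage, not a real parser.

```typescript
// Added example (not from the original page). All names are assumptions.

type Verifier = (token: string) => Promise<boolean>;

// Fail-closed: any error from the auth backend denies the request and is
// logged, so an outage shows up as a spike in denials rather than as silent
// admissions. The verifier is injected to keep this testable offline.
async function checkAuthFailClosed(
  token: string,
  verify: Verifier,
  log: (msg: string) => void = console.error,
): Promise<boolean> {
  try {
    return await verify(token);
  } catch (err) {
    log(`auth backend unavailable, denying request: ${String(err)}`);
    return false; // SECURE: fails closed
  }
}

interface FailOpenFinding {
  line: number;    // 1-based line number of the permissive return
  snippet: string; // the offending line, trimmed
}

// Heuristic detector: tracks whether we are inside a `catch { ... }` block by
// counting braces after the `catch` keyword, and reports bare returns of
// `true`, `{}` or `[]` inside it (optionally followed by a trailing comment).
// Braces inside string literals will confuse it; treat hits as review leads.
function findFailOpenCatches(source: string): FailOpenFinding[] {
  const findings: FailOpenFinding[] = [];
  const permissive = /^return\s+(true|\{\s*\}|\[\s*\])\s*;?\s*(\/\/.*)?$/;
  let inCatch = false;
  let opened = false; // have we seen the catch block's opening brace yet?
  let depth = 0;

  source.split("\n").forEach((raw, i) => {
    const line = raw.trim();
    let scan = line;
    if (!inCatch) {
      const at = line.search(/\bcatch\b/);
      if (at < 0) return;
      inCatch = true;
      opened = false;
      depth = 0;
      scan = line.slice(at); // ignore the `}` that closed the try block
    } else if (permissive.test(line)) {
      findings.push({ line: i + 1, snippet: line });
    }
    for (let k = 0; k < scan.length; k++) {
      if (scan[k] === "{") { depth++; opened = true; }
      else if (scan[k] === "}") depth--;
    }
    if (opened && depth <= 0) inCatch = false;
  });
  return findings;
}

// Constructed sample: the fail-open function from the page, as source text.
const SAMPLE_SOURCE = [
  "async function checkAuth(token: string): Promise<boolean> {",
  "  try {",
  "    return await authService.verify(token)",
  "  } catch {",
  "    return true // INSECURE: fails open",
  "  }",
  "}",
].join("\n");

// Example run: reports the `return true` on line 5 of the sample.
const sampleFindings = findFailOpenCatches(SAMPLE_SOURCE);
console.log(sampleFindings);
```

The scanner is meant to be run over a code base as a first pass during review; every finding still needs a human to decide whether the catch branch really grants access or merely returns a harmless default.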