Sure — below is a **compressed, structured master list** of the **most common software engineering pitfalls**, kept **under 4,000 characters**, in clear English. Think of this as a **universal bug & failure taxonomy**.

---

## Common Software Engineering Pitfalls (Master List)

### 1) Requirements & Product

* Vague or unmeasurable requirements
* Missing edge cases (empty, max, null, concurrency)
* Scope creep without control
* Wrong prioritization of features
* No clear “definition of done”
* UX flows not aligned with real user behavior

### 2) Architecture & Design

* God objects / spaghetti code
* Poor module boundaries
* Overengineering or premature abstraction
* Tight coupling between components
* Single points of failure
* No backward compatibility strategy
* Synchronous chains instead of async workflows

### 3) Core Logic & Code

* Off-by-one errors
* Incorrect assumptions (“this will never be null”)
* Type conversion and precision issues
* State inconsistency
* Magic numbers / strings
* Incorrect equality or ordering logic

### 4) Algorithms & Data Structures

* Inefficient Big-O choices
* Wrong data structure (list vs map/set)
* Excessive copying of large objects
* Overflow / underflow
* Rounding errors (especially money)

### 5) Database & ORM

* **N+1 queries**
* Missing or wrong indexes
* `SELECT *` overfetching
* Missing transactions
* Wrong isolation level
* Deadlocks and lock contention
* Pagination with OFFSET on large tables
* Broken migrations
* Soft-delete filtering mistakes
* Timezone errors

### 6) Caching & Consistency

* Stale cache
* Cache invalidation errors
* Cache stampede
* Hot keys
* Wrong TTLs
* Cache/DB inconsistency

### 7) Concurrency

* Race conditions
* Lost updates
* Double submits
* Non-atomic operations
* Deadlocks, livelocks, starvation

### 8) Distributed Systems

* No timeouts
* Retry storms
* Missing idempotency
* Event duplication or reordering
* Clock skew
* Broken distributed locks
* No compensation (Saga failures)

### 9) APIs & Integrations

* Incorrect HTTP status codes
* Inconsistent error formats
* Missing validation
* Breaking changes without versioning
* No rate limiting
* Webhooks without signature verification

### 10) Security

* SQL / NoSQL injection
* XSS
* CSRF
* IDOR (authorization bypass)
* SSRF
* Weak password handling
* Secrets in code or logs
* Overly permissive CORS
* Missing rate limits

### 11) Frontend / Mobile

* UI state desynchronization
* Multiple submits
* Infinite render loops
* Memory leaks
* Poor performance on large lists
* Missing offline/error UX
* Localization & RTL issues
* Accessibility gaps

### 12) Networking

* Incorrect timeout values
* Connection leaks
* Bad retry strategies (no backoff)
* Proxy / load balancer header issues

### 13) Performance

* No profiling
* Blocking I/O
* Oversized payloads
* Memory bloat
* Thundering herd problems

### 14) Testing

* Only unit tests, no integration
* Flaky tests
* Shared test state
* Excessive mocking
* No E2E coverage

### 15) DevOps & Release

* Environment drift
* Secrets mismanagement
* No rollback strategy
* Bad migration ordering
* Missing observability
* Alert fatigue

### 16) Logging & Monitoring

* Swallowed exceptions
* Logging sensitive data
* Missing correlation IDs
* No metrics or tracing

### 17) Data Privacy & Compliance

* Excessive data collection
* No retention policy
* No audit logs
* Unencrypted data at rest or transit

### 18) Payments & Billing

* Missing idempotency
* Unverified payment webhooks
* Entitlement cache errors
* Incorrect proration/refunds

---

If you want, I can turn this into:

* a **one-page engineering checklist**,
* a **pre-production audit template**, or
* a **stack-specific version** (backend, mobile, SaaS, fintech, AI apps).

Just say the word 👌
—
A 300+ checkpoint exhaustive code review protocol for TypeScript applications and NPM packages. Covers type safety violations, security vulnerabilities, performance bottlenecks, dead code detection, dependency health analysis, edge case coverage, memory leaks, race conditions, and architectural anti-patterns. Zero-tolerance approach to production bugs.
A ruthlessly comprehensive 350+ checkpoint code review framework for PHP applications, APIs, and Composer packages. Examines type declarations, hunts SQL injection and XSS vulnerabilities, detects memory leaks, identifies race conditions, audits all Composer dependencies for CVEs and abandonment, finds dead code and duplications, validates error handling, checks authentication/authorization patterns, analyzes database query performance, and stress-tests 60+ edge cases.
—