The default settings of some libraries and tools are so useless, or even dangerous, that they should never be used. While they give the impression of being easy to use or performant, they actually represent traps for the unwary user. I look at some examples, consider the reasons why these bad defaults might have arisen, and offer some guidelines for setting up projects with good defaults.
Links and resources:
CKAN: https://github.com/ckan/ckan/pull/2164
MongoDB security: https://blog.shodan.io/its-the-data-stupid/, https://www.mongodb.com/blog/post/update-how-to-avoid-a-malicious-attack-that-ransoms-your-data
Elasticsearch: http://bouk.co/blog/elasticsearch-rce/
PEP 476 (certificate verification on by default for the stdlib HTTP clients): http://legacy.python.org/dev/peps/pep-0476/
YAML:
  Tom Eastman's Serialization talk: http://s3.eastman.net.nz/serialization/, https://www.youtube.com/watch?v=kjZHjvrAS74
  PyYAML issue: https://github.com/yaml/pyyaml/issues/5
MongoDB durability: https://docs.mongodb.com/manual/release-notes/2.6-compatibility/#write-method-acknowledgements
Misconfigured Django apps: https://securityaffairs.co/wordpress/70869/hacking/django-apps-misconfigured.html
Li and Evans, Insecure by Default?: https://www.cs.virginia.edu/~evans/pubs/webframeworks2016/insecurebydefault.pdf
The Zen of Python: https://www.python.org/dev/peps/pep-0020/
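Added example, not code from the talk or from any of the projects linked above: the kind of project-level check the "good defaults" guidelines point toward. It audits two of the defaults the resources cover, the Django settings behind the misconfigured-apps story (DEBUG, ALLOWED_HOSTS, SECRET_KEY are real Django setting names; the settings dictionaries are constructed sample input) and the TLS verification that PEP 476 switched on (the default `ssl` context versus the `_create_unverified_context()` escape hatch PEP 476 introduced). The audit rules themselves are my own, not Django's check framework.

```python
"""Audit project configuration for dangerous defaults.

Added example for the talk abstract; not code from the talk or the linked
projects. The Django setting names are real, the sample settings below are
constructed, and the rules are this example's own.
"""
import ssl

# Constructed sample: what a freshly generated development settings file
# looks like if it is deployed unchanged.
INSECURE_DEV_SETTINGS = {
    "DEBUG": True,
    "ALLOWED_HOSTS": ["*"],
    "SECRET_KEY": "django-insecure-abc",
}

# Constructed sample of settings that pass the audit.
PRODUCTION_SETTINGS = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["example.com"],
    "SECRET_KEY": "0Ab1Cd2Ef3Gh4Ij5Kl6Mn7Op8Qr9St0Uv1Wx2Yz3Ab4Cd5Ef6Gh7Ij8Kl9Mn",
}


def check_django_settings(settings):
    """Return a list of findings for a Django-style settings mapping."""
    findings = []
    if settings.get("DEBUG", False):
        # DEBUG=True renders tracebacks, local variables and the settings
        # module to anyone who can trigger an error page.
        findings.append("DEBUG is True: error pages expose settings and source")
    if "*" in settings.get("ALLOWED_HOSTS", []):
        # Wildcard host matching trusts whatever Host header the client sends.
        findings.append("ALLOWED_HOSTS contains '*': any Host header is accepted")
    secret = settings.get("SECRET_KEY", "")
    if (secret.startswith("django-insecure-")
            or len(secret) < 50
            or len(set(secret)) < 5):
        # startproject prefixes its generated key so this case is detectable.
        findings.append("SECRET_KEY is the generated placeholder or too weak")
    return findings


def check_tls_context(ctx):
    """Return findings for an ssl.SSLContext that would be used as a client."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate unverified")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate not matched to host")
    return findings


def default_context_findings():
    """Findings for the post-PEP 476 default client context (expected: none)."""
    return check_tls_context(ssl.create_default_context())


def unverified_context_findings():
    """Findings for the explicit opt-out context PEP 476 added."""
    return check_tls_context(ssl._create_unverified_context())


if __name__ == "__main__":
    for name, settings in (("dev", INSECURE_DEV_SETTINGS),
                           ("prod", PRODUCTION_SETTINGS)):
        print(name, check_django_settings(settings) or ["ok"])
    print("default TLS context", default_context_findings() or ["ok"])
    print("unverified TLS context", unverified_context_findings())
```

Run as a script it reports three findings for the development settings and none for the production set; the default `ssl` context passes while the opt-out context fails both TLS checks, which is exactly the difference PEP 476 made to the stdlib default.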