What’s your “don’t forget to check the power cord” advice?

Mine is don’t forget to check authentication flows in depth.

Bugs in Mfa, password reset, oauth integration, and “signature check” flows are hot spots.

If a program is using cryptographic primitives, this often leads to vulnerabilities.