The average breach takes 200 days to detect. Not because the attackers are subtle. Because nobody was looking. A request comes in, something goes wrong, the response is a 500, and the reason for the 500 exists only in the mind of a Node process that already exited.
Security logging and monitoring failures mean an attack can run against your app and leave no trace. Failed logins are not recorded, 500s are not counted, suspicious patterns are not alerted on. Every other bug in this list gets louder when nobody is watching — this is the category that makes the other nine survivable for the attacker.
What your AI actually built
You asked for an app, and the model shipped one. Routes, handlers, database calls, a deploy config. Every path works on the happy case. The errors you tested during development showed up in your terminal just fine.
What it didn't ship was a place for errors to go in production. console.log writes to a container log that rotates after a day. There is no structured logger, no error tracker, no audit trail of who did what. When something breaks, you hear about it from a user on Twitter.
Security events get the worst of this. Failed logins, access denials, suspicious payloads — the things you most want to know about — are the exact things the app silently swallows, because 'swallow the error and return 401' is the idiomatic tutorial pattern.
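What recording those events can look like, as an added example that is not code from the original article: each failed login or access denial becomes one structured JSON line, and a burst of denials from a single source raises an alert. The event names, field names, window and threshold are assumptions chosen for illustration, and the sample requests are constructed.

```javascript
// Added example: structured security-event logging instead of "swallow and return 401".
// Event names, fields, WINDOW_MS and THRESHOLD are illustrative assumptions.
const WINDOW_MS = 5 * 60 * 1000; // sliding window for counting denials
const THRESHOLD = 5;             // denials per source before an alert is raised

function createSecurityLog(sink = console.log) {
  const recent = new Map(); // "event|ip" -> timestamps still inside the window

  // Emit one JSON line per event so a log shipper can index and retain it.
  function emit(event, fields, now) {
    const record = { ts: new Date(now).toISOString(), event, ...fields };
    sink(JSON.stringify(record));
    return record;
  }

  // Record a failed login or access denial; alert on a burst from one source.
  function deny(event, { ip, userId = null, path }, now = Date.now()) {
    emit(event, { ip, userId, path }, now);
    const key = `${event}|${ip}`;
    const hits = (recent.get(key) || []).filter((t) => now - t < WINDOW_MS);
    hits.push(now);
    recent.set(key, hits);
    // Fire when the threshold is crossed, not again on every later hit.
    if (hits.length === THRESHOLD) {
      return emit("alert.denial_burst", { source: event, ip, count: hits.length }, now);
    }
    return null;
  }

  return { deny };
}

// Constructed sample: one client receiving repeated 403s on an orders route.
function demo() {
  const lines = [];
  const log = createSecurityLog((l) => lines.push(l));
  const t0 = Date.UTC(2024, 0, 1);
  let alert = null;
  for (let i = 0; i < 6; i++) {
    const path = `/api/orders/${1000 + i}`;
    alert = log.deny("authz.denied", { ip: "203.0.113.7", userId: "u_42", path }, t0 + i * 1000) || alert;
  }
  return { lines, alert };
}
```

In a real handler, `deny` would be called on the same code path that returns the 401 or 403, with the sink pointed at a log destination that outlives the container.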
How it gets exploited
An attacker found a BOLA bug on /api/orders/:id last Tuesday. They are patient.