A 'security smell' is an indication that something's wrong in a system that you're using from a security perspective. The are worse than code smells, because sniffing a security smell very likely means that something's actually wrong, rather than 'could be better'. Security smells are things you notice just by using the system, not by actively trying to find them, or from looking at code.
Security smells I've thought of so far:
- 'Forgotten password' emails you your actual password. That means it's not hashed in the backend storage. That's bad.
- System error messages. Oops
- Careless information leaking. For example, I sign up to a demo and see the names/emails/whatever of others that have done so.
- Broken character sets/encoding. A special character comes back mangled.