Security Misconfiguration is ranked 6th in the current OWASP Top Ten 2017 – Most Critical Web Application Security Risks (OWASP Top 10). This vulnerability occurs when any component of your web application has "holes" due to an insecure configuration option. It is worth mentioning that Security Misconfiguration is one of the most widespread vulnerabilities in web applications and is often an easy target for attackers. It includes default passwords, out-of-date software, enabled features that aren't necessary, and so on.
Most Popular Security Misconfigurations
Security Misconfiguration can occur anywhere in your application. When we say application, we mean all the applications required by your company (for example, spreadsheet and database management packages). Communication programs (for example, email) are also part of your application stack.
Here are a few common security misconfigurations:
1) System credentials (user accounts, passwords) are left at their defaults. As a result, an attacker who discovers the admin pages can log in with a default password (for example, admin).
2) Directory and file listings are not disabled, so they can be discovered and indexed by search engines.
3) Error pages returned to users contain sensitive data (see our article on insecure error handling). Attackers can use the extra information provided by the error message.
4) The software is not up to date, so it is more vulnerable to attacks.
It is also worth mentioning that your system is multi-layered. Even if just one of those layers isn't secured, your system can be infiltrated and data can be compromised or stolen. So it is important that you securely configure all layers.
We recommend that you start with an audit of the IT environment. After the scan, developers work to fix the issues it found. It is also very important not to forget that even if you can't discover immediate issues, some security misconfigurations may still exist. OWASP also recommends creating a highly robust environment and a strong infrastructure in which all components are separate and secure. Another thing OWASP highly recommends is automatic configuration of staging and production environments. In addition, you should deploy software updates to all environments simultaneously. Finally, the last recommendation is to run regular scans and audits.
To sum up, ways of preventing security misconfiguration are:
1) You should configure all environments (development, staging and production) identically.
2) A strong application architecture that provides secure separation between components is essential.
3) Periodic scans and audits are important to reduce risk.
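As an added illustration of both lists above (the four common misconfigurations and the "scan, audit, keep environments identical" advice), here is a small configuration audit written for this article; it is example code, not a tool OWASP or the article's authors provide. It assumes a hypothetical INI-style application config with `auth`, `web` and `components` sections; the default-credential list and the minimum-version table are constructed for the example, and a real audit would take them from your own inventory and vendor release notes.

```python
"""Hypothetical security-misconfiguration audit (added example, not from the article)."""
import configparser

# Constructed lookup tables for this example. In practice, source the known-default
# list and the minimum acceptable versions from your inventory and vendor advisories.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
MINIMUM_VERSIONS = {"openssl": "1.1.1", "nginx": "1.20.0"}

# Constructed sample configs: staging is hardened, production has drifted.
STAGING_CONFIG = """
[auth]
admin_user = admin
admin_password = Xk9!constructed-strong-secret

[web]
directory_listing = off
debug = false
show_stack_traces = false

[components]
openssl = 1.1.1
nginx = 1.20.1
"""

PRODUCTION_CONFIG = """
[auth]
admin_user = admin
admin_password = admin

[web]
directory_listing = on
debug = true
show_stack_traces = true

[components]
openssl = 1.0.2
nginx = 1.20.1
"""


def parse_version(version):
    """Turn '1.0.2' into (1, 0, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def audit_config(config_text):
    """Return a list of findings, one per misconfiguration detected in the config."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    findings = []

    # 1) Default credentials left in place.
    pair = (cfg.get("auth", "admin_user", fallback=""),
            cfg.get("auth", "admin_password", fallback=""))
    if pair in KNOWN_DEFAULT_CREDENTIALS:
        findings.append("default-credentials: auth.admin_user/admin_password match a known default")

    # 2) Directory listing enabled (configparser accepts on/true/yes/1 as true).
    if cfg.getboolean("web", "directory_listing", fallback=False):
        findings.append("directory-listing: web.directory_listing is enabled")

    # 3) Verbose error handling that leaks internals to users.
    for key in ("debug", "show_stack_traces"):
        if cfg.getboolean("web", key, fallback=False):
            findings.append(f"verbose-errors: web.{key} is enabled")

    # 4) Components older than the minimum version we accept.
    if cfg.has_section("components"):
        for name, version in cfg.items("components"):
            minimum = MINIMUM_VERSIONS.get(name)
            if minimum and parse_version(version) < parse_version(minimum):
                findings.append(f"outdated-component: {name} {version} is below {minimum}")
    return findings


def config_drift(env_a_text, env_b_text):
    """List (section, key, value_a, value_b) for every setting that differs between
    two environments; identical environments return an empty list."""
    a, b = configparser.ConfigParser(), configparser.ConfigParser()
    a.read_string(env_a_text)
    b.read_string(env_b_text)
    drift = []
    for section in sorted(set(a.sections()) | set(b.sections())):
        keys = set(a.options(section) if a.has_section(section) else [])
        keys |= set(b.options(section) if b.has_section(section) else [])
        for key in sorted(keys):
            va = a.get(section, key, fallback=None)
            vb = b.get(section, key, fallback=None)
            if va != vb:
                drift.append((section, key, va, vb))
    return drift


if __name__ == "__main__":
    for finding in audit_config(PRODUCTION_CONFIG):
        print("production:", finding)
    for section, key, staging, production in config_drift(STAGING_CONFIG, PRODUCTION_CONFIG):
        print(f"drift: [{section}] {key}: staging={staging!r} production={production!r}")
```

Running it against the constructed production config reports five findings (default credentials, directory listing, two verbose-error flags, and an outdated OpenSSL), while the staging config is clean; the drift report then shows exactly which settings let production diverge from staging, which is the gap the "configure all environments identically" recommendation is meant to close. Wiring a check like this into a scheduled job is one way to get the periodic scans the article calls for.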