OWASP Top 10 #5: Security Misconfiguration
Recently, the Open Web Application Security Project (OWASP) announced an update of their “Ten Most Critical Web Application Security Risks.” OWASP is a nonprofit organization devoted to helping create a more secure internet, and the list is considered an important benchmark. (The new 2017 list is currently in the comments phase.)
This is one of a series of articles exploring each point on OWASP’s list and what can be done to mitigate their dangers. Holding steady at Number 5 from the 2013 list is “Security Misconfiguration.”
Many Layers, Opportunities for Hackers
Security misconfiguration is one of the easiest targets for hackers because it’s so commonplace. This type of vulnerability includes weak or default passwords, out-of-date software, unnecessary features that are enabled, and unprotected files or databases.
Hackers target a website and then attempt to exploit weaknesses in a variety of ways, including brute-force password attacks, using stack traces that return full error messages, and accessing insecure sample apps that are unused but enabled.
Misconfiguration can happen anywhere in the stack, from the software platform and web server through the application servers, databases, frameworks, and the custom code layered on top. If just one of these is misconfigured, it creates an opportunity for an “in,” which can lead to a slow takeover or a wider breach.
Prevention Begins with Assessment
OWASP recommends starting with a thorough audit of the entire IT environment, highlighting such issues as software that needs updates or patches, default accounts that still have their original passwords, and security settings in frameworks and applications that are not set to secure values.
OWASP urges businesses to create a highly robust environment from the ground up, including creating a strong infrastructure that has all its components separate and secure. Developers and system administrators must work hand in hand to ensure that everything is configured correctly.
Additionally, automatic configuration of staging, development, and production environments is suggested as a way of making compliance easy. Software and firmware updates and patches should be deployed simultaneously, and scans and audits should be conducted periodically.
“Without a concerted, repeatable application security configuration process, systems are at a higher risk,” OWASP states on their website.
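As an added illustration of the audit recommended above (example code written for this article, not OWASP's or InfoSec Institute's tooling), the following Python script checks a constructed environment description for the misconfiguration classes the article lists: default credentials, unpatched components, enabled sample applications, and error pages that return stack traces. The credential pairs, version baselines and sample-app paths are assumed reference data, not values from the page.

```python
import re

# Constructed reference data for the checks; assumed values, not from OWASP or the article.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", ""), ("tomcat", "tomcat")}
PATCHED_BASELINE = {"appserver": "9.0.4", "database": "5.7.20"}
SAMPLE_APP_PATHS = {"/examples", "/manager/html", "/docs"}
# Matches a Java-style stack frame or a Python traceback header in an error page body.
STACK_TRACE_RE = re.compile(r"\bat [\w$.]+\(\w+\.java:\d+\)|Traceback \(most recent call last\)")


def parse_version(text):
    """Turn '9.0.4' into (9, 0, 4) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def audit(env):
    """Return a list of findings for one environment description (a plain dict)."""
    findings = []
    for user, password in env.get("accounts", []):
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(f"default credentials still set on account '{user}'")
    for component, version in env.get("versions", {}).items():
        baseline = PATCHED_BASELINE.get(component)
        if baseline and parse_version(version) < parse_version(baseline):
            findings.append(f"{component} {version} is below patched baseline {baseline}")
    for path in env.get("enabled_paths", []):
        if path in SAMPLE_APP_PATHS:
            findings.append(f"sample application enabled at {path}")
    if env.get("debug"):
        findings.append("debug mode enabled: error pages will expose stack traces")
    for body in env.get("error_responses", []):
        if STACK_TRACE_RE.search(body):
            findings.append("an error response returns a full stack trace")
    return findings


# Constructed sample environment standing in for a real inventory export.
SAMPLE_ENV = {
    "accounts": [("admin", "admin"), ("deploy", "Xk9#vQ2m")],
    "versions": {"appserver": "9.0.1", "database": "5.7.20"},
    "enabled_paths": ["/app", "/examples"],
    "debug": True,
    "error_responses": ["HTTP 500\n\tat com.example.Shop.checkout(Shop.java:42)"],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENV):
        print(finding)
```

Running the same audit against each of the staging, development and production descriptions, and diffing the results, is a cheap way to catch the environment drift the article warns about.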
Awareness Is Crucial
Creating a secure system that is configured correctly involves making sure everyone involved understands both the need for security and the protocols involved in creating and maintaining it.
To assist with this mission, InfoSec Institute has created SecurityIQ, a comprehensive suite of educational modules. It includes AwareED, a configurable course on security that can be administered remotely to entire departments or organizations.
SecurityIQ contains videos and interactive materials for every point on OWASP’s list, including security misconfiguration. It’s easy to enroll your entire company in a course or series of courses via email signup. From the dashboard, you can monitor everyone’s progress.
To learn more and get a 30-day trial of our premium services, visit SecurityIQ today!