OWASP Top 10: A6 Security Misconfigurations (Impact & Mitigation)
What is meant by Security Misconfigurations?
Security misconfigurations arise when security settings are left at their insecure defaults instead of being defined, implemented, and maintained deliberately. They can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code.
Security misconfiguration vulnerabilities occur when a component is vulnerable to attack because of an insecure configuration option. They stem from insecure default configuration, poorly documented default configuration, or poorly documented side effects of optional configuration. Examples range from failing to set a useful security header on a web server to forgetting to disable default platform functionality that may grant an attacker administrative access.
Business Impact of Security Misconfigurations
The system could be completely compromised without you knowing it. All your data could be stolen or modified slowly over time.
Technical Impact of Security Misconfigurations
It usually gives attackers access to data you do not want disclosed, or to unauthorized features. It can also result in a whole-system compromise, letting the attacker do whatever they want on your system (stealing the database, changing business processing rules, installing worms, shutting down your website or deleting it).
Mitigation for Security Misconfigurations
- Reduce the attack surface with a repeatable hardening process.
- Keep the software up to date.
- Disable all default credentials and change passwords regularly.
- Develop a strong architecture and encrypt sensitive data.
- Make sure that the security settings in the libraries and frameworks are set to secure values.
- Perform audits and run scanning tools to identify holes across the whole system.
- Use the same configuration for production, development, and staging, as inconsistencies open the door to many misconfigurations.
- Automate configuration wherever possible to avoid human error.
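As an added example (not part of the original post), the following Python script turns several of the points above, together with the examples from the definition section (missing security headers, default functionality left enabled, default credentials), into an automated configuration audit. It also checks for configuration drift between two environments, the inconsistency the list warns about. The flat-dict configuration format, the setting names, and both sample configurations are constructed assumptions for illustration and are not taken from any real server, framework, or project.

```python
"""Audit a web application's configuration for common security misconfigurations.

Assumption: the configuration is a flat dict of setting names to values.
This format is hypothetical and not tied to any real server or framework.
"""
from __future__ import annotations

# Constructed sample: a deliberately weak configuration (not from any real system).
WEAK_CONFIG = {
    "debug": True,                       # stack traces and internals exposed to clients
    "admin_user": "admin",
    "admin_password": "admin",           # vendor default never changed
    "directory_listing": True,           # default platform feature left on
    "tls_min_version": "1.0",
    "headers": {"Server": "ExampleServer/1.0"},  # version banner, no security headers
}

# Constructed sample: the same settings with secure values.
HARDENED_CONFIG = {
    "debug": False,
    "admin_user": "ops-admin",
    "admin_password": "<loaded from secret store>",  # placeholder, never a literal
    "directory_listing": False,
    "tls_min_version": "1.2",
    "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
    },
}

# Small constructed list of well-known vendor defaults; a real audit would use a larger one.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Headers every response should carry; a tuple keeps the finding order deterministic.
REQUIRED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
)


def _tls_version(value: str) -> tuple[int, ...]:
    """Parse '1.2' into (1, 2) so versions compare numerically."""
    return tuple(int(part) for part in value.split("."))


def audit_config(config: dict) -> list[str]:
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings: list[str] = []
    if config.get("debug"):
        findings.append("debug mode enabled: stack traces and internals may be exposed")
    if (config.get("admin_user"), config.get("admin_password")) in DEFAULT_CREDENTIALS:
        findings.append("default credentials in use for the admin account")
    if config.get("directory_listing"):
        findings.append("directory listing enabled: file layout disclosed to clients")
    if _tls_version(str(config.get("tls_min_version", "1.2"))) < (1, 2):
        findings.append("TLS minimum version below 1.2")
    headers = config.get("headers", {})
    for name in REQUIRED_HEADERS:
        if name not in headers:
            findings.append(f"missing security header: {name}")
    if "Server" in headers:
        findings.append("Server header reveals software name/version")
    return findings


def config_drift(reference: dict, candidate: dict,
                 ignore: tuple[str, ...] = ("admin_password",)) -> dict:
    """Return {setting: (reference_value, candidate_value)} for settings that differ.

    Secrets are ignored because they are expected to differ per environment.
    """
    drifted = {}
    for key in set(reference) | set(candidate):
        if key in ignore:
            continue
        if reference.get(key) != candidate.get(key):
            drifted[key] = (reference.get(key), candidate.get(key))
    return drifted


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
    # Treat the hardened config as production and the weak one as staging.
    print("drift between environments:", sorted(config_drift(HARDENED_CONFIG, WEAK_CONFIG)))
```

Running the script reports nine findings for the weak configuration and none for the hardened one, and lists the five settings that drift between the two. In practice the audit would load the real configuration files for each environment instead of the constructed dicts and run in CI, so a regression back to a default value fails the build rather than reaching production.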