2021 OWASP Top Ten: Security Misconfiguration

Share on:

📚 Main Topics

Definition of Security Misconfiguration
- Security misconfiguration occurs when security components within an application are not configured correctly, such as using default passwords or failing to enable security features.
Prevalence of the Issue
- Security misconfiguration has moved up to the fifth position in the OWASP Top 10, with 90% of tested applications exhibiting some form of this vulnerability, totaling over 200,000 occurrences.
Common Vulnerabilities
- Unnecessary features enabled or installed.
- Default accounts and passwords unchanged.
- Latest security features disabled after software upgrades.
- Lack of security headers or directives.
- Outdated or vulnerable software.
Scenarios Illustrating Misconfiguration
- Example of a sample application with known vulnerabilities left on a server.
- Error messages revealing too much information, potentially aiding attackers.
Mitigation Strategies
- Follow hardening guides for each framework.
- Use tools like Mozilla's SSL config generator for secure TLS settings.
- Implement a repeatable hardening process for new environments.
- Maintain a minimal platform by removing unnecessary features.
- Send security directives to clients (e.g., HTTP Strict Transport Security).
- Automate verification of configurations and settings.

Security misconfiguration is a significant risk that can lead to vulnerabilities in applications.
Regularly review and update configurations to ensure security measures are in place.
Implementing a structured approach to security can help mitigate risks associated with misconfiguration.

Always change default settings and passwords during application setup.
Be cautious with error messages; they should not disclose sensitive information.
Continuous monitoring and automation can help maintain secure configurations across environments.
Security is an ongoing process that requires diligence and attention to detail to prevent exploitation by attackers.