OWASP Tot Ten Web Application Vulnerabilities #6: Security Misconfiguration

Security misconfigurations of key application stack components such as the operating system, the web server and the application server are all potential gateways to attacks. Unfortunately for us, most security configuration vulnerabilities are not rocket science — they’re out there for everybody to learn and use (or misuse) them. Security Misconfiguration is also a way for privileged insiders to hide their malicious activity against their firm’s systems. Usually a security misconfiguration will compromise just some part of the system, but don’t be surprised if the hacker completely compromises your entire system through one misconfigured system parameter.

The way to prevent attacks due to misconfigured systems is straightforward: follow well known best practices in system configuration, including doing the following:

1. Keep an inventory of all of your software and keep them up to date by patching them as soon as the patches are available.

2. Disable all unnecessary ports, services, accounts and privileges.

3. Make sure that the security settings in your development framework such as Spring and ASP.NET are well understood by the developers.

4. Make sure that error stacks from applications don’t reveal sensitive information to users.

5. Ideally, you must keep the development, testing, staging and production environments as similarly configured as possible, so you minimize the work involved in setting up a secure production environment.

6. Run periodical security scans and perform through internal audits to ensure that you catch misconfigured systems or systems with missing security patches.

7. Don’t overlook the security of code libraries, as these are just as vulnerable to attacks as system software.

8. Keep a strong separation between components to keep a misconfigured system from compromising the entire enterprise.

Leave a Comment

Your email address will not be published. Required fields are marked *


Contact Us

If you have an urgent question regarding your software licensing or a software audit, please contact Miro right away.

(732)738–8511 x1208
Use the chat box on the right

About Us

Miro is a leading global provider of software asset management services, specializing in license management, audit advisory, negotiation tactics, support management, and cloud services. We help our clients maximize ROI on their software license investments, stay in compliance, and minimize the impact of audits. Miro's performance guarantee promises that our long-tenured, diverse, and passionate team of expert analysts provides insightful and actionable advice to help our clients achieve the best possible outcomes.