• Reshmi Radhakrishnan

OWASP Top 10 : Security Misconfiguration

The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to Web Application Security. The OWASP Top 10 is a standard awareness document representing a broad consensus about the top 10 critical security risks to web applications. Learn more about OWASP Top 10 through this series of short blog posts.


OWASP Top 10 - Security Misconfiguration


What is Security Misconfiguration?


Security misconfiguration happens when security settings are not set correctly during configuration, or when a system is deployed and then maintained with its default settings. It is one of the most common findings in assessments, and it can affect any layer of the stack: the application and its frameworks and libraries, the web and application servers, the operating system, the network, and the cloud platform. The weakness is typically introduced at configuration time (CWE-16, Configuration). According to IBM's 2020 Cost of a Data Breach study, cloud misconfiguration was one of the most frequent initial attack vectors, and breaches that started that way cost an average of 4.41 million dollars.


Common misconfigurations include default passwords left in place, database instances open to the internet, deprecated protocols and weak encryption settings, error messages that reveal stack traces or internal paths, directory listing enabled, default certificates, misconfigured cloud settings (for example, publicly readable storage buckets), and unnecessary features such as sample pages, open ports and services that a default installation enables. Each of these gives an attacker a foothold: default credentials invite brute-force and credential-stuffing attacks, exposed admin pages and directory listings allow forced browsing, verbose errors hand over internal details, and unneeded services widen the surface for attacks such as command injection.
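As an added example (not code from the original post), the following Python script shows one of these defaults in action and what turning it off looks like. It uses only the standard library: http.server.SimpleHTTPRequestHandler renders an index of every file in a directory whenever that directory has no index.html, and announces its exact software version in the Server header. HardenedHandler, serve_and_probe and compare are names chosen for this example, not from any referenced project, and the sample docroot is constructed on the fly.

```python
"""Directory listing: a feature that is on by default, and how to turn it off.

Added example, not code from the original post. It uses only the Python
standard library. http.server.SimpleHTTPRequestHandler renders an index of
every file in a directory whenever that directory has no index.html, and
announces its exact version in the Server header: two of the defaults the
post warns about. HardenedHandler, serve_and_probe and compare are names
chosen for this example, not from any referenced project.
"""
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request


class HardenedHandler(http.server.SimpleHTTPRequestHandler):
    """Same static file serving, with the risky defaults switched off."""

    def list_directory(self, path):
        # The default implementation builds an HTML index of the directory.
        # Refuse instead; send_error writes the complete 403 response itself.
        self.send_error(403, "Directory listing disabled")
        return None

    def version_string(self):
        # Default is "SimpleHTTP/0.6 Python/3.x.y": a software version banner.
        return "webserver"

    def end_headers(self):
        # Minimal secure-header baseline added to every response.
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("X-Frame-Options", "DENY")
        super().end_headers()

    def log_message(self, format, *args):
        pass  # keep the example quiet


def serve_and_probe(handler_cls, docroot):
    """Serve docroot with handler_cls on a random localhost port, GET "/",
    and return (status, body, Server header) as the client saw them."""
    def factory(*args, **kwargs):
        return handler_cls(*args, directory=docroot, **kwargs)

    with socketserver.TCPServer(("127.0.0.1", 0), factory) as httpd:
        port = httpd.server_address[1]
        threading.Thread(target=httpd.serve_forever, daemon=True).start()
        try:
            try:
                with urllib.request.urlopen(f"http://127.0.0.1:{port}/", timeout=5) as resp:
                    return resp.status, resp.read().decode(errors="replace"), resp.headers.get("Server", "")
            except urllib.error.HTTPError as err:  # non-2xx responses, i.e. our 403
                return err.code, err.read().decode(errors="replace"), err.headers.get("Server", "")
        finally:
            httpd.shutdown()


def compare():
    """Probe the stock handler and the hardened one against the same docroot."""
    with tempfile.TemporaryDirectory() as docroot:
        # Constructed sample content: a file nobody should be able to enumerate.
        with open(os.path.join(docroot, "secret.txt"), "w") as fh:
            fh.write("not for listing\n")
        return {
            "default": serve_and_probe(http.server.SimpleHTTPRequestHandler, docroot),
            "hardened": serve_and_probe(HardenedHandler, docroot),
        }


if __name__ == "__main__":
    for name, (status, body, server) in compare().items():
        print(f"{name:8s} HTTP {status}  Server={server!r}  lists secret.txt={'secret.txt' in body}")
```

Run it and the stock handler answers "/" with HTTP 200, a Server header naming the Python version, and a listing that includes secret.txt; the hardened handler answers 403 with a generic banner and no file names. The same pattern applies to any server: find the features and banners that are on by default, decide which ones the deployment needs, and switch the rest off before the system is reachable.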



How Does Security Misconfiguration Impact Business?


Misconfiguration of web servers, databases, storage buckets, applications, libraries, operating systems, coding frameworks, platforms, virtual machines, certificates, encryption settings and cloud services affects different parts of the CIA triad (confidentiality, integrity, availability) depending on the nature of the weakness. The consequences include unauthorized access, account takeover, sensitive data exposure, data theft, full system compromise, and the legal and financial liabilities that follow.



Past Victims

  • Capital One: a former AWS employee exploited a misconfigured web application firewall and, with the access it provided, retrieved the PII of Capital One customers from the company's cloud storage

  • Avon cosmetics: a breach caused by a misconfigured cloud server leaked 19 million personal and technical records

  • Microsoft: 250 million customer support records were exposed by a configuration error in its Elasticsearch servers


How to prevent security misconfiguration?

  • Proper training, and a baseline configuration policy applied across the organization

  • Change default settings, remove default accounts and credentials, and secure public-facing instances

  • Harden web servers according to NIST SP 800-123 (Guide to General Server Security)

  • Use automated scanners to detect misconfigurations

  • Proper patch management

  • Keep all software updated and upgraded, including frameworks and libraries

  • Detect misconfigurations in frameworks, components, libraries, unused pages and custom code using static analysis (SAST) and dynamic application security testing (DAST)

  • Check for misconfigurations in the development, test and production environments, and segment these environments properly

  • Continuously monitor container registries, images and cloud instances

  • Apply secure HTTP header best practices and follow the OWASP and CIS (CIS Benchmarks) security configuration guidance
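The scanner and header checks in the list above come down to a set of rules run over a captured response. The following Python script is an added example, not the post's code and not the rule set of any real scanner: check_response, the rule tables and the two sample responses are constructed for this example, and a real tool carries far more rules, but the mechanics (banner detection, cookie flags, required headers, tell-tale body text) are the same.

```python
"""Rule-based checks for misconfiguration indicators in a captured HTTP response.

Added example, not code from the original post or from any scanner. The
function name check_response, the rule tables and the two sample responses
at the bottom are constructed for this example; real tools carry far larger
rule sets, but the mechanics are the same.
"""
import re
from typing import List, Tuple

# Headers a hardened public-facing site is expected to send on every response.
REQUIRED_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security missing (HTTPS can be downgraded)",
    "content-security-policy": "Content-Security-Policy missing",
    "x-content-type-options": "X-Content-Type-Options: nosniff missing",
    "x-frame-options": "X-Frame-Options missing (clickjacking)",
}

# Body text that only appears when a default feature or debug setting is left on.
BODY_SIGNATURES = [
    (re.compile(r"<title>\s*(Index of|Directory listing for)", re.I), "directory listing enabled"),
    (re.compile(r"Traceback \(most recent call last\)"), "Python stack trace disclosed"),
    (re.compile(r"\bat [\w.$]+\(\w+\.java:\d+\)"), "Java stack trace disclosed"),
    (re.compile(r"(Warning|Fatal error): .* on line \d+", re.I), "PHP error with file path disclosed"),
    (re.compile(r"Werkzeug Debugger", re.I), "Flask/Werkzeug debug console exposed"),
]

# "Apache/2.4.29", "PHP/7.2.24", "nginx/1.18.0": product name plus dotted version.
VERSION_BANNER = re.compile(r"[A-Za-z-]+/\d+(?:\.\d+)+")
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}


def check_response(headers: List[Tuple[str, str]], body: str) -> List[str]:
    """Return a list of findings (empty when nothing looks misconfigured)."""
    findings: List[str] = []
    normalized = [(name.lower(), value) for name, value in headers]

    for name, value in normalized:
        if name in BANNER_HEADERS and VERSION_BANNER.search(value):
            findings.append(f"{name} discloses a software version: {value}")
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            # Attributes follow the first ';'; compare them case-insensitively.
            attrs = {part.strip().lower() for part in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie_name} set without HttpOnly")
            if "secure" not in attrs:
                findings.append(f"cookie {cookie_name} set without Secure")
        elif name == "access-control-allow-origin" and value.strip() == "*":
            findings.append("CORS allows any origin (Access-Control-Allow-Origin: *)")

    present = {name for name, _ in normalized}
    for name, message in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(message)

    for pattern, message in BODY_SIGNATURES:
        if pattern.search(body):
            findings.append(message)
    return findings


# Constructed sample responses (headers, body); not real captures.
MISCONFIGURED = (
    [("Server", "Apache/2.4.29 (Ubuntu)"),
     ("X-Powered-By", "PHP/7.2.24"),
     ("Content-Type", "text/html"),
     ("Set-Cookie", "PHPSESSID=3f9a1c; Path=/")],
    '<html><head><title>Index of /backup</title></head>'
    '<body><a href="db-dump.sql">db-dump.sql</a></body></html>',
)

HARDENED = (
    [("Server", "webserver"),
     ("Content-Type", "text/html"),
     ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
     ("Content-Security-Policy", "default-src 'self'"),
     ("X-Content-Type-Options", "nosniff"),
     ("X-Frame-Options", "DENY"),
     ("Set-Cookie", "session=3f9a1c; Path=/; HttpOnly; Secure; SameSite=Lax")],
    "<html><head><title>Home</title></head><body>ok</body></html>",
)

if __name__ == "__main__":
    for label, (headers, body) in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        findings = check_response(headers, body)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

On the constructed misconfigured response the checker reports nine findings (two version banners, two missing cookie flags, four missing security headers, and a directory listing); on the hardened response it reports none. Rules like these belong in the pipeline that deploys each environment, so that a regression in a header or a cookie flag is caught in test before it reaches production.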


Interested in learning how to know if your organization is vulnerable to security misconfiguration attacks? Drop us a note now at sales@siemba.io