The fifth most critical web application security risk according to the 2013 Open Web Application Security Project (OWASP) Top 10 list is Security Misconfiguration. This is only the second time it has made the list, starting in the sixth position on the 2010 list.
Security misconfiguration is simply that – incorrectly assembling the safeguards for a web application. These misconfigurations typically occur when holes are left in the security framework of an application by systems administrators, DBAs or developers. They can occur at any level of the application stack including the platform, web server, application server, database, framework and custom code. These security misconfigurations can lead an attacker right into the system and result in a partially or even totally compromised system.
Attackers find these misconfigurations through unauthorized access to default accounts, unused web pages, unpatched flaws, unprotected files and directories and more. If a system is compromised through faulty security configurations, data can be stolen or modified slowly over time and can be time-consuming and costly to recover.
It is important that the entire surface of the web application is void of vulnerabilities. Unlike many of the OWASP Top 10 risks, the developers are not solely responsible for preventing security misconfiguration flaws. The developers must collaborate with administrators to ensure the entire stack is configured properly.
Security misconfigurations are easy to exploit but there are a number of proactive ways to prevent them, including the following recommendations from industry experts:
- Develop a repeatable process to reduce the surface of vulnerability
- Disable default accounts and change passwords
- Keep software up-to-date
- Develop a strong application architecture that effectively isolates components and encrypts data which is especially important with sensitive data.
- Disable any unnecessary files or features
- Don’t present stack tracers to users
- Ensure security settings in development frameworks and libraries are set to secure values
- Run tools (i.e. automated scanners) and perform regular audits to identify holes in the security configuration
Web applications are much more complex today than in the past. They have numerous layers which increase the surface for a potential attack. During the development process, as well as the deployment and ongoing use and maintenance of the web application, it is imperative that the proper security safeguards are taken to reduce any potential points for exploitation. Ensuring the security settings are configured correctly and are checked frequently is critical to protect an organization’s information assets.