
OWASP Top 10 #5: Security Misconfiguration

August 21, 2017 by Stephen Moramarco

Recently, the Open Web Application Security Project (OWASP) announced an update of their "Ten Most Critical Web Application Security Risks." OWASP is a nonprofit organization devoted to helping create a more secure internet, and the list is considered an important benchmark. (The new 2017 list is currently in the comments phase.)

This is one of a series of articles exploring each point on OWASP’s list and what can be done to mitigate their dangers. Holding steady at Number 5 from the 2013 list is “Security Misconfiguration.”


Many Layers, Opportunities for Hackers

Security misconfiguration is one of the easiest targets for hackers because it’s so commonplace. This type of vulnerability includes weak or default passwords, out-of-date software, unnecessary features that are enabled, and unprotected files or databases.

Hackers target a website and then attempt to exploit weaknesses in a variety of ways, including brute-force password attacks, using stack traces that return full error messages, and accessing insecure sample apps that are unused but enabled.

Misconfiguration can happen up and down the stack, from the software platform to the web server, including the application servers, databases, frameworks, and custom code layered on top. If just one of these is misconfigured, it creates an opportunity for an "in," which can lead to a slow takeover or a wider breach.
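One of the misconfigurations named above, stack traces that return full error messages, is easy to see in a few lines of code. The following is an added example written for this article, not code from OWASP or from the author, and it uses only the Python standard library. It contrasts a "development" error handler that was left switched on in production with a hardened one that returns a generic message and an opaque reference id while keeping the details in the server log. The handler name, the sample user table and the request flow are constructed for the example.

```python
import logging
import traceback
import uuid

# Added example: a minimal error handler for a web application, shown in
# the two modes the article contrasts. The misconfigured mode returns the
# full Python traceback to the client; the hardened mode returns a generic
# message plus an opaque reference id and keeps the details in the server
# log, where an operator can look them up.

log = logging.getLogger("app")


def handle_error(exc: Exception, debug: bool) -> tuple[int, str]:
    """Build the HTTP status and body for an unhandled exception.

    debug=True mimics a development setting left enabled in production.
    """
    details = "".join(
        traceback.format_exception(type(exc), exc, exc.__traceback__)
    )
    if debug:
        # Misconfiguration: internal file paths, library names and variable
        # values in the traceback are sent to whoever made the request.
        return 500, "Internal Server Error\n\n" + details
    # Hardened: log everything server-side under a reference id and return
    # only the id, so support staff can correlate a user report with the
    # log entry without exposing internals.
    error_id = uuid.uuid4().hex
    log.error("error_id=%s\n%s", error_id, details)
    return 500, f"Internal Server Error (reference {error_id})"


def render_user(user_id: str, debug: bool = False) -> tuple[int, str]:
    """Simulated request handler that fails on an unknown user id."""
    users = {"1": "alice"}  # constructed sample data
    try:
        return 200, f"Hello {users[user_id]}"
    except KeyError as exc:
        return handle_error(exc, debug)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for mode in (True, False):
        status, body = render_user("missing", debug=mode)
        print(f"debug={mode}: HTTP {status}\n{body}\n")
```

Running the block prints the traceback once (debug mode) and the reference-only message once (hardened mode). The reference id is the detail that makes the hardened form usable in practice: without it, a generic error page leaves operators with no way to find the matching log entry.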

Prevention Begins with Assessment

OWASP recommends starting with a thorough audit of the entire IT environment, highlighting such issues as software that needs updates or patches, default accounts that still have their original passwords, and security settings in frameworks and applications that are not set to secure values.

OWASP urges businesses to create a highly robust environment from the ground up, including an infrastructure in which every component is separated and secured. Developers and system administrators must work hand in hand to ensure that everything is configured correctly.

Additionally, automatic configuration of staging, development, and production environments is suggested as a way of making compliance easy. Software and firmware updates and patches should be deployed to all environments simultaneously, and scans and audits should be conducted periodically.
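The audit and the consistent-environments steps above can be automated with a small configuration checker. The following is an added example written for this article, not OWASP's tooling or anything from the author. It parses INI-style settings for two environments, flags the issues the article lists (default credentials, debug mode, unnecessary features left enabled, settings not at secure values) and reports drift between environments. The section names, keys, values and the list of default passwords are all constructed for the example and do not come from any real product.

```python
import configparser
from dataclasses import dataclass

# Constructed sample settings for two environments of one application.
# Section names, keys and values are invented for this example.
SAMPLE_CONFIGS = {
    "production": """
[server]
debug = true
directory_listing = on
sample_apps = enabled
tls_min_version = 1.0
[admin]
user = admin
password = admin
""",
    "staging": """
[server]
debug = false
directory_listing = off
sample_apps = disabled
tls_min_version = 1.2
[admin]
user = admin
password = set-per-environment-placeholder
""",
}

# Constructed list of values that commonly ship as default passwords.
DEFAULT_PASSWORDS = {"", "admin", "password", "changeme", "default"}

# Secrets are expected to differ per environment, so they are not drift.
IGNORE_IN_DRIFT = {"admin.password"}


@dataclass(frozen=True)
class Finding:
    environment: str
    setting: str
    value: str
    issue: str


def parse(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def audit(environment: str, text: str) -> list[Finding]:
    """Check one environment's settings against secure values."""
    cfg = parse(text)
    findings: list[Finding] = []

    def flag(section: str, key: str, issue: str) -> None:
        value = cfg.get(section, key, fallback="<missing>")
        findings.append(Finding(environment, f"{section}.{key}", value, issue))

    if cfg.getboolean("server", "debug", fallback=False):
        flag("server", "debug", "debug mode on: stack traces reach clients")
    if cfg.getboolean("server", "directory_listing", fallback=False):
        flag("server", "directory_listing", "directory listing exposes files")
    if cfg.get("server", "sample_apps", fallback="disabled").lower() == "enabled":
        flag("server", "sample_apps", "unused sample applications enabled")
    if float(cfg.get("server", "tls_min_version", fallback="0")) < 1.2:
        flag("server", "tls_min_version", "legacy TLS version permitted")
    if cfg.get("admin", "password", fallback="").lower() in DEFAULT_PASSWORDS:
        flag("admin", "password", "default or empty administrator password")
    return findings


def drift(configs: dict[str, str], baseline: str) -> list[tuple[str, str, str, str]]:
    """Settings whose value in another environment differs from the baseline.

    Returns (environment, setting, baseline value, environment value).
    """
    base = parse(configs[baseline])
    out = []
    for env, text in configs.items():
        if env == baseline:
            continue
        cfg = parse(text)
        for section in base.sections():
            for key, base_value in base.items(section):
                setting = f"{section}.{key}"
                if setting in IGNORE_IN_DRIFT:
                    continue
                value = cfg.get(section, key, fallback="<missing>")
                if value != base_value:
                    out.append((env, setting, base_value, value))
    return out


if __name__ == "__main__":
    for env, text in SAMPLE_CONFIGS.items():
        for f in audit(env, text):
            print(f"[{f.environment}] {f.setting}={f.value}: {f.issue}")
    for env, setting, expected, actual in drift(SAMPLE_CONFIGS, "staging"):
        print(f"[drift] {env} {setting}: staging={expected} {env}={actual}")
```

The two functions correspond to the two recommendations: audit() is the periodic scan for settings that are not at secure values, and drift() is the check that the environments configured automatically from one template have stayed identical. In the sample data, staging passes cleanly while production carries every issue, and the drift report shows exactly which production settings departed from the staging baseline.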

“Without a concerted, repeatable application security configuration process, systems are at a higher risk,” OWASP states on their website.

Awareness Is Crucial

Creating a secure system that is configured correctly involves making sure everyone involved understands both the need for security and the protocols involved in creating and maintaining it.

To assist with this mission, InfoSec Institute has created SecurityIQ, a comprehensive suite of educational modules. It includes AwareED, a configurable course on security that can be administered remotely to entire departments or organizations.

SecurityIQ contains videos and interactive materials for every point on OWASP’s list, including security misconfiguration. It’s easy to enroll your entire company in a course or series of courses via email signup. From the dashboard, you can monitor everyone’s progress.


To learn more and get a 30-day trial of our premium services, visit SecurityIQ today!

Stephen Moramarco

Stephen Moramarco is a freelance writer and consultant who lives in Los Angeles. He has written articles and worked with clients all over the world, including SecureGroup, LMG Security, Konvert Marketing, and Iorad.