Day 9: OWASP Top 10 2021 – #5 Security Misconfiguration

Security Misconfiguration is the failure to implement all of a web application’s security controls, or the implementation of those controls with mistakes. The former XML External Entities (XXE) category is now folded into this risk category, which moves up from sixth position in the previous edition.

According to OWASP, this category is the most prevalent among the Top 10, and its main cause is incorrectly configured security settings. A variety of configuration errors put the organization at risk, such as accepting insecure default settings, cloud storage resources that are too easily accessible, incomplete settings, and incorrect HTTP headers.

Impact of Security Misconfiguration

  1. Complete system compromise.
  2. Exposure of personal information.

Remedy to Security Misconfiguration

Nearly any component of the system, including databases, web and application servers, network-attached devices, and containers, is susceptible to security misconfigurations. The methods listed below can assist in keeping an environment configured properly:

  • Use templates to deploy pre-configured development, test, and production environments that adhere to the company’s security standards.
  • Use segmented application architectures to limit the damage an improperly configured component can cause, and keep a collection of container images that are known to be configured correctly.
  • Deploy minimal platforms, and remove any features and services you don’t use.
  • Continuously check servers, applications, and cloud resources for security flaws, and whenever possible use automated workflows to fix the problems that are found.
  • Encrypt data at rest so that data cannot be readily exploited if it is exposed.
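As an added example (not code from the original post) of the "incorrect HTTP headers" case and of the continuous checking recommended above, the following Python audit flags missing or weak hardening headers and version-disclosing headers in a response; the header list, value checks and the two sample responses are my assumptions, constructed inline so it runs offline.

```python
from typing import Dict, List

# Added example, not from the original post. The expected headers and the
# value checks below are assumptions based on common hardening guidance.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}

# Headers that typically reveal platform or version details.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header map (names matched case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, ok in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing header: {name}")
        elif not ok(lower[name]):
            findings.append(f"weak value for {name}: {lower[name]!r}")
    for name in DISCLOSURE_HEADERS:
        value = lower.get(name, "")
        # A digit in Server/X-Powered-By almost always means a version string.
        if value and any(ch.isdigit() for ch in value):
            findings.append(f"version disclosure in {name}: {value!r}")
    csp = lower.get("content-security-policy", "").lower()
    if "'unsafe-inline'" in csp and "nonce-" not in csp:
        findings.append("CSP allows 'unsafe-inline' without nonces")
    return findings


# Constructed sample responses: an unhardened default and a hardened one.
SAMPLE_WEAK = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
}
SAMPLE_HARDENED = {
    "Server": "web",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
}
```

Running `audit_headers(SAMPLE_WEAK)` yields six findings (three missing headers, one weak value and two version disclosures), while `SAMPLE_HARDENED` yields none.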

CWEs List for Security Misconfiguration

References To Get More Understanding of Security Misconfiguration

This will be all for the Day 9 post. Hope you enjoyed it, kindly let me know in the comments section. Be sure to check out other blog posts of interest or come back tomorrow for the next day’s post.