Item A6 of the 2017 OWASP Top Ten is Security Misconfiguration.
This is a pretty broad term, but I understand it as failing to ensure that the components used in your application are set up correctly for your unique requirements.
Copied straight from the OWASP website:
“Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.”
The following video describes a vulnerability in an AWS S3 bucket's configuration that allows anyone to upload files to a web hosting service:
More and more things are being connected to the internet every day.
Security specialists might be savvy enough to change default settings and configure settings correctly, but would your grandmother be able to secure her smart TV? Or her e-kettle, smart fridge, or i-slippers?
Here is a really good article about someone who decided to make her own “smart home” to see how much of her personal information was being pulled from her life. Scary stuff, and people are inviting it into their lives without even realising.
If you are on Twitter, I highly recommend following The Internet of Shit, it’s a collection of weird and wonderful Internet of Things items and their failures.
Here’s a video from their website that sums it up a bit.
Ways to avoid suffering Security Misconfiguration vulnerabilities
- Change default credentials, and use strong passwords
- Search for known vulnerabilities in components you are using and make changes to plug the gaps
- Patch your software and OS regularly
- Exercise least privilege, and deactivate services (or parts of services) you don’t use
- Listen to podcasts, read blogs, and keep an eye on security breaches in the wild
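To make the S3 misconfiguration from the video and the least-privilege point above concrete, here is an added example (not from the original post or from AWS) that lints a bucket policy document for statements letting anyone write to the bucket. The two policies, the bucket name and the deployment role ARN are constructed samples; the checker works offline on plain JSON and needs no AWS account.

```python
"""Flag public-write statements in an S3 bucket policy document.

Added example for this post. The WEAK_POLICY and FIXED_POLICY below are
constructed samples (bucket name, account id and role are made up), not
policies taken from any real account or from the video.
"""
import fnmatch
import json

# Actions that let a caller create, replace or remove objects. IAM action
# wildcards such as "s3:*" or "s3:Put*" in a policy also match these.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when the statement applies to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_write(action_patterns):
    """True when any granted action pattern covers a write action."""
    return any(
        fnmatch.fnmatchcase(write_action, pattern)
        for pattern in action_patterns
        for write_action in WRITE_ACTIONS
    )


def find_public_write(policy):
    """Return (Sid, reason) pairs for Allow statements that let anyone write.

    A statement is reported when Effect is Allow, the Principal is public and
    a write action is granted. A Condition block is noted but still reported,
    because it must be reviewed rather than assumed to be tight enough.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if not _grants_write(_as_list(stmt.get("Action"))):
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        if stmt.get("Condition"):
            findings.append((sid, "public write gated only by Condition"))
        else:
            findings.append((sid, "public write with no Condition"))
    return findings


# Constructed sample: the site is readable by all, but anyone may also upload.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site-bucket/*"},
    {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": "arn:aws:s3:::example-site-bucket/*"}
  ]
}""")

# Constructed sample: same public read, uploads limited to one deployment role.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site-bucket/*"},
    {"Sid": "DeployUpload", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/site-deployer"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-site-bucket/*"}
  ]
}""")


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, find_public_write(policy) or "no public-write statements")
```

Public read is left alone on purpose: a static website bucket needs it. The finding is the write grant to a wildcard principal, and the fix is the least-privilege version where only the deployment role can put objects. The same check can be pointed at a policy exported from `aws s3api get-bucket-policy`, since that returns the same JSON document shape.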
Thanks for reading. My next post will be about OWASP item #7, Cross-Site Scripting.
I have created an account to track my goals on Habitica, if you would like to find/add me my user id is: b2d1d942-f62b-4487-a77b-58c8a93baa9c
Disclaimer: My posts for this project reflect my own understanding of the topics, if I’ve missed the point completely please pull me up and correct me in the comments section and I’ll fix it up asap. Also, if you know of any examples of the vulnerability and how best to protect against it please share 🙂