#SuperGoalingBros – OWASP Study – 6. Security Misconfiguration

Item A6 of the 2017 OWASP Top Ten is Security Misconfiguration.

This is a pretty broad term, but I understand it as failing to ensure that the components used in your application are set up correctly for your unique requirements.

Copied straight from the OWASP website:

“Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.”

The following video describes a vulnerability in the AWS S3 bucket that allows anyone to upload files into a web hosting service:


More and more things are being connected to the internet every day.

Security specialists might be savvy enough to change default settings and configure settings correctly, but would your Grandmother be able to secure their smart tv? or their E-Kettle, or Smart Fridge, or i-Slippers?

Here is a really good article about someone who decided to make her own “smart home” to see how much of her personal information was being pulled from her life. Scary stuff, and people are inviting it into their lives without even realising.

If you are on Twitter, I highly recommend following The Internet of Shit, it’s a collection of weird and wonderful Internet of Things items and their failures.

Here’s a video from their website that sums it up a bit

 


Ways to avoid suffering Security Misconfiguration vulnerabilities

  • ┬áChange default credentials, and use strong passwords
  • Search for known vulnerabilities in components you are using and make changes to plug the gaps
  • Patch your software and OS regularly
  • Exercise least privilege, and de-activate services (or parts of services) you don’t use
  • Listen to podcasts, read blogs, and keep an eye on security breaches in the wild

Thanks for reading, my next post will be about OWASP item #7 Cross Site Scripting

I have created an account to track my goals on Habitica, if you would like to find/add me my user id is: b2d1d942-f62b-4487-a77b-58c8a93baa9c


Disclaimer: My posts for this project reflect my own understanding of the topics, if I’ve missed the point completely please pull me up and correct me in the comments section and I’ll fix it up asap. Also, if you know of any examples of the vulnerability and how best to protect against it please share ­čÖé

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: