2021 OWASP Top Ten: Security Misconfiguration
Security Misconfiguration: OWASP Top 10 Risk #5
Understanding Security Misconfiguration
- John Wagner introduces the topic of security misconfiguration as the fifth risk in the OWASP Top 10 for 2021, distinguishing it from insecure design.
- Security misconfiguration occurs when security components are present but not properly configured, such as failing to change default passwords.
- This risk has moved up from the sixth position in the previous edition (2017), highlighting its growing prevalence; 90% of tested applications showed some form of misconfiguration.
Identifying Vulnerabilities
- Key indicators of potential vulnerabilities include unnecessary features being enabled, unchanged default accounts and passwords, and security features that remain disabled after a software upgrade.
- Applications may also lack proper security headers or directives, or run outdated and vulnerable software.
Scenarios Illustrating Misconfigurations
- An example scenario involves an application running on a server that includes a sample application with known vulnerabilities that was not removed during installation.
- Attackers can exploit these vulnerabilities if default accounts remain unchanged, allowing unauthorized access to the application server.
Error Messaging Risks
- Another scenario highlights how overly detailed error messages can inadvertently provide attackers with information about software versions and underlying flaws.
- Such details could enable attackers to identify specific vulnerabilities within the application, leading to potential exploitation.
Challenges in Mitigating Misconfigurations
Hardening Application Security: Key Strategies
Importance of Hardening Guides
- Emphasizes the necessity of consulting hardening guides for each framework used in applications, despite the extensive reading and effort required.
Secure TLS Configuration
- Suggests using Mozilla's SSL config generator to establish secure Transport Layer Security (TLS) settings, aiming for high security ratings like an A+.
Repeatable Hardening Processes
- Advocates for a repeatable hardening process that simplifies deploying secure environments, especially relevant in modern application development involving automation and containerized microservices.
Minimal Platform Approach
- Recommends maintaining a minimal platform by removing unnecessary features or components, aligning with the principle of least privilege to enhance security.
Client-Side Security Directives
- Discusses implementing security headers such as HTTP Strict Transport Security (HSTS) to bolster client-side security measures.
Automation in Configuration Verification
- Stresses the importance of automating processes to verify configuration effectiveness across all environments, addressing potential security misconfigurations.
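An added example (not from the talk) of the kind of automated verification the last two points describe: a check that a response carries the client-side security headers a hardening guide would require (HSTS with a long max-age, nosniff, a CSP) and does not leak a version string in Server or X-Powered-By. The header names and thresholds are standard; the two sample responses are constructed.

```python
# Added example: automated security-header verification that can run against
# every environment after deployment. Threshold and header names follow common
# hardening guidance; the sample responses below are constructed.
HSTS_MIN_AGE = 31536000  # one year, the value most hardening guides require


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=31536000; includeSubDomains' into a directive dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip().lower()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name] = val if val else True
    return directives


def check_security_headers(headers: dict) -> list:
    """Return a list of 'Header: problem' findings; empty means the checks pass.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security: missing")
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"]) if str(d.get("max-age", "")).isdigit() else 0
        if max_age < HSTS_MIN_AGE:
            findings.append(f"Strict-Transport-Security: max-age {max_age} below {HSTS_MIN_AGE}")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security: includeSubDomains not set")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: missing or not 'nosniff'")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy: missing")
    # A version number in Server/X-Powered-By is the same information leak the
    # talk's verbose-error-message scenario warns about.
    for name, label in (("server", "Server"), ("x-powered-by", "X-Powered-By")):
        if any(ch.isdigit() for ch in h.get(name, "")):
            findings.append(f"{label}: discloses a version number")
    return findings


# Constructed samples: a default install next to a hardened configuration.
DEFAULT_HEADERS = {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"}
HARDENED_HEADERS = {"Server": "Apache", "X-Content-Type-Options": "nosniff",
                    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
                    "Content-Security-Policy": "default-src 'self'"}

if __name__ == "__main__":
    for finding in check_security_headers(DEFAULT_HEADERS):
        print(finding)
```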
Challenges in Modern Applications
- Acknowledges the complexities involved in securing applications spread across multiple cloud environments and highlights how overlooked details can lead to vulnerabilities exploited by attackers.
Conclusion on Application Security