Computing systems and applications often experience security misconfigurations that can potentially expose them to cyber criminals. According to a Threat Stack report, over 73% of companies experience at least one critical security misconfiguration. The Open Web Application Security Project (OWASP) updated its famous list of top 10 vulnerabilities in 2021, with security misconfiguration ranking as the 5th most dangerous risk.
What Is a Security Misconfiguration?
A security misconfiguration is when security options are not defined in a way that maximizes security, or when services are deployed with insecure default settings. This can happen in any computing system, software application, as well as in cloud and network infrastructure. Security misconfiguration is a common cause of cyber attacks and successful data breaches.
Frameworks have made programming easy, reducing the time and effort spent building an application. However, these frameworks have complex configurations, increasing the risk of security misconfigurations. Similarly, open source code is widely used, and might come with default configurations that compromise security and make the application insecure.
Security misconfiguration is an easy-to-target vulnerability. It is typically easy to detect misconfigured web servers and applications, and hackers can exploit the vulnerabilities they discover to cause significant damage.
This risk of misconfiguration can pose a threat to the entire application stack – network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage.
What Is OWASP Security Misconfiguration (A05:2021)?
The OWASP list of Top 10 Web Application Vulnerabilities, updated in 2021, ranked security misconfiguration as the 5th most critical AppSec risk. According to the research, over 90% of applications reported misconfiguration, with an average incident rate of 4%. One reason it is gaining popularity among cyber attackers is that it affects not just web assets but every component that requires configuration.
According to OWASP, applications are vulnerable to security misconfiguration if they lack sufficient hardening or have improperly configured cloud service permissions. Additional concerns include redundant features, default settings and passwords, visible error handling information, and misconfigured or disabled security features.
It is important to ensure application frameworks and servers have secure settings and that all software components are up to date. The servers should send security directives or headers to clients. OWASP offers recommendations to avoid security misconfiguration issues—these include implementing repeatable, automated security hardening processes, segmenting the application architecture, and keeping the platform minimal.
6 Types of Security Misconfigurations
You could be a victim of security misconfiguration for several reasons. With multiple parties involved in developing a web application, proper implementation of a security framework could slip through the cracks. Undertrained staff, lack of understanding, and failure to review patches are some causes. The most common security misconfigurations are listed below:
1. Unpatched systems
Attackers can exploit a bug that has not been patched to execute a malicious program. Cybercriminals commonly scan environments for unpatched systems and use them to access applications illegally.
2. Default account settings
You might set up a few trust configurations to streamline access between systems. However, this opens up your application to attacks and breaches across your network that compromise vital data.
3. Unencrypted files
Unencrypted or poorly encrypted files give hackers ample opportunity to illegally access your system, steal data or modify it with false information.
4. Unsecured devices
Using compromised devices or credentials, or reusing the same passwords for different systems, could make your environment insecure. If attackers gain unauthorized access to even one of your systems, the entire network could be exploited.
5. Web application and cloud misconfiguration
Attackers could detect misconfiguration vulnerabilities in your system and exploit them, causing severe harm directly or indirectly.
6. Insufficient firewall protection
If you leave services running on a firewall, it could expose a window for attackers to exploit vulnerabilities and disrupt your system.
8 Examples of Security Misconfigurations
Unlike other appsec risks, security misconfiguration presents a ‘gateway risk.’ This means that the attacker gets information, which he can use to exploit your application. Here are examples to understand this type of vulnerability better.
1. Sample Applications Vulnerability
When you skip or miss removing sample applications that come packaged with the application server, they end up on the production server. This gives hackers an opportunity, since the sample applications contain known security gaps which can be exploited.
The hacker can easily access the server through the default passwords if you fail to deactivate default accounts.
2. Directory Listing Vulnerability
This occurs when you don’t deactivate the directory listing on the server. By not doing so, you enable attackers to access directories and simply download the compiled Java classes. Using these, hackers can reverse engineer them to access the code and detect control flow in the application.
3. Error Message Vulnerability
When you set up a configuration that releases detailed error messages to the users, it becomes a potential threat to your application security. The server’s critical information and layered flaws will become public knowledge through the error information. This opens up an easy way into your system.
4. Default Privileges Vulnerability
Often when you use a cloud service provider, it comes with default sharing permissions that are enabled for other users of the service provider. Unfortunately, this means that confidential data such as privilege credentials are stored in the cloud and accessed in multiple illegal ways.
5. Unnecessary Features Vulnerability
Enabling unnecessary features such as services, components, accounts, ports or pages that are not used frequently makes your system vulnerable to attackers. Hackers could employ techniques like code injection to introduce malicious programs. This code, when executed, could allow admin access to a hacker.
6. Improper Data Validation Vulnerability
Not following coding practices is one fundamental cause of security misconfiguration attacks. One such lapse is not implementing proper input/output data validation. This opens up your server to cyberattacks causing severe damage to your application and organization. A solution like Aqua that scans every component at each stage of the delivery process is essential in spotting data validation risks.
7. Unpublished URLs Vulnerability
One common oversight is retaining URLs that are not intended to receive traffic. However, these unpublished URLs, which need to be removed or blocked, can widen the attack surface against your application. Attackers are constantly on the lookout to spot such vulnerabilities, which could pose a significant risk when detected.
8. Out-of-date Software Vulnerability
Once a software application is deployed and running you might forget to run regular scans to detect vulnerabilities. More often than not, vendors release upgrades for their open-source software, fixing gaps or bugs. But if you fail to update your application with the available upgrades, attackers could utilize this opportunity to gain unauthorized access. Aqua is able to scan code repositories looking for old and unsecured code. Aqua can do this both in internal code repositories, and external ones such as on GitHub.
How to Prevent Security Misconfiguration
Preventing a security misconfiguration attack might seem strenuous since it comprises various vulnerabilities. Attackers could use any type of misconfiguration to attack your web application and intrude on your confidential files. However, a few simple practices could secure your system from such attacks. Let’s take a look at the preventive measures you need to employ against security misconfiguration.
Adopt Repeatable Hardening Processes
This streamlines the deployment of properly configured web applications and servers. You should also ensure that configurations across environments (development, production, and testing) are in sync but with different authorizations.
Automate Repetitive Tasks
An automated process does a better job of repetitive configuration tasks than humans. So, automate as many tasks as you can across development and production to sanitize configuration and verify security settings. Leveraging a solution like Aqua will help automate security tasks at each step.
Regularly Update Software
As a best practice, you must regularly update your software, especially when using third-party code. Updates often contain patches or fixes for any vulnerabilities that were detected recently.
Conduct Frequent Audits
Employ periodic inspection to detect and mitigate potential security misconfigurations and appsec risks. Here again, Aqua can give you all the information you need to conduct an audit at any time. Aqua tracks and monitors each step accurately and delivers end-to-end visibility.
Build Segmented Architecture
It is crucial to build a robust application architecture that is secure and segmented to create effective separation between components and assets. It is a good strategy to leverage containerization or cloud security groups (ACLs).
Avoid Unused Features
As a part of the installation process, you need to remove any unused features, documentation, components, and samples, and make the application a minimal platform.
Other best practices to prevent security misconfiguration attacks are:
- Emphasize the importance of security configurations to your team and the best practices to achieve absolute security
- Eliminate cloud storage permissions and verify predefined privileges in the software
- Avoid enabling directory browsing and turn off non-essential functionalities
- Do not allow debugging tools to access the server or display internal errors publicly
- Ensure that you update all your packages and libraries
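As an added example (not from the original article or from any vendor tool), the following script shows how the directory listing, error message and security header checks described above can be automated against responses from your own application. The header baseline, the finding names and the sample responses are assumptions constructed for illustration.

```python
import re

# Assumed baseline of response headers; adjust to your own policy.
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options")
# Titles produced by common auto-generated directory indexes.
LISTING = re.compile(r"<title>\s*(Index of /|Directory listing for )", re.I)
# Stack-trace fragments (Python or Java style) leaked in an error body.
STACK_TRACE = re.compile(
    r"(Traceback \(most recent call last\)|^\s+at [\w.$]+\([\w.]+:\d+\)|"
    r"Exception in thread)", re.M)
# Server / X-Powered-By values that reveal a version number.
VERSIONED = re.compile(r"/\d+(\.\d+)+")


def audit_response(status, headers, body):
    """Return a sorted list of finding codes for one captured HTTP response."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = set()
    if status == 200 and LISTING.search(body):
        findings.add("directory-listing")
    if status >= 500 and STACK_TRACE.search(body):
        findings.add("verbose-error")
    for name in ("server", "x-powered-by"):
        if VERSIONED.search(hdrs.get(name, "")):
            findings.add("version-disclosure:" + name)
    for name in REQUIRED_HEADERS:
        if name not in hdrs:
            findings.add("missing-header:" + name)
    return sorted(findings)


# Constructed sample responses (path -> status, headers, body); not real captures.
SAMPLES = {
    "/classes/": (200, {"Server": "Apache/2.4.41"},
                  "<html><head><title>Index of /classes</title></head></html>"),
    "/checkout": (500, {"Content-Type": "text/html"},
                  "java.lang.NullPointerException\n"
                  "\tat com.example.Cart.total(Cart.java:42)\n"),
    "/": (200, {"Strict-Transport-Security": "max-age=31536000",
                "Content-Security-Policy": "default-src 'self'",
                "X-Content-Type-Options": "nosniff", "Server": "nginx"},
          "<html><title>Home</title></html>"),
}

if __name__ == "__main__":
    for path, (status, headers, body) in SAMPLES.items():
        print(path, audit_response(status, headers, body) or "OK")
```

Run as part of a deployment pipeline, a check like this turns the hardening items above into a repeatable test that fails the build when a listing, stack trace or missing header reappears.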