Eilon Elhadad
Mar 28 · 8 min read
More than 154 million profiles of US voters were exposed after a hacker accessed a database hosted on Google Cloud. The profiles included not only each voter's name, age and gender, but also details such as gun ownership, email address and estimated income. The incident is a reminder that technology has its perils, and that robust security measures are needed to keep data secured end to end.
Web applications are prone to a wide range of security risks and vulnerabilities, and security misconfiguration, which can expose an application directly to attackers, is among the most common. According to a Threat Stack report, over 73% of companies have at least one critical security misconfiguration. The Open Web Application Security Project (OWASP), a non-profit organization, released its Top 10 list of web application risks for 2021, in which security misconfiguration ranks 5th (A05:2021).
In this article, we’ll take a detailed look at 8 examples of OWASP security misconfiguration, and how to defend networks against them. We also mention how Argon can help you mitigate these risks across your entire supply chain.
A security misconfiguration is a vulnerability that arises when the security settings of an application, website or server are left at insecure defaults, implemented incompletely, or set in a way that departs from best practice or industry standards.
Ready-made frameworks have made development faster, reducing the time and effort spent building an application. But this widely used approach also opens the web application up to new risks. Frameworks, application servers and open-source components usually ship with defaults chosen for convenience rather than security: sample applications, default accounts and passwords, verbose error output, and permissive file and directory access. If these preset features are not removed or tightened before deployment, they give attackers a ready-made way to target your system.
Security misconfiguration is an easy-to-target vulnerability as it is effortless to detect misconfigured web servers and applications. However, hackers can exploit this vulnerability to cause significant damage via illegal access to files and confidential data.
This risk can cause vulnerability across an application stack – network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage.
OWASP Top 10 2021 ranks security misconfiguration as the 5th most critical appsec risk. According to the data behind that list, 90% of applications were tested for some form of misconfiguration, with an average incidence rate of about 4%. One reason it is gaining popularity among attackers is that it does not just affect web assets but every component that requires configuration.
You could fall victim to security misconfiguration for several reasons. With multiple parties involved in developing a web application, the proper implementation of a security framework can slip through the cracks. Undertrained staff, lack of understanding, and failure to review patches are some of the causes. The most common security misconfigurations are listed below:
Unpatched flaws. Attackers can exploit a known bug that has not been patched to execute malicious code. Cybercriminals routinely scan environments for unpatched systems and use them to gain unauthorized access to applications.
Unnecessary trust relationships. You might set up trust configurations between systems to streamline access. However, each such relationship extends the reach of an attacker who compromises one side of it, exposing vital data across your network.
Unencrypted or poorly encrypted files. Data stored or transmitted without adequate encryption gives attackers ample opportunity to read it, steal it or tamper with it by inserting false information.
Compromised devices or reused credentials. Using compromised devices or credentials, or reusing the same passwords across systems, makes your whole environment insecure: an attacker who gains unauthorized access to one system can then move on to the rest of the network.
Misconfigured security controls. A misconfiguration in a security control itself (a firewall, an IAM policy, a web server's access settings) can often be detected remotely and exploited, causing harm directly or serving as a stepping stone to further attacks.
Unneeded services exposed through the firewall. Leaving services reachable through the firewall when they do not need to be opens a window for attackers to exploit vulnerabilities in them and disrupt your system.
Unlike other appsec risks, security misconfiguration presents a 'gateway risk': the misconfiguration itself typically yields information or access that the attacker then uses to exploit your application. Here are examples to understand this type of vulnerability better.
Sample applications. When you skip or miss removing the sample applications that come packaged with an application server, they get deployed to production along with your own code. This hands attackers an opportunity, since sample applications frequently contain known security flaws that can be exploited.
Default accounts. If you fail to disable default accounts or change their passwords, an attacker can simply log in with the well-known default credentials.
Directory listing. This occurs when directory listing is left enabled on the server. Attackers can then browse directories and download the compiled Java classes, decompile them to reverse engineer the code, and find access-control flaws in the application's control flow.
Detailed error messages. A configuration that returns detailed error messages to users is a threat to application security: stack traces and other error output reveal the server's components, versions and internal flaws, and that information gives attackers an easy way into your system.
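As an added example (not code from the original article or from Argon), the following Python script checks captured HTTP responses for the four misconfigurations just described: reachable sample content, directory listing, stack traces in error pages, and software version banners in response headers. The sample responses are constructed for illustration, and the list of default content paths is an illustrative subset rather than a complete inventory.

```python
"""Added example (not from the original article or from Argon): flag common
web-server misconfigurations in captured HTTP responses. All sample data below
is constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Response:
    path: str
    status: int
    headers: dict
    body: str


# Paths shipped by common application servers that should not be reachable in
# production. Illustrative subset, not a complete inventory.
DEFAULT_CONTENT_PATHS = {"/examples/", "/docs/", "/manager/html", "/phpinfo.php", "/server-status"}

# Markers of an auto-generated directory index (Apache, Tomcat, nginx, IIS).
DIR_LISTING_RE = re.compile(r"<title>Index of /|Directory Listing For|Parent Directory", re.I)

# Markers of a stack trace leaking into the response body.
STACK_TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)"      # Python
    r"|\bat [\w$.]+\(\w+\.java:\d+\)"           # Java
    r"|Exception in thread"                     # Java
    r"|SQLSTATE\["                              # PHP PDO
)

# A product name followed by a version, e.g. Apache/2.4.51 or PHP/8.1.2.
VERSION_BANNER_RE = re.compile(r"^[A-Za-z][\w.-]*/\d+(\.\d+)+")


def check_response(resp: Response) -> list[str]:
    """Return human-readable findings for one response; an empty list means nothing was flagged."""
    findings: list[str] = []
    headers = {k.lower(): v for k, v in resp.headers.items()}
    if resp.status == 200 and resp.path in DEFAULT_CONTENT_PATHS:
        findings.append(f"default/sample content reachable at {resp.path}")
    if resp.status == 200 and DIR_LISTING_RE.search(resp.body):
        findings.append(f"directory listing enabled at {resp.path}")
    if resp.status >= 500 and STACK_TRACE_RE.search(resp.body):
        findings.append(f"error page leaks a stack trace at {resp.path}")
    for name in ("server", "x-powered-by"):
        value = headers.get(name)
        if value and VERSION_BANNER_RE.match(value):
            findings.append(f"{name} header reveals the software version: {value}")
    return findings


def scan(responses: list[Response]) -> dict[str, list[str]]:
    """Map each path with at least one finding to its findings."""
    report: dict[str, list[str]] = {}
    for resp in responses:
        findings = check_response(resp)
        if findings:
            report[resp.path] = findings
    return report


# Constructed responses, as a crawler might have recorded them from a test server.
SAMPLE_RESPONSES = [
    Response("/examples/", 200, {"Server": "Apache-Coyote/1.1"},
             "<html><head><title>Apache Tomcat Examples</title></head>..."),
    Response("/static/", 200, {"Server": "nginx"},
             "<html><head><title>Index of /static/</title></head>..."),
    Response("/api/order", 500, {"Server": "Apache/2.4.51 (Unix)"},
             "java.lang.NullPointerException\n\tat com.shop.OrderService.place(OrderService.java:42)"),
    Response("/", 200, {"Server": "nginx"}, "<html><head><title>Shop</title></head></html>"),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_RESPONSES).items():
        for finding in findings:
            print(f"{path}: {finding}")
```

Fed the responses from a real crawl, the checker reports which of these gateway conditions a server exposes. It is a detection aid for the review step; the fix is still to remove the sample content, disable directory indexes, return generic error pages and suppress version banners in the server configuration.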
Cloud default sharing permissions. Cloud services often come with default sharing permissions that make storage accessible to other users of the provider or to the public internet. If such defaults are left in place, confidential data stored in the cloud, including privileged credentials, can be read by anyone who finds it.
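As an added example (not code from the original article or from Argon), here is a Python audit of a Google Cloud Storage bucket IAM policy for the two special members that open a bucket to everyone (allUsers) or to any Google account holder (allAuthenticatedUsers), together with a function that produces a corrected policy. The policy document, including its project name and etag, is constructed for illustration; in practice it would come from `gsutil iam get gs://BUCKET` or the Storage JSON API's getIamPolicy call.

```python
"""Added example (not from the original article or from Argon): find and remove
public members in a Cloud Storage bucket IAM policy. The policy below is
constructed for illustration."""
from __future__ import annotations

import copy
import json

# Special member identifiers that grant access beyond the project: to everyone
# on the internet (allUsers) or to any Google account (allAuthenticatedUsers).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy: dict) -> list[tuple[str, str]]:
    """Return (role, member) pairs that expose the bucket to public members."""
    return [
        (binding["role"], member)
        for binding in policy.get("bindings", [])
        for member in binding.get("members", [])
        if member in PUBLIC_MEMBERS
    ]


def strip_public_access(policy: dict) -> dict:
    """Return a copy of the policy with public members removed.

    Bindings left with no members are dropped; the input policy is not modified,
    so the before/after can be diffed before the corrected policy is applied.
    """
    fixed = copy.deepcopy(policy)
    kept = []
    for binding in fixed.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if binding["members"]:
            kept.append(binding)
    fixed["bindings"] = kept
    return fixed


# Constructed policy in the shape returned by getIamPolicy (etag value is made up).
SAMPLE_POLICY = json.loads("""{
  "version": 1,
  "etag": "BwXhqDVf1Gk=",
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectCreator",
     "members": ["allAuthenticatedUsers"]}
  ]
}""")

if __name__ == "__main__":
    for role, member in public_bindings(SAMPLE_POLICY):
        print(f"public access: {member} has {role}")
    print(json.dumps(strip_public_access(SAMPLE_POLICY), indent=2))
```

Note that allAuthenticatedUsers is as dangerous as allUsers for confidential data: any Google account qualifies, so it is the "other users of the service provider" case described above. The corrected policy can be applied with `gsutil iam set`, and enabling public access prevention on the bucket (`gsutil pap set enforced gs://BUCKET`) stops the public members from being re-added later.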
Unnecessary features. Enabling features such as services, components, accounts, ports or pages that are not used makes your system more vulnerable. Attackers can employ techniques such as code injection against these unused components to introduce malicious programs which, when executed, can grant them administrative access.
Poor coding practices. Not following secure coding practices is another fundamental cause of security misconfiguration. One such lapse is failing to implement proper input and output validation, which exposes your server to attacks that can cause severe damage to your application and organization. A solution like Argon that scans every component at each stage of the delivery process is essential for spotting data validation risks.
Unpublished URLs. One common oversight is retaining URLs that are not intended to receive traffic. These unpublished URLs, which need to be removed or blocked, widen the attack surface of your application; attackers constantly look for them, and they pose a significant risk once found.
Outdated software. Once an application is deployed and running you might forget to run regular scans for vulnerabilities. Vendors regularly release upgrades for their open-source software that fix bugs and security gaps, but if you fail to apply the available upgrades, attackers can use the known issues to gain unauthorized access. Argon is able to scan code repositories, both internal ones and external ones such as GitHub, for old and insecure code.
Preventing a security misconfiguration attack might seem strenuous since it comprises various vulnerabilities. Attackers could use any type of misconfiguration to attack your web application intruding on your confidential files. However, a few simple practices could secure your system from such attacks. Let’s take a look at the preventive measures you need to employ against security misconfiguration.
A repeatable hardening process. This streamlines the deployment of properly configured web applications and servers. You should also ensure that configuration across environments (development, testing and production) is kept in sync, identical apart from the credentials used in each.
Automation. An automated process does a better job of repetitive configuration tasks than humans. So, automate as many tasks as you can across development and production to sanitize configuration and verify security settings. Leveraging a solution like Argon will help automate security tasks at each step.
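As an added example (not code from the original article or from Argon), the Python check below automates the property the two preceding points describe: the hardening settings of every environment must match the intended values, while credentials must never be shared between environments. The setting names, the two configuration snapshots and the secret values are constructed for illustration and would be mapped onto your own configuration schema.

```python
"""Added example (not from the original article or from Argon): verify that
environments share the same hardening settings but not the same secrets.
Setting names and sample configs are constructed for illustration."""
from __future__ import annotations

# Settings that must hold the same hardened value in every environment.
HARDENING_KEYS = {
    "debug": False,
    "directory_listing": False,
    "verbose_errors": False,
    "tls_min_version": "1.2",
}

# Settings whose values must differ between environments.
SECRET_KEYS = ("db_password", "api_key", "session_secret")


def check_environment(name: str, config: dict) -> list[str]:
    """Report hardening settings that drifted from the expected value in one environment."""
    problems = []
    for key, expected in HARDENING_KEYS.items():
        actual = config.get(key)
        if actual != expected:
            problems.append(f"{name}: {key}={actual!r}, expected {expected!r}")
    return problems


def check_secret_reuse(envs: dict[str, dict]) -> list[str]:
    """Report secrets that are identical in two or more environments (credential reuse)."""
    problems = []
    names = list(envs)
    for key in SECRET_KEYS:
        for i, first in enumerate(names):
            for second in names[i + 1:]:
                value = envs[first].get(key)
                if value and value == envs[second].get(key):
                    problems.append(f"{key} is shared between {first} and {second}")
    return problems


def audit(envs: dict[str, dict]) -> list[str]:
    """Run both checks over all environments and return every problem found."""
    problems = []
    for name, config in envs.items():
        problems += check_environment(name, config)
    problems += check_secret_reuse(envs)
    return problems


# Constructed snapshots of two environments' effective configuration.
SAMPLE_ENVS = {
    "development": {
        "debug": True, "directory_listing": False, "verbose_errors": False, "tls_min_version": "1.2",
        "db_password": "dev-only-pw", "api_key": "k-1111", "session_secret": "s-shared",
    },
    "production": {
        "debug": False, "directory_listing": False, "verbose_errors": True, "tls_min_version": "1.2",
        "db_password": "prod-pw", "api_key": "k-2222", "session_secret": "s-shared",
    },
}

if __name__ == "__main__":
    for problem in audit(SAMPLE_ENVS):
        print(problem)
```

Run as a pipeline gate, a non-empty result fails the deployment. The shared session secret is the case that is easy to miss by eye: each environment looks correctly configured on its own, and only the cross-environment comparison shows that compromising development would also let an attacker forge production sessions.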
Regular updates. As a best practice, regularly update your software, especially third-party code. Updates often contain patches or fixes for recently discovered vulnerabilities.
Periodic audits. Employ periodic inspection to detect and mitigate potential security misconfigurations and appsec risks. Here again, Argon can give you all the information you need to conduct an audit at any time. Argon tracks and monitors each step accurately and delivers end-to-end visibility.
A segmented architecture. It is crucial to build a robust application architecture that is secure and segmented, with effective separation between components and assets. Containerization and cloud security groups or network ACLs are good tools for enforcing that separation.
A minimal platform. As part of the installation process, remove any unused features, documentation, components and samples, so that the application runs on a minimal platform.
Other best practices to prevent security misconfiguration attacks are:
Dynamic and complex applications continue to favor the use of third-party vendors and open-source software. Unfortunately, this only increases the chances of a security breach. Security misconfiguration is not only one of the OWASP Top 10 appsec risks but is also moving up the list. It occurs due to human error and gives attackers a fairly easy way into the system, potentially compromising the entire environment.
In addition to implementing security configurations properly, you need to constantly track, manage and safeguard infrastructure to mitigate vulnerabilities that occur due to misconfiguration. Argon is a powerful security solution that eliminates supply chain risks due to misconfiguration, vulnerabilities and weak dependencies. Argon provides holistic, multi-layered prevention of supply chain threats. OWASP security misconfiguration poses numerous issues for security. However, by following the best practices mentioned here, and leveraging a capable security solution like Argon, you can ensure that OWASP security misconfiguration issues are a thing of the past.