Risk A6 in OWASP - Incorrect Security Configuration.

In our post "What is OWASP and why every developer should know about it" we introduced OWASP and explained why it is so important in the development of web applications. Within the Top Ten project, we will look briefly at each of the ten most critical security risks in web applications. Today it is the turn of Risk A6 - Incorrect Security Configuration.
Definition
This risk covers any vulnerability that has not received its due patch (that is, applications with detected security errors) and configuration errors that allow access to default accounts, files, directories or unprotected pages.
Examples
- Development or test environments with default access credentials such as admin@admin.com / 12345.
- Environments configured to display code errors to the user or file listings on web servers.
Prevention
- Do not use platforms/frameworks with many functions, components or services that will not be used.
- Applications must have a segmented architecture that allows for secure separation of components and access to third parties, containers, or security groups in the cloud (ACLs).
- There must be a process to review and update default configurations and security patch management in applications.
- An automated process should be used to verify the effectiveness of adjustments and configurations in all environments.
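One way to automate the last check, as an added example that is not part of the original post: a small audit that scans each environment for the misconfigurations listed under Examples (default credentials, errors shown to users, file listings). The environment names, the combined config snippets and the seeded account lists are constructed assumptions; the directives matched (nginx autoindex, Apache Options Indexes, PHP display_errors) are real settings.

```python
import re

# Default credentials taken from the post's example; extend with your own list.
DEFAULT_CREDENTIALS = {("admin@admin.com", "12345")}

# (finding, pattern) pairs for directives that expose file listings or errors.
RISKY_DIRECTIVES = [
    ("directory listing enabled (nginx autoindex)", re.compile(r"^\s*autoindex\s+on\s*;", re.I)),
    ("directory listing enabled (Apache Indexes)", re.compile(r"^\s*Options\b.*(?<!-)\bIndexes\b", re.I)),
    ("errors displayed to users (PHP display_errors)", re.compile(r"^\s*display_errors\s*=\s*(on|1|true)\b", re.I)),
]

def audit_environment(name, config_text, seeded_accounts):
    """Return a list of findings for one environment."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for label, pattern in RISKY_DIRECTIVES:
            if pattern.search(line):  # commented-out lines do not match
                findings.append(f"{name}: line {lineno}: {label}")
    for user, password in seeded_accounts:
        if (user.lower(), password) in DEFAULT_CREDENTIALS:
            findings.append(f"{name}: default credentials still active for {user}")
    return findings

def audit_all(environments):
    """Audit every environment; a non-empty result should fail the pipeline."""
    findings = []
    for name, (config_text, accounts) in environments.items():
        findings.extend(audit_environment(name, config_text, accounts))
    return findings

# Constructed sample input: combined config snippets and seeded accounts.
ENVIRONMENTS = {
    "test": (
        "autoindex on;\ndisplay_errors = On\nOptions -Indexes\n",
        [("admin@admin.com", "12345")],
    ),
    "production": (
        "autoindex off;\ndisplay_errors = Off\n# autoindex on;\n",
        [("ops@example.com", "constructed-long-random-value")],
    ),
}

if __name__ == "__main__":
    for finding in audit_all(ENVIRONMENTS):
        print(finding)
```

Run in a deployment pipeline against every environment, any finding should block the release until the setting is corrected.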