What is Security Misconfiguration?
This is one of those vulnerabilities that is a bit hard to pinpoint. Security misconfigurations can range from how current your frameworks are, to the settings in Web.config, to the access rights of database accounts. It is based on how the configurable settings around the application are handled, not on the code itself. If your app uses a web server, a framework, an app platform, a database or a network, or contains any code at all, you are at risk of security misconfiguration. So, to put it into perspective, that would be all of us.
What are the risks?
In a lot of cases there’s a set-it-and-forget-it approach to network security that exacerbates the problem. It has become an accepted fact in the IT community that misconfiguration and missing patches are the most significant vulnerabilities enterprises and businesses face today. When networks are so messily configured and maintained, bad guys can drive a virtual bulldozer through completely unnoticed. The more open the Wi-Fi access, the more of a prime target we become for hackers looking for security holes to exploit.
Let’s take a peek at how OWASP rates the vulnerability and potential fallout:
| OWASP column | A5 – Security Misconfiguration |
|---|---|
| Threat Agents | Consider anonymous external attackers as well as users with their own accounts that may attempt to compromise the system. Also consider insiders wanting to disguise their actions. |
| Attack Vectors | Attacker accesses default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system. |
| Security Weakness | Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Developers and network administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc. |
| Technical Impacts | Such flaws frequently give attackers unauthorized access to some system data or functionality. Occasionally, such flaws result in a complete system compromise. |
| Business Impacts | The system could be completely compromised without you knowing it. All your data could be stolen or modified slowly over time. Recovery costs could be expensive. |
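As an added example (not part of the original page or of the company's own tooling), the following Python script performs the kind of automated configuration check described above against the Web.config settings mentioned earlier: it flags development-time values that are unsafe in production and shows the hardened file beside the weak one. Both configuration files are constructed samples; the rules and fallback defaults follow ASP.NET's documented defaults for these elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config with several settings left in a development state.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
  </system.web>
</configuration>
"""

# Constructed sample of the same file with the settings hardened for production.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.5" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />
    <trace enabled="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
"""

# Each rule: (element path under <configuration>, attribute, ASP.NET default when the
# attribute is omitted, value that counts as a misconfiguration, finding text).
RULES = [
    ("system.web/compilation", "debug", "false", "true", "compilation debug=true leaks stack traces and source lines"),
    ("system.web/customErrors", "mode", "remoteonly", "off", "customErrors mode=Off shows detailed errors to remote users"),
    ("system.web/trace", "enabled", "false", "true", "trace enabled=true exposes request tracing"),
    ("system.web/trace", "localOnly", "true", "false", "trace localOnly=false exposes trace.axd to remote clients"),
    ("system.web/httpCookies", "httpOnlyCookies", "false", "false", "httpOnlyCookies=false lets script read session cookies"),
    ("system.web/httpCookies", "requireSSL", "false", "false", "requireSSL=false sends cookies over plaintext HTTP"),
]

def audit_web_config(xml_text):
    """Return the list of findings for one Web.config document (empty if clean)."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, attr, default, weak_value, message in RULES:
        elem = root.find(path)
        # An omitted element or attribute is judged by its default, so that a setting
        # left out of the file is treated the same as one written out explicitly.
        value = elem.get(attr, default) if elem is not None else default
        if value.lower() == weak_value:
            findings.append(message)
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_web_config(cfg))
```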
What we can do to help you.
We will conduct regular penetration tests and maintain security control audits. In doing so, you will receive a detailed report listing the severity of risk, type of vulnerability, OWASP reference, the impact and an overall test result. We will offer you active solutions and recommendations on how to fix security misconfigurations. As a result, you can ensure your software is trustworthy, up to date, secure and protected in all ways.
For more information and a free estimate please contact us today.
© 2012 Toronto Professional services LTD. All rights reserved