Background
The most common source of breaches in the wild. Default passwords. Admin interfaces facing the public internet. Verbose error messages. Cloud storage buckets accidentally public.
Questions to ask yourself
- Are admin interfaces reachable from the public internet?
- Are cloud storage buckets, databases, or APIs facing the internet without auth?
- Are we showing detailed error messages to users?
- Has anyone reviewed our server and cloud configuration against a benchmark?
For owners — questions to ask your developer
Questions to ask your developer
Three of these you can run yourself; the fourth is a question to ask.
- 01Verify yourself: Run Security Headers on your site. Aim for at least a B grade. The fixes are header changes that cost nothing.
- 02Verify yourself: Try the obvious admin paths (
/admin,/wp-admin,/phpmyadmin) from outside the office Wi-Fi. If they load a login page, ask why they're internet-facing. - 03“Are we using Microsoft Defender for Cloud / AWS Trusted Advisor / Google SCC to flag misconfigurations? Show me last month's report.”