Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

OWASP A05: Security misconfiguration

Are your servers and tools properly locked down?

Based on the OWASP Top 10 — 2021 edition. Check owasp.org/Top10 for the current edition.

Background

The most common source of breaches in the wild. Default passwords. Admin interfaces facing the public internet. Verbose error messages. Cloud storage buckets accidentally public.

Questions to ask yourself

  • Are admin interfaces reachable from the public internet?
  • Are cloud storage buckets, databases, or APIs facing the internet without auth?
  • Are we showing detailed error messages to users?
  • Has anyone reviewed our server and cloud configuration against a benchmark?

For owners — questions to ask your developer

Questions to ask your developer

Three of these you can run yourself; the fourth is a question to ask.

  • 01Verify yourself: Run Security Headers on your site. Aim for at least a B grade. The fixes are header changes that cost nothing.
  • 02Verify yourself: Try the obvious admin paths (/admin, /wp-admin, /phpmyadmin) from outside the office Wi-Fi. If they load a login page, ask why they're internet-facing.
  • 03“Are we using Microsoft Defender for Cloud / AWS Trusted Advisor / Google SCC to flag misconfigurations? Show me last month's report.”