The sixth category in the OWASP Top 10 is security misconfiguration. OWASP notes that security misconfiguration is the most common issue in its data. The main cause is configuration mistakes, such as using the default configuration (or no configuration at all), misconfigured communication headers, missing system updates, old frameworks, vulnerable third-party dependencies, and so on.
When we get software or a product from a provider, it comes with default settings such as passwords, URLs and login credentials.
As responsible users, it is our responsibility to change those settings before we start using the system.
The same product is available to millions of users, so everybody knows its default settings and configuration. Attackers can use this public knowledge to take advantage of your system, so we always need to make sure we are not using any default or outdated configuration in our system.
How to secure configurations?
1. Do not use Defaults
Products always come with default settings and configuration. We should not use those defaults and must change them before use.
Every time we update our software or product with new firmware, we should make sure the configuration is still secure and has not been restored to the defaults.
Default configurations are effectively public information, known to everyone, so always avoid them.
Always choose the most secure options when you replace the default configuration. Default configurations are usually the least secure configuration, chosen to help users run the application for the first time.
2. Always keep the system up to date.
When you use software or an application, always register it with the manufacturer or developer. This helps you keep receiving the security updates and patches that keep your system current.
Most software applications keep updating for the latest technology and newly found security vulnerabilities. If you are registered for security updates, you receive those updates automatically.
If the software application does not issue automatic updates, you should follow the manual update process.
3. Verify before you deploy
Once we are ready with our configuration changes and about to go live, we should test and verify each and every configuration from a security point of view.
Similarly, on every update we should verify the configuration before we go live.
This kind of verification helps us rule out any misconfiguration and also tells us whether something broke with the update.
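As an added example (not code from the original article), here is a small pre-deployment audit that ties together points 1 and 3 above: it checks a constructed application configuration and its HTTP response headers for vendor defaults still in place, debug mode, and missing or weak security headers. The config keys, default values and sample headers are constructed for this example; the header names are standard HTTP security headers.

```python
# Added example, not from the original article: audit a constructed app config and its
# HTTP response headers for the misconfiguration classes the article lists.

# Constructed: values a vendor might ship as defaults; never acceptable in production.
KNOWN_DEFAULTS = {
    "admin_password": {"admin", "password", "changeme", ""},
    "api_key": {"", "changeme", "default"},
}

# Standard HTTP security headers a hardened deployment should send, each with an acceptance check.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "X-Content-Type-Options": lambda v: v.lower() == "nosniff",
    "Content-Security-Policy": lambda v: len(v) > 0,
    "X-Frame-Options": lambda v: v.upper() in {"DENY", "SAMEORIGIN"},
}

def audit_config(config: dict, headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key, bad_values in KNOWN_DEFAULTS.items():
        if config.get(key) in bad_values:
            findings.append(f"default value still in use: {key}")
    if config.get("debug") is True:
        findings.append("debug mode enabled in production config")
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name, accepts in REQUIRED_HEADERS.items():
        value = lowered.get(name.lower())
        if value is None:
            findings.append(f"missing security header: {name}")
        elif not accepts(value):
            findings.append(f"weak value for {name}: {value!r}")
    if any(ch.isdigit() for ch in lowered.get("server", "")):
        findings.append(f"Server header leaks a version string: {lowered['server']!r}")
    return findings

# Constructed samples: the product as shipped (fails the audit) and after hardening (passes).
SHIPPED_CONFIG = {"admin_password": "admin", "api_key": "", "debug": True}
SHIPPED_HEADERS = {"Server": "ExampleServer/2.4.1", "X-Frame-Options": "ALLOWALL"}
HARDENED_CONFIG = {"admin_password": "R0tated-Secret!", "api_key": "key-from-vault", "debug": False}
HARDENED_HEADERS = {
    "Server": "ExampleServer",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for finding in audit_config(SHIPPED_CONFIG, SHIPPED_HEADERS):
        print("FAIL:", finding)
```

Running it against the shipped sample reports eight findings, while the hardened sample reports none; a check like this belongs in the release pipeline so a firmware or package update that quietly restores defaults is caught before go-live.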