OWASP In Depth: A05:2021 – Security Misconfiguration

From Insecure Design last week to Insecure Configuration this week!


Unlike last week’s bleak view on insecure design (spoiler: “cannot be fixed”), Security Misconfiguration is focused on missing, incomplete, or inappropriate configuration that can result in security risks. These risks show up in different places across your app; some can be fixed trivially, while others take more time.

The OWASP Guide provides a rather nice description of different areas to be aware of, so let’s work our way through their list and link each up to practical solutions you can use in your apps.

Security Hardening

Missing appropriate security hardening across any part of the application stack or improperly configured permissions on cloud services.

We’re starting off with a broad topic first, talking about configuring your stack with secure settings from the infrastructure right up to the app level.
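As an added illustration of what “secure settings at the app level” means in practice (this is example code written for this post, not part of the original article or OWASP’s own material), here is a small audit that compares a constructed web-app settings dictionary against a few hardening checks and reports each weak setting beside the fix. The setting names (DEBUG, ALLOWED_HOSTS, SESSION_COOKIE_SECURE, and so on) mimic a typical framework settings file and are assumptions for the example, as are the two sample configurations.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample configurations (not from the post). The insecure one
# collects common out-of-the-box defaults; the hardened one is the same
# file after applying the fixes the audit below recommends.
INSECURE_CONFIG = {
    "DEBUG": True,
    "ALLOWED_HOSTS": ["*"],
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": False,
    "ADMIN_PASSWORD": "admin",
    "DIRECTORY_LISTING": True,
    "SECURITY_HEADERS": {},
}

HARDENED_CONFIG = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["app.example.com"],
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "ADMIN_PASSWORD": "<loaded-from-secret-store>",  # placeholder, not a real value
    "DIRECTORY_LISTING": False,
    "SECURITY_HEADERS": {
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Strict-Transport-Security": "max-age=31536000",
    },
}

# Well-known default or empty credentials that should never ship.
DEFAULT_CREDENTIALS = {"admin", "password", "changeme", ""}

# Headers the audit expects every HTTP response to carry.
REQUIRED_HEADERS = {
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Strict-Transport-Security",
}


@dataclass(frozen=True)
class Finding:
    key: str      # the setting that is misconfigured
    problem: str  # why it matters
    fix: str      # what to change


def audit_config(cfg: dict) -> list[Finding]:
    """Return one Finding per hardening check that the config fails."""
    findings: list[Finding] = []

    if cfg.get("DEBUG"):
        findings.append(Finding("DEBUG", "debug mode leaks stack traces and internals to clients", "set DEBUG to False in production"))

    if "*" in cfg.get("ALLOWED_HOSTS", []):
        findings.append(Finding("ALLOWED_HOSTS", "wildcard host allows Host-header based attacks", "list only the hostnames the app serves"))

    if not cfg.get("SESSION_COOKIE_SECURE"):
        findings.append(Finding("SESSION_COOKIE_SECURE", "session cookie can be sent over plain HTTP", "set SESSION_COOKIE_SECURE to True"))

    if not cfg.get("SESSION_COOKIE_HTTPONLY"):
        findings.append(Finding("SESSION_COOKIE_HTTPONLY", "session cookie is readable from JavaScript", "set SESSION_COOKIE_HTTPONLY to True"))

    if cfg.get("ADMIN_PASSWORD", "") in DEFAULT_CREDENTIALS:
        findings.append(Finding("ADMIN_PASSWORD", "default or empty admin credential", "generate a unique secret and load it from a secret store"))

    if cfg.get("DIRECTORY_LISTING"):
        findings.append(Finding("DIRECTORY_LISTING", "directory listing exposes file layout", "disable directory listing on the web server"))

    missing = sorted(REQUIRED_HEADERS - set(cfg.get("SECURITY_HEADERS", {})))
    if missing:
        findings.append(Finding("SECURITY_HEADERS", f"missing headers: {', '.join(missing)}", "add the missing security headers to every response"))

    return findings


if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print(f"  [{f.key}] {f.problem} -> {f.fix}")
```

Running the script lists seven findings for the insecure config and none for the hardened one; the same check structure extends naturally to infrastructure settings (cloud storage ACLs, open management ports) by adding a check per setting.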