Security Misconfiguration
Introduction to Security Misconfiguration
• Misconfiguration is defined as a configuration mistake that results in unintended application behavior; it includes misuse of default passwords and privileges and excessive disclosure of debugging information.
• It happens when system administrators, DBAs or developers leave security holes in the configuration.
• Good security requires proper configuration of systems.
• The effects of misconfiguration can be harmless, but they can also lead to service outages, loss of sensitive data and other serious problems.
Where?
Security misconfiguration may happen at any of the following levels:
• Operating system or platform
• Web server
• Application server
• Database server
• Framework
• Custom code
Impact
Can be severe:
• Partial or full data loss
• Data modification
• Compromise of the full system
• Expensive recovery
How to test for a security misconfiguration
Automated scanners are useful for detecting misconfigurations, use of default accounts or configurations, unnecessary services, legacy options, etc.
Using Burp to Test for Security Misconfiguration Issues:
Application misconfiguration attacks exploit configuration weaknesses found in web applications. Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database and framework.
Cause: Inadvertent use of default options
Default options are always an easy target for attackers. It is very common for users not to change the default password or not to delete the default user ID.
Some applications also ship with a default port number.
Example:
A default Oracle database installation includes a default user ID and password (user/schema: scott, password: tiger) and the default port number 1521.
Cause: Excess debugging information
Revealing too much debugging information is a very common misconfiguration problem. It usually does not lead directly to the exploitation of a system, but attackers can collect extra information from it, such as the internal workings of an application and version numbers.
Attackers can use this excessive debugging information to craft SQL for a SQL injection attack. Also, when an application fails to perform an action, the resulting error output can leak sensitive information.
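Added example (not from the original slides): the same failed database call handled by a debug-mode error handler that returns everything it knows, next to a production handler that logs the detail server-side under a correlation id and returns only that id. The version string, DSN and query fragment are constructed sample values, and `leaks_internals` is a hypothetical check for the kinds of detail the slide warns about.

```python
import logging
import traceback
import uuid

# Constructed values for the example; a real application would take them
# from its own build metadata and configuration.
APP_VERSION = "example-app 2.3.1 (build 4711)"
DB_DSN = "postgresql://app_user@db.internal:5432/orders"

logger = logging.getLogger("example-app")


def leaky_error_response(exc):
    """The misconfiguration: a debug-mode handler that returns everything it
    knows. Each field hands an attacker information they did not have."""
    return {
        "status": 500,
        "error": repr(exc),                   # exception type and raw message
        "traceback": traceback.format_exc(),  # file paths, line numbers, code
        "version": APP_VERSION,               # exact version to match advisories
        "database": DB_DSN,                   # internal host, port, user, db
    }


def hardened_error_response(exc):
    """Same failure, handled for production: details go to the server log
    under a correlation id, and the client receives only that id."""
    incident_id = uuid.uuid4().hex
    logger.error("incident=%s version=%s exc=%r", incident_id, APP_VERSION,
                 exc, exc_info=exc)
    return {
        "status": 500,
        "error": "An internal error occurred.",
        "incident_id": incident_id,
    }


def handle(exc, debug_enabled):
    """Select the handler the deployment configuration asks for."""
    return leaky_error_response(exc) if debug_enabled else hardened_error_response(exc)


def simulate_failed_query(debug_enabled):
    """Raise a realistic failure (a malformed query reported by the database
    driver) and run it through the configured handler."""
    try:
        raise RuntimeError(
            'syntax error at or near "WHERE" in SELECT * FROM orders WHERE id =')
    except RuntimeError as exc:
        return handle(exc, debug_enabled)


# Markers for the details the slide lists: stack traces, version numbers,
# internal hostnames and query text.
SENSITIVE_MARKERS = ("Traceback", APP_VERSION, "db.internal", "SELECT")


def leaks_internals(response):
    """True if any response field contains one of the sensitive markers."""
    body = " ".join(str(value) for value in response.values())
    return any(marker in body for marker in SENSITIVE_MARKERS)


if __name__ == "__main__":
    print("debug on :", leaks_internals(simulate_failed_query(True)))
    print("debug off:", leaks_internals(simulate_failed_query(False)))
```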
Cause: Improper Policy or Role Configuration
Role misconfiguration is another leading cause of web application misconfiguration.
It allows groups or roles to access settings or records that were not intended for them. There are many reasons for role misconfigurations; complex business roles and policies are often to blame.
Example: allowing admin staff to view human resource data.
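Added example (not from the original slides) of how the admin-staff case above arises and how to catch it: a small role policy with a convenience wildcard grant and a role that inherits another role, audited against each role's intended department scope, next to the least-privilege version of the same policy. Resources, departments and role names are constructed; `audit_roles` and `effective_grants` are hypothetical helpers.

```python
# Constructed catalogue: each resource belongs to one department.
RESOURCES = {
    "employee_salaries": "hr",
    "performance_reviews": "hr",
    "server_inventory": "it",
    "ticket_queue": "it",
    "office_supplies": "admin",
    "meeting_rooms": "admin",
}

# Which departments' data each role is *intended* to reach (the business
# rule the policy is supposed to implement).
INTENDED_SCOPE = {
    "admin_staff": {"admin"},
    "hr_manager": {"hr"},
    "it_operator": {"it"},
}

# Misconfigured policy: a "*" grant added for convenience, and an
# inheritance link that quietly widens it_operator to HR records.
MISCONFIGURED_POLICY = {
    "admin_staff": {"grants": {"*"}, "inherits": []},
    "hr_manager": {"grants": {"employee_salaries", "performance_reviews"},
                   "inherits": []},
    "it_operator": {"grants": {"server_inventory", "ticket_queue"},
                    "inherits": ["hr_manager"]},
}

# Least-privilege policy: every role lists exactly the resources it needs.
LEAST_PRIVILEGE_POLICY = {
    "admin_staff": {"grants": {"office_supplies", "meeting_rooms"}, "inherits": []},
    "hr_manager": {"grants": {"employee_salaries", "performance_reviews"},
                   "inherits": []},
    "it_operator": {"grants": {"server_inventory", "ticket_queue"}, "inherits": []},
}


def effective_grants(policy, role, _seen=None):
    """Resolve everything a role can read: expand the wildcard against the
    catalogue and follow inheritance (with a guard against cycles)."""
    seen = _seen if _seen is not None else set()
    if role in seen:
        return set()
    seen.add(role)
    entry = policy[role]
    grants = set()
    for grant in entry["grants"]:
        grants |= set(RESOURCES) if grant == "*" else {grant}
    for parent in entry["inherits"]:
        grants |= effective_grants(policy, parent, seen)
    return grants


def audit_roles(policy):
    """Map each role to the resources it can reach outside its intended
    department scope; an empty dict means the policy matches the business rule."""
    findings = {}
    for role, scope in INTENDED_SCOPE.items():
        out_of_scope = sorted(resource for resource in effective_grants(policy, role)
                              if RESOURCES[resource] not in scope)
        if out_of_scope:
            findings[role] = out_of_scope
    return findings


def can_read(policy, role, resource):
    """Access decision for one request under the given policy."""
    return resource in effective_grants(policy, role)


if __name__ == "__main__":
    print("misconfigured:", audit_roles(MISCONFIGURED_POLICY))
    print("least privilege:", audit_roles(LEAST_PRIVILEGE_POLICY))
```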
Cause: Human Mistakes
Human mistakes are frequent and unavoidable and can account for up to 43% of all system failures.
Operator error is the main reason for downtime at large websites such as Google, MSN and Yahoo. Proper interfaces and good design can drastically reduce operator mistakes.
Poorly designed application interfaces and overly tight restrictions may push users to attempt to bypass security when they need to accomplish a goal.
Prevention: Basic Policies
• Do not use default credentials.
• Avoid default installations.
• Maintain consistency of configuration between versions.
• Restrict default configuration options.
• Avoid default port numbers.
• Restrict roles and privileges.
• Centralize configuration as much as possible.
• Run regular scans and audits.
• Use strong encryption.
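Added example (not from the original slides) tying the default-options slide to the policies above: a small configuration audit that parses an INI-style application config and flags the Oracle scott/tiger account and port 1521 named earlier, other well-known defaults, and debug switches left on, then shows the same config after the policies are applied. The sample configs, the default lists and `audit_config` are constructed for this example; a real audit would use a maintained list of vendor defaults.

```python
import configparser

# Constructed sample: the config an installer ships, deployed unchanged.
# Hosts, accounts and values are invented.
SAMPLE_CONFIG = """
[database]
host = db.internal
port = 1521
user = scott
password = tiger

[server]
debug = true
expose_version = true

[admin]
user = admin
password = admin
"""

# The same settings after the basic policies are applied: non-default
# accounts and port, debugging off, secrets supplied from the environment.
HARDENED_CONFIG = """
[database]
host = db.internal
port = 1621
user = orders_svc
password = ${DB_PASSWORD}

[server]
debug = false
expose_version = false

[admin]
user = ops_admin
password = ${ADMIN_PASSWORD}
"""

# Well-known defaults to flag. scott/tiger and 1521 come from the slides;
# the others are common examples.
DEFAULT_CREDENTIALS = {("scott", "tiger"), ("admin", "admin"), ("root", ""), ("sa", "")}
DEFAULT_PORTS = {1521: "Oracle listener", 3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB"}
# Debug-style switches that must be off outside development: (section, key).
DEBUG_FLAGS = (("server", "debug"), ("server", "expose_version"))


def audit_config(text):
    """Parse an INI-style config and return (severity, section, message) findings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        user = cp.get(section, "user", fallback=None)
        password = cp.get(section, "password", fallback=None)
        if user is not None and password is not None and (user, password) in DEFAULT_CREDENTIALS:
            findings.append(("high", section, f"default credentials for user '{user}'"))
        port = cp.getint(section, "port", fallback=None)
        if port in DEFAULT_PORTS:
            findings.append(("low", section,
                             f"default {DEFAULT_PORTS[port]} port {port} left unchanged"))
        for flag_section, flag in DEBUG_FLAGS:
            if section == flag_section and cp.getboolean(section, flag, fallback=False):
                findings.append(("medium", section, f"'{flag}' is enabled"))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or None when the config is clean."""
    order = {"low": 1, "medium": 2, "high": 3}
    return max((severity for severity, _, _ in findings), key=order.get, default=None)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(*finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```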
Prevention: Secure coding and code review
• Design application functionality with security in mind (this extends development time).
• Practice defensive coding.
• Review code to ensure security properties.
• Stay up to date with coding standards compliance; keep design and implementation consistent.
• Find security issues and bugs early.
Solution: Patching and Education
• Keep applications up to date.
• Apply vendor patches on time.
• Apply critical security and vulnerability fixes regularly.
• Educate developers, administrators and testers.
• Participate in security training.
• Attend security conferences.
• Subscribe to vendors' security alerts.
Conclusion
Security misconfiguration, or poorly configured security controls, could allow malicious users to change your website, obtain unauthorized access, compromise files or perform other unintended actions.
Risk: The prevalence of web application misconfiguration is very high in the IT industry.
Priority: Safeguarding web applications from malicious users and attacks.
References
https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
https://support.portswigger.net/customer/portal/articles/1965728-using-burp-to-test-for-security-misconfiguration-issues
https://www.youtube.com/watch?v=vheGnopQm6s&t=514s
https://www.cloudflare.com/learning/security/threats/owasp-top-10/
https://resources.infosecinstitute.com/2017-owasp-a6-update-security-misconfiguration/#gref
https://bounty.github.com/classifications/security-misconfiguration.html
https://www.youtube.com/watch?v=ouuXu9_UM0w
Thank You
You can find me at:
▫ https://www.linkedin.com/in/Kalyani-raut-29756a10a
▫ kalyaniraut97@gmail.com
Thanks!
ANY QUESTIONS?
