Configuration is an essential part of every application, and misconfiguration can happen at any level of the application stack: in code, web and application servers, databases and frameworks.
Unfortunately, in most cases you will not find out about your gaps until it's too late.
Here are some of the most common issues our DevOps team has encountered:
Deployment of development configuration to production
Development configuration can include tracing, unencrypted connection strings, test accounts with weak passwords, descriptive error messages and more. A malicious attacker will be able to use tracing or error messages to gain access to unsecured accounts, compromising the application.
When deploying an application, make sure to use the correct set of configuration settings in your deployment scripts.
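The check described above, as an added example that is not part of the original post: settings are assembled from a shared base plus one overlay per environment, and a deploy helper refuses to hand out production settings that still carry development-only values (diagnostic flags on, connection strings that do not demand TLS). The setting names, connection strings and environment names are constructed for illustration and do not belong to any particular framework.

```python
# Added example (not from the original post): select settings per environment
# and refuse a production deployment that still carries development values.
# The setting names, connection strings and environments are constructed.
import re

# Settings shared by every environment.
BASE = {
    "APP_NAME": "shop",
    "DATABASE_URL": "postgresql://shop@db.internal/shop?sslmode=verify-full",
}

# Environment-specific overlays applied on top of BASE.
OVERLAYS = {
    "development": {
        "DEBUG": True,
        "TRACE_ENABLED": True,
        "SHOW_DETAILED_ERRORS": True,
        # Plaintext to a local database is fine on a workstation, not in production.
        "DATABASE_URL": "postgresql://shop@localhost/shop",
    },
    "production": {
        "DEBUG": False,
        "TRACE_ENABLED": False,
        "SHOW_DETAILED_ERRORS": False,
    },
}

# Keys whose truthy value leaks diagnostics (stack traces, SQL, config) to users.
DIAGNOSTIC_FLAGS = ("DEBUG", "TRACE_ENABLED", "SHOW_DETAILED_ERRORS")


def load_settings(environment):
    """Merge BASE with the overlay for one environment; unknown names are an error."""
    if environment not in OVERLAYS:
        raise ValueError(f"unknown environment {environment!r}")
    return {**BASE, **OVERLAYS[environment]}


def connection_string_is_encrypted(conn):
    """Heuristic: True when a URL-style connection string demands TLS.

    Recognises PostgreSQL's sslmode=require/verify-ca/verify-full and the
    generic ssl=true / tls=true / encrypt=true parameters; anything else
    counts as plaintext.
    """
    lowered = conn.lower()
    if re.search(r"sslmode=(require|verify-ca|verify-full)", lowered):
        return True
    return bool(re.search(r"\b(ssl|tls|encrypt)=true\b", lowered))


def audit_production(settings):
    """Return a list of reasons these settings must not reach production."""
    findings = []
    for key in DIAGNOSTIC_FLAGS:
        if settings.get(key):
            findings.append(f"{key} is enabled")
    for key, value in settings.items():
        if isinstance(value, str) and "://" in value:
            if not connection_string_is_encrypted(value):
                findings.append(f"{key} does not require an encrypted connection")
    return findings


def settings_for_deployment(environment):
    """What a deploy script should call: production settings are audited first."""
    settings = load_settings(environment)
    if environment == "production":
        problems = audit_production(settings)
        if problems:
            raise RuntimeError("refusing to deploy: " + "; ".join(problems))
    return settings


if __name__ == "__main__":
    print(settings_for_deployment("production"))
    # Shipping the development overlay by mistake would be caught:
    print(audit_production(load_settings("development")))
```

Running `audit_production` against the development overlay lists every value that would have shipped by mistake, which is the report a deploy pipeline should fail on rather than discovering the problem from a stack trace shown to a user.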
Failure to secure directories
Protected or private directories are directories that are available only to authenticated application users, administrators or the application's own code. Protected directories might contain sensitive information in the form of files and images, or an account control panel.
3rd party applications installed on a production server
A production server that has additional applications installed on it might pose a security risk. Each application has its own vulnerabilities and configuration requirements; for example, some applications need a port opened in the firewall that would otherwise be blocked.
Web serving source files
A web server that is not configured to execute a given technology at a given endpoint might serve the file back to the client as plain content instead of executing it. This can include compiled class files, PHP code and more.
When an attacker has access to your source code, they can examine every aspect of your application stack.
Directory listing enabled
With directory listing enabled, an attacker can view all of the files in your web application. Sensitive files that are not linked from the application can then be read by the client.
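An added example covering both points above (web-served source files and directory listing); it is not code from the original post. It walks a web root and reports files that a server executing only `.php` would hand out verbatim (backup copies, include files, compiled classes, dotenv files), and it scans Apache-style `Options` lines for an enabled `Indexes`. The web root, file names and configuration snippets are constructed for the example; the set of executed and source-like extensions is an assumption to adapt to your own server.

```python
# Added example (not from the original post): find source files that a web
# server would serve as-is, and detect an enabled directory index in an
# Apache-style configuration. Sample tree and config text are constructed.
import os
import tempfile

# Assumption: the server hands only these extensions to an interpreter.
EXECUTED = {".php"}
# Assumption: these extensions carry code or secrets and must never be served raw.
SOURCE_LIKE = {".php", ".inc", ".class", ".java", ".py", ".sql", ".bak", ".old", ".orig"}


def would_be_served_as_text(path):
    """True if a request for this file would return its contents verbatim."""
    name = os.path.basename(path)
    if name.endswith("~"):            # editor backup such as index.php~
        return True
    ext = os.path.splitext(name)[1].lower()
    if ext in EXECUTED:               # index.php is executed, not served
        return False
    if name.startswith(".env"):       # dotenv files have no extension to match
        return True
    return ext in SOURCE_LIKE         # index.php.bak, db.inc, App.class, ...


def find_served_source(root):
    """Relative paths under root that would leak source if requested."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if would_be_served_as_text(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def directory_listing_enabled(apache_conf):
    """True if any Options directive turns indexes on ("Indexes" or "+Indexes")."""
    for line in apache_conf.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() != "options":
            continue
        if any(tok.lower() in ("indexes", "+indexes") for tok in tokens[1:]):
            return True
    return False


# Constructed configuration snippets: the first enables listing, the second does not.
SAMPLE_CONF_BAD = """<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>
"""
SAMPLE_CONF_GOOD = """<Directory /var/www/html>
    Options -Indexes +FollowSymLinks
</Directory>
"""


def build_sample_root():
    """Create a constructed web root mixing safe assets with leaked source files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ["index.php", "index.php.bak", "lib/db.inc", "WEB-INF/App.class",
                ".env", "css/style.css", "img/logo.png"]:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    print(find_served_source(build_sample_root()))
    print(directory_listing_enabled(SAMPLE_CONF_BAD), directory_listing_enabled(SAMPLE_CONF_GOOD))
```

The file check is deliberately conservative: anything with a source-like extension that is not on the executed list is reported, so a deployment that leaves `index.php.bak` beside `index.php` is caught before a client can request it.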
Default accounts are not changed
If your default account is admin or test and you left its password as password, an attacker can easily guess the credentials and log on to the application. Consider changing all default accounts on all applications and servers.
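An added example serving this section and the "test accounts with weak passwords" point under development configuration; it is not code from the original post. It audits an application's own account store: enabled accounts with a well-known default username are reported, and each stored salted hash is compared against a short list of default passwords so that an unchanged `admin`/`password` pair is found without ever storing plaintext. The account records, salts and both word lists are constructed and deliberately short; the hashing scheme (PBKDF2-SHA256) is an assumption about how the store keeps passwords.

```python
# Added example (not from the original post): audit an application's own
# account store for enabled default usernames and unchanged default passwords.
# Account data, salts and the word lists are constructed for illustration.
import hashlib
import hmac
import os

# Constructed, non-exhaustive lists of shipped defaults.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "test", "guest", "sa"}
DEFAULT_PASSWORDS = {"password", "admin", "123456", "test", "changeme", ""}
ITERATIONS = 50_000  # PBKDF2 rounds; modest so the audit stays quick


def hash_password(password, salt):
    """Assumed storage scheme: PBKDF2-HMAC-SHA256 over a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_account(username, password, enabled=True):
    """Constructed account record in the shape a user table might store."""
    salt = os.urandom(16)
    return {
        "username": username,
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "enabled": enabled,
    }


def audit_accounts(accounts):
    """Return (username, reason) pairs for enabled accounts that need attention."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled default is already neutralised
        if acct["username"].lower() in DEFAULT_USERNAMES:
            findings.append((acct["username"], "well-known default username is still enabled"))
        for candidate in DEFAULT_PASSWORDS:
            # Constant-time comparison of the stored hash with each default.
            if hmac.compare_digest(hash_password(candidate, acct["salt"]), acct["pw_hash"]):
                findings.append((acct["username"], "password is a known default value"))
                break
    return findings


def sample_accounts():
    """Constructed store: one untouched default, one disabled default, one sane account."""
    return [
        make_account("admin", "password"),
        make_account("test", "test", enabled=False),
        make_account("deploy-svc", "Xq7#longer-random-passphrase-41"),
    ]


if __name__ == "__main__":
    for user, reason in audit_accounts(sample_accounts()):
        print(f"{user}: {reason}")
```

Run against the constructed store, only `admin` is reported, once for the username and once for the password; the disabled `test` account is skipped because disabling it already closes the gap the section describes.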
Firewall allows unnecessary ports or hosts
A firewall that allows more ports than necessary to be open, or allows unauthorized hosts to connect to the server, can result in an attacker gaining control over the server. For example: a database server that requires an open port in order to execute queries from the web server, but neglects to restrict access to that port. Any attacker can then connect to that port and try to log on to the database using brute force techniques.
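The database example above, as an added check that is not part of the original post: it parses the rule lines that `iptables -S INPUT` prints and reports any ACCEPT rule for the database port that carries no `-s` source restriction (or one outside the expected web server address), plus a default INPUT policy that is not DROP. The two rule sets, the web server address 10.0.1.10 and the port 5432 are constructed for the example.

```python
# Added example (not from the original post): audit an exported iptables rule
# set and flag ACCEPT rules that open a database port to every source. The rule
# lines are constructed in the format `iptables -S INPUT` prints; addresses
# and ports are illustrative.

# Constructed: the web server is 10.0.1.10 and the database listens on 5432.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
"""

# Constructed: the same host after restricting the port to the web server.
FIXED_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.1.10/32 -p tcp -m tcp --dport 5432 -j ACCEPT
"""


def parse_rule(line):
    """Pull the fields this audit cares about out of one `iptables -S` line."""
    tokens = line.split()
    rule = {"chain": None, "policy": None, "source": None, "dport": None, "target": None}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-P":              # default policy line: -P CHAIN TARGET
            rule["chain"], rule["policy"] = tokens[i + 1], tokens[i + 2]
            i += 3
        elif tok == "-A":            # append-to-chain line
            rule["chain"] = tokens[i + 1]
            i += 2
        elif tok == "-s":
            rule["source"] = tokens[i + 1]
            i += 2
        elif tok == "--dport":
            rule["dport"] = int(tokens[i + 1])
            i += 2
        elif tok == "-j":
            rule["target"] = tokens[i + 1]
            i += 2
        else:                        # flags this audit does not inspect
            i += 1
    return rule


def audit_port_exposure(rules_text, port, allowed_sources):
    """Return findings for `port` on the INPUT chain.

    allowed_sources holds the CIDR strings, as iptables prints them
    (for example "10.0.1.10/32"), that may reach the port.
    """
    findings = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule["chain"] != "INPUT":
            continue
        if rule["policy"] is not None:
            if rule["policy"] != "DROP":
                findings.append(f"INPUT default policy is {rule['policy']}, not DROP")
            continue
        if rule["target"] != "ACCEPT" or rule["dport"] != port:
            continue
        if rule["source"] is None:
            findings.append(f"port {port} is accepted from any source: {line}")
        elif rule["source"] not in allowed_sources:
            findings.append(f"port {port} is accepted from unexpected source {rule['source']}")
    return findings


if __name__ == "__main__":
    print(audit_port_exposure(SAMPLE_RULES, 5432, {"10.0.1.10/32"}))
    print(audit_port_exposure(FIXED_RULES, 5432, {"10.0.1.10/32"}))
```

On a real host the same function can be fed the output of `iptables -S INPUT` captured during a configuration review, so the unrestricted database rule is found before anyone outside the web tier gets to try credentials against it.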
Missing OS security patches
Neglecting to update your OS will result in an attacker exploiting known security holes to gain control over your server. It is recommended to apply critical security patches immediately and to keep a regular maintenance interval for all other OS updates. Updates should be tested in development before deployment to production to ensure application compatibility.
Security misconfiguration is part of the OWASP Top Ten most critical web application security risks. Here at Inverted Software we can assist you in evaluating your application's security state and help in eliminating any gaps that might allow an attacker to compromise your software.
Need an evaluation of your ecosystem?
Contact us at: firstname.lastname@example.org