Security Misconfiguration – The #5 Web Application Security Risk

Security misconfiguration has become one of the top security risks faced by organizations today. According to recent data, misconfigured systems and software now account for over 20% of reported vulnerabilities. This post explores why security misconfigurations are on the rise and provides recommendations on how to mitigate this risk.

A05:2021 – Security Misconfiguration (OWASP Top 10 data factors)

| Factor | Value |
|---|---|
| CWEs Mapped | 20 |
| Max Incidence Rate | 19.84% |
| Avg Incidence Rate | 4.51% |
| Avg Weighted Exploit | 8.12 |
| Avg Weighted Impact | 6.56 |
| Max Coverage | 89.58% |
| Avg Coverage | 44.84% |
| Total Occurrences | 208,387 |
| Total CVEs | 789 |

Why Are Misconfigurations Increasing?

There are a few key reasons why improperly configured systems have become more prevalent:

  • Complex IT environments – With cloud computing, containers, IoT devices and more in the mix, IT environments are more complex than ever. This complexity makes it harder to properly secure every component. Just one mistake can open the door for attackers.

  • More access controls – To protect data, more access controls like permissions, authentication and encryption keys are being implemented. But if even one access control is misconfigured, data could be exposed.

  • Rushing to the cloud – In the rush to adopt cloud platforms, many organizations overlook security in favor of speed and agility. Critical cloud resources end up with public access or weak identity and access controls.

  • Lack of security knowledge – Many developers and IT admins lack expertise in security concepts. As a result, they end up enabling insecure defaults or introducing risky configurations unknowingly.

These factors and others have created a perfect storm for configuration-related vulnerabilities. Attackers are quick to take advantage of these oversights using automated tools.


Risks of Insecure Configurations

The risks posed by poor configurations are diverse, including:

  • Exposure of sensitive data

  • Data breaches

  • Unauthorized access

  • System exploitation

  • Malware infections

  • DDoS attacks

  • Compliance violations

Attackers know that exploiting misconfigurations requires less effort than finding software bugs, so they actively scan for misconfigured systems and move quickly once they find one.

How to Reduce Configuration Risks?

Thankfully, security misconfiguration risks can be significantly reduced by taking three key steps:

  1. Utilize configuration benchmarks – Industry groups like CIS provide detailed configuration guides for all major platforms to enable security by default.

  2. Perform audits – Use tools like policy-based configuration scanners to proactively audit configurations and get alerts on insecure settings.

  3. Improve processes – Add security reviews to DevOps pipelines and change approval processes to catch errors before deployment.
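As an added example (not code from the original post), here is a minimal policy-based configuration audit in Python of the kind step 2 describes, written so it can fail a deployment pipeline as step 3 suggests. The setting names, policy rules and sample configuration are all constructed for illustration and do not correspond to any real product's options.

```python
import json
import sys

# Constructed policy: each rule names a setting, the condition that makes it
# acceptable, and why a violation matters. The keys are hypothetical.
POLICY = [
    {"key": "debug", "ok": lambda v: v is False,
     "why": "debug mode leaks stack traces and internal details"},
    {"key": "directory_listing", "ok": lambda v: v is False,
     "why": "directory listing exposes files to anonymous users"},
    {"key": "admin_password", "ok": lambda v: v not in ("", "admin", "password", "changeme"),
     "why": "default or empty administrative credential"},
    {"key": "tls_min_version", "ok": lambda v: v in ("1.2", "1.3"),
     "why": "legacy TLS versions permitted"},
    {"key": "storage_acl", "ok": lambda v: v == "private",
     "why": "storage resource readable by the public"},
]


def audit(config):
    """Return (key, observed, why) findings for every setting that violates POLICY.

    A key that is absent is reported as well: an unset value usually means the
    platform's insecure default is in effect, which is exactly what audits should catch.
    """
    findings = []
    for rule in POLICY:
        key = rule["key"]
        if key not in config:
            findings.append((key, "<unset>", rule["why"] + " (not set; insecure default assumed)"))
        elif not rule["ok"](config[key]):
            findings.append((key, config[key], rule["why"]))
    return findings


# Constructed sample configuration, as a pipeline might export it before release.
SAMPLE_CONFIG = json.loads("""{
  "debug": true,
  "directory_listing": false,
  "admin_password": "changeme",
  "tls_min_version": "1.0",
  "storage_acl": "public-read"
}""")

if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for key, observed, why in results:
        print(f"INSECURE {key}={observed!r}: {why}")
    # Non-zero exit blocks the deployment step that runs this check.
    sys.exit(1 if results else 0)
```

Run against the sample it reports four findings (debug, admin_password, tls_min_version, storage_acl) and exits 1; a change-approval step can gate on that exit code.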

Many challenges contribute to increased configuration risks today, but staying on top of system hardening, auditing configurations proactively and improving security visibility through process changes can help get this risk under control.

Organizations that dedicate focus to securing configurations and access controls will gain an important competitive edge over peers and be able to operate safely despite a complex IT landscape.
