Transcript
Rick Howard (0:02)
You're listening to the Cyberwire Network, powered by N2K.
Peter Kilpe (0:12)
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control: stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.
Rick Howard (0:56)
The word is: OWASP security misconfiguration. Spelled: O for open, W for Web, A for application, S for security, P for project; security, for safeguarding data; and misconfiguration, for configuring hardware and software in a way that creates a vulnerability. The state of a Web application when it's vulnerable to attack due to an insecure configuration. Example sentence: Using vendor-supplied defaults for system accounts and passwords is a common security misconfiguration and may allow attackers to gain unauthorized access to the system. Origin and context: Dave Wichers and Jeff Williams, working for Aspect Security, a software consulting company, published an education piece in 2003 on the top software security coding issues of the day that eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for Web applications. Today, OWASP is an international team of security professionals, led by the foundation executive director and Top 10 project leader Andrew van der Stock, dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. Today, there are tens of thousands of members and hundreds of chapters worldwide. In the OWASP 2021 Top 10 vulnerabilities list, the committee moves security misconfiguration from the number six slot to number five. It results primarily from human error, not the technology that the humans installed. In other words, the technology works fine, but the humans failed to configure it securely. Examples include running systems using default passwords and default configuration files, leaving unwanted services running that you have no intention of using, and leaving debugging mode on. To reduce the probability of these kinds of errors, follow a zero trust strategy and reduce the attack surface tactically.
Consider disabling administration interfaces, restricting access to directory listings, and periodically running audit scripts that check configuration settings. The key here is automation. Once you decide the tactics you need, automate the process of checking the settings and, if necessary because of human error, change the settings back to the proper configuration. Nerd reference: In the 2001 blockbuster The Lord of the Rings: The Fellowship of the Ring, Gandalf, played by Ian McKellen, leads the Fellowship to the mines of Moria in an effort to evade the mountain trail made impassable by the evil wizard Saruman's weather spells. At the entrance, the dwarves have cleverly stopped unwanted visitors by password-protecting the gate, and Merry, played by Dominic Monaghan, asks how the Fellowship will get in.
[Episode cover image: OWASP security misconfiguration (noun) [Word Notes] - Hacking Humans]