Securing Your Configuration

Improper security configuration is one of the most commonly overlooked risks to your technology stack. If you leave your servers unsecured hackers can find vulnerable access points through simple Google searches.

Risks

Prevalence Common
Rating prevelance on a298cccc3e525887223509d0e6fe9a464d7d7f60574014de1fe402608154d354 Rating prevelance on a298cccc3e525887223509d0e6fe9a464d7d7f60574014de1fe402608154d354 Rating prevelance on a298cccc3e525887223509d0e6fe9a464d7d7f60574014de1fe402608154d354
Exploitability Easy
Rating exploitability on 6b817c6c589f0911378579408b6cbfc6d82345849ae2da559b8d11602b9a987b Rating exploitability on 6b817c6c589f0911378579408b6cbfc6d82345849ae2da559b8d11602b9a987b Rating exploitability on 6b817c6c589f0911378579408b6cbfc6d82345849ae2da559b8d11602b9a987b
Impact Harmful
Rating impact on 48bdb4077813afe9762f27e229e64207ec59c3891a54a3adf931c2c91a6d99bd Rating impact on 48bdb4077813afe9762f27e229e64207ec59c3891a54a3adf931c2c91a6d99bd Rating impact on 48bdb4077813afe9762f27e229e64207ec59c3891a54a3adf931c2c91a6d99bd

If an attacker can access your system via insecure configuration, they could:

  • Steal data. Attackers frequently steal sensitive client data like email addresses, passwords or credit card numbers.
  • Infect your servers. Compromised servers are often used to host spam-bots or other types of malware.
  • Abuse the trust your users have in your site. If a hacker can serve content under your security certificate, they have a reliable way to infect others.

Protection

Securing your software settings depends on understanding your software and enforcing best practices through good process management. You should:

  • Automate your build process. An ad-hoc build processes makes it easy for insecure software settings to slip through. Make sure you have a scripted, repeatable build process, so you know what software (and what versions) you are running at any given time.

  • Review new software components and disable default credentials as soon as possible. Each new library, toolkit and server introduces new security risks - ensure these are considered during your code reviews.

  • Clearly separate code and configuration. Environment-specific and sensitive configuration should be stored outside the codebase - either in configuration files or dedicated systems (like databases). Hard-coded credentials and backdoors open your site to being compromised.

  • Create dedicated accounts with appropriate privileges. Access to production servers and databases should follow the principle of least privilege. Users and processes should only have the permissions they require to function, and any escalation of privileges (for example, during release windows,) should be temporary and subject to formal review process.

  • Script your deployment process. Make sure deployment to staging and production systems is done through a repeatable, scripted process. You should know what version of your code is running on each environment - and be able to vouch that each environment is running the appropriate configuration. After each release, perform (at least a cursory) “smoke-test” to ensure the correct software and configuration got deployed.

  • Segregate environments. Production and staging environments should use different sets of credentials, since they will typicllay have different access levels. Try to ensure there is no network access between environments, so attackers cannot move sideways between environments with different access levels.

  • Add extra security for administrative systems. If possible, avoid opening your administrative tools to the internet at large. Prescribe a secure password policy for administrators, and ensure your team knows to take security seriously. Implement multi-factor authentication if feasible. Make sure you know who has access to what system, and have a plan in place for when access has to be revoked (for instance, if team-members leave).

Is Your Config Secure?

Netsparker n 834848961a0bf6ec5556448ff47f421d0b1204a572877a59717064b1088e8c43 Check today. Scan your website for Lax Security Settings and other vulnerabilities with the Netsparker Web Application Security Scanner.