A6: Security Misconfiguration

App Specific

Attackers will often attempt to exploit unpatched flaws or access default accounts, unused pages, unprotected files and directories, etc to gain unauthorized access or knowledge of the system.

Prevalence

Security misconfiguration can happen at any level of an application stack, including the network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage.

Automated scanners are useful for detecting misconfigurations, use of default accounts or configurations, unnecessary services, legacy options, etc.

Technical

Such flaws frequently give attackers unauthorized access to some system data or functionality. Occasionally, such flaws result in a complete system compromise. The business impact depends on the protection needs of the application and data.

The application might be vulnerable if the application is:

Missing appropriate security hardening across any part of the application stack, or improperly configured permissions on cloud services.
Unnecessary features are enabled or installed (e.g. unnecessary ports, services, pages, accounts, or privileges).
Default accounts and their passwords still enabled and unchanged.
Error handling reveals stack traces or other overly informative error messages to users.
For upgraded systems, latest security features are disabled or not configured securely.
The security settings in the application servers, application frameworks (e.g. Struts, Spring, ASP.NET), libraries, databases, etc. not set to secure values.
The server does not send security headers or directives or they are not set to secure values
The software is out of date or vulnerable

How to detect this security problem?

Valency Networks technical team is highly capable of running app scans and also perform manual vulnerability assessment to find this security problem. We can also help you re-design the code component or provide inputs towards successful fixation.

What Our Customers Say?

Valency Networks is a very techie company, focusing on a continuous improvement in service quality. Our customers like us exactly for that and that helps us keep our quality to the best extent.

Valency Networks is our only preferred vendor because the way they find vulnerabilities in our network is par excellence. We hired them on a long term contract to top up our perimeter and wish to continue with them.

CTO

Fortune 50 Manufaturing Company, Pune

Hardly goes a day when I have not learnt anything new in cyber security space and IT technologies.

Team-mate

for 6+ yrs

Working at Valency Networks helps me gain great knowledge everyday.

Team-mate,

for 3+ yrs

A6: Security Misconfiguration

App Specific

Prevalence

Technical

Missing appropriate security hardening across any part of the application stack, or improperly configured permissions on cloud services.

Unnecessary features are enabled or installed (e.g. unnecessary ports, services, pages, accounts, or privileges).

Default accounts and their passwords still enabled and unchanged.

Error handling reveals stack traces or other overly informative error messages to users.

For upgraded systems, latest security features are disabled or not configured securely.

The security settings in the application servers, application frameworks (e.g. Struts, Spring, ASP.NET), libraries, databases, etc. not set to secure values.

The server does not send security headers or directives or they are not set to secure values

The software is out of date or vulnerable

How to detect this security problem?