Security - Misconfiguration
https://www.owasp.org/index.php/Testing_for_configuration_management
https://www.owasp.org/index.php/Testing_for_Error_Code_(OTG-ERR-001)
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
https://www.owasp.org/index.php/ASVS_V19_Configuration
https://csrc.nist.gov/publications/detail/sp/800-123/final
https://cwe.mitre.org/data/definitions/2.html
https://cwe.mitre.org/data/definitions/16.html
https://cwe.mitre.org/data/definitions/388.html
https://www.cisecurity.org/cis-benchmarks/
https://blog.websecurify.com/2017/10/aws-s3-bucket-discovery.html
// Security - Misconfiguration:
To Prevent 'Security Misconfiguration':
1. A repeatable hardening process that makes it fast and easy to deploy
another environment that is properly locked down. Development, QA, and
production environments should all be configured identically (with different
passwords used in each environment). This process should be automated to
minimize the effort required to set up a new secure environment.
2. A process for keeping abreast of and deploying all new software updates and
patches in a timely manner to each deployed environment. This needs to
include all code libraries as well (see new A9).
3. A strong application architecture that provides effective, secure separation
between components.
4. Consider running scans and doing audits periodically to help detect future
misconfigurations or missing patches.
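
An added example (not part of the original page or of any OWASP material): one way to automate the check behind items 1 and 4, comparing per-environment settings so that non-secret values must match everywhere and secret values must differ. The setting names, the secret-name markers and the sample values are constructed assumptions.

```python
import hashlib

# Assumed naming convention: keys containing these markers hold secrets.
SECRET_MARKERS = ("password", "secret", "token", "api_key")

def is_secret(key):
    return any(marker in key.lower() for marker in SECRET_MARKERS)

def digest(value):
    # Compare secrets by hash so the audit never handles them side by side in clear.
    return hashlib.sha256(str(value).encode()).hexdigest()

def audit(envs):
    """Return (kind, key, detail) findings for a {env_name: {key: value}} mapping."""
    findings = []
    for key in sorted(set().union(*(cfg.keys() for cfg in envs.values()))):
        missing = sorted(name for name, cfg in envs.items() if key not in cfg)
        if missing:
            findings.append(("missing", key, ",".join(missing)))
        elif is_secret(key):
            # Secrets must be unique per environment: group names by value hash.
            groups = {}
            for name, cfg in envs.items():
                groups.setdefault(digest(cfg[key]), []).append(name)
            for names in groups.values():
                if len(names) > 1:
                    findings.append(("shared-secret", key, ",".join(sorted(names))))
        elif len({repr(cfg[key]) for cfg in envs.values()}) > 1:
            # Everything else must be identical across environments.
            detail = ",".join(f"{n}={cfg[key]!r}" for n, cfg in sorted(envs.items()))
            findings.append(("drift", key, detail))
    return findings

# Constructed sample settings, not taken from any real deployment.
SAMPLE = {
    "dev":  {"debug": True,  "tls_min_version": "1.2", "directory_listing": False,
             "db_password": "example-A", "api_token": "tok-1"},
    "qa":   {"debug": False, "tls_min_version": "1.2", "directory_listing": False,
             "db_password": "example-A", "api_token": "tok-2"},
    "prod": {"debug": False, "tls_min_version": "1.2",
             "db_password": "example-B", "api_token": "tok-3"},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

On the sample it reports the password shared by dev and qa, the debug flag that differs in dev, and the setting absent from prod.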
page revision: 1, last edited: 29 Jul 2018 00:12