Security - Misconfiguration

security

https://www.owasp.org/index.php/Testing_for_configuration_management
https://www.owasp.org/index.php/Testing_for_Error_Code_(OTG-ERR-001)
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
https://www.owasp.org/index.php/ASVS_V19_Configuration
https://csrc.nist.gov/publications/detail/sp/800-123/final
https://cwe.mitre.org/data/definitions/2.html
https://cwe.mitre.org/data/definitions/16.html
https://cwe.mitre.org/data/definitions/388.html
https://www.cisecurity.org/cis-benchmarks/
https://blog.websecurify.com/2017/10/aws-s3-bucket-discovery.html

// Security - Misconfiguration:

To Prevent 'Security Misconfiguration':

1. A repeatable hardening process that makes it fast and easy to deploy 
   another environment that is properly locked down. Development, QA, and 
   production environments should all be configured identically (with different 
   passwords used in each environment). This process should be automated to 
   minimize the effort required to set up a new secure environment.

2. A process for keeping abreast of and deploying all new software updates and 
   patches in a timely manner to each deployed environment. This needs to 
   include all code libraries as well (see new A9).

3. A strong application architecture that provides effective, secure separation 
   between components.

4. Consider running scans and doing audits periodically to help detect future 
   misconfigurations or missing patches.
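As an added example (not from the original page, OWASP, or any project linked above), the following Python script turns points 1 and 4 into a small repeatable audit: it flags configuration drift between environments, secrets reused across environments, debug or verbose-error settings left on, and missing security headers from the OWASP Secure Headers Project list. The environment names, settings and header values are constructed sample data, and the header set and the `SECRET_KEYS`/`MUST_BE_FALSE` names are assumptions chosen for the example.

```python
"""Added example (not part of the original page): a small, repeatable
configuration audit in the spirit of prevention points 1 and 4. It checks that
environments are configured identically except for secrets, that no environment
enables debug or verbose-error settings, and that an HTTP response carries the
headers recommended by the OWASP Secure Headers Project. All settings, names
and header values below are constructed sample data, not real systems."""

# Settings whose values are expected to differ between environments (point 1:
# identical configuration "with different passwords used in each environment").
SECRET_KEYS = ("db_password", "api_key", "session_secret")

# Settings that must be off in every deployed environment: verbose errors and
# listings expose internals (see OTG-ERR-001 and CWE-388 in the links above).
MUST_BE_FALSE = ("debug", "show_stack_traces", "directory_listing")

# Headers from the OWASP Secure Headers Project. None means "must be present",
# a string means "must be present with exactly this value".
REQUIRED_HEADERS = {
    "strict-transport-security": None,
    "x-content-type-options": "nosniff",
    "x-frame-options": None,
    "content-security-policy": None,
}


def audit_environments(envs):
    """Return findings for a mapping {env_name: {setting: value}}.

    The first environment in the mapping is the baseline the others are
    compared against."""
    findings = []
    names = list(envs)
    base_name, baseline = names[0], envs[names[0]]
    for name in names:
        cfg = envs[name]
        for key in MUST_BE_FALSE:
            if cfg.get(key, False):
                findings.append(f"{name}: {key} must be disabled")
        # Drift check: every non-secret setting must match the baseline.
        for key in sorted(set(baseline) | set(cfg)):
            if key in SECRET_KEYS:
                continue
            if baseline.get(key) != cfg.get(key):
                findings.append(f"{name}: {key} differs from {base_name} "
                                f"({cfg.get(key)!r} vs {baseline.get(key)!r})")
    # A secret shared between environments defeats the per-environment rule.
    for key in SECRET_KEYS:
        values = [envs[n].get(key) for n in names]
        if len(set(values)) != len(values):
            findings.append(f"{key}: same value reused across environments")
    return findings


def audit_headers(headers):
    """Return findings for a dict of HTTP response headers (name-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, expected in REQUIRED_HEADERS.items():
        if name not in lowered:
            findings.append(f"missing header {name}")
        elif expected is not None and lowered[name].lower() != expected:
            findings.append(f"header {name} should be {expected!r}")
    # Banner headers carrying a version number advertise exactly which build
    # is running and whether it is patched (point 2); strip the version.
    for name in ("server", "x-powered-by"):
        if name in lowered and any(ch.isdigit() for ch in lowered[name]):
            findings.append(f"header {name} discloses a version: {lowered[name]!r}")
    return findings


# Constructed sample data.
SAMPLE_ENVS = {
    "production": {"debug": False, "tls_min_version": "1.2",
                   "db_password": "prod-pw", "api_key": "k-prod", "session_secret": "s-prod"},
    "qa": {"debug": True, "tls_min_version": "1.2",
           "db_password": "qa-pw", "api_key": "k-prod", "session_secret": "s-qa"},
    "development": {"debug": False, "tls_min_version": "1.0",
                    "db_password": "dev-pw", "api_key": "k-dev", "session_secret": "s-dev"},
}
SAMPLE_HEADERS = {
    "Server": "ExampleServer/2.4.29",   # constructed banner with a version
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for finding in audit_environments(SAMPLE_ENVS) + audit_headers(SAMPLE_HEADERS):
        print("FINDING:", finding)
```

Run on a schedule (or in the deployment pipeline) against the real environment configs and a live response from each environment, this is the kind of automated check point 4 asks for; the drift check only compares non-secret keys so that a shared password is reported as a finding rather than hidden by the "identical configuration" rule.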
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License