Properly Configure Components
After completing this unit, you’ll be able to:
- Describe the importance of properly configuring components.
- Describe the role of an application security engineer in minimizing the potential impact of security misconfiguration.
Configure Components Properly
In addition to validating, sanitizing, and testing and reviewing code, application security engineers secure the SDLC by protecting against security misconfiguration. Security misconfiguration involves failing to securely configure, patch, and upgrade operating systems, coding frameworks, libraries, and applications.
Examples include deploying an operating system with an insecure default configuration, leaving cloud storage buckets open to public view, or failing to configure error messages properly, resulting in exposing sensitive system information to attackers.
This provides attackers with unauthorized access to system data or functionality. Attackers can easily exploit security misconfiguration, a widespread security problem. Attackers are often aware of unpatched security flaws and default account credentials, which they can use to gain unauthorized access to a company and its customers’ data.
Protect Against Security Misconfiguration
Imagine a customer who has just bought a new smartphone. Upon turning on the phone for the first time, the customer tinkers with the settings to ensure everything is set up just right. They may set up a personal PIN or thumbprint to use when they log onto the phone. They download and update some new software in order to use the latest applications. They delete default applications they don’t often use, and change the language, time settings, and background of the phone.
Just as a customer tinkers with the settings to configure their phone to their personal preferences, an application security engineer works with a development team to tweak the settings on application components to ensure they function properly and securely.
Engineers eliminate default accounts and passwords. They work with the development and operations teams to ensure that the software used by the application is up to date and properly patched. They review whether permissions in cloud services have been properly configured so that sensitive data is not accidentally viewable by the public. They disable or uninstall unnecessary features, such as ports, services and pages, since an attacker could use these openings to gain access to the application.
In doing so, the application security engineer ensures the following.
- The organization uses a concerted, repeatable application security configuration process.
- Development teams use identical development, quality assurance (QA), and production environments to maintain consistency between the environment in which developers develop and test the application and the environment in which they deploy the application.
- Automation of verification and testing of configuration settings, in order to reduce human error and improve the speed and efficiency of the development process.
For more information on testing for configuration management, see the OWASP resource which offers a wealth of additional details.
Sum It Up
You’ve been introduced to strategies to help harden the application stack by standardizing and securing configurations. Now it’s time to learn more about another key consideration for an application security engineer: protecting application authentication and access.