Word Notes 12.21.21
Ep 81 | 12.21.21

OWASP security misconfiguration (noun)


Rick Howard: The word is: OWASP security misconfiguration.  

Rick Howard: Spelled: O for open, W for web, A for application, S for security, P for project, security for safeguarding data, and misconfiguration for configuring hardware and software in a way that creates a vulnerability.  

Rick Howard: Definition: The state of a web application when it's vulnerable to attack due to an insecure configuration.  

Rick Howard: Example sentence: Using vendor-supplied defaults for system accounts and passwords is a common security misconfiguration, and may allow attackers to gain unauthorized access to the system. 

Rick Howard: Origin and context: Dave Wickers and Jeff Williams working for Aspect Security, a software consulting company, published an education piece in 2003 on the top software security coding issues of the day. That eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for web applications.  

Rick Howard: Today, OWASP is an international team of security professionals led by the Foundation Executive Director and Top 10 project leader, Andrew van der Stock, dedicated to enabling organizations to develop, purchase and maintain applications and API APIs that can be trusted. Today, there are tens of thousands of members and hundreds of chapters worldwide. And the OWASP 2021 Top 10 vulnerabilities list, the committee moves security misconfiguration from the number 6 slot to number 5.  

Rick Howard: It results primarily from human error, not the technology that the humans installed. In other words, the technology works fine, but the humans failed to configure it securely. Examples include running systems using default passwords and default configuration files, leaving unwanted services running that you have no intention of using, and leaving debugging mode on.  

Rick Howard: To reduce the probability of these kinds of errors, follow a zero trust strategy and reduce the attack surface. Tactically, consider disabling administration interfaces, restricting access to directory listings, and periodically running audit scripts that check configuration settings. The key here is automation. Once you decide the tactics you need, automate the process of checking the settings, and if necessary because of human error, changing the settings back to the proper configuration.  

Rick Howard: Nerd reference: In the 2001 blockbuster, "The Lord of the Rings: The Fellowship of the Ring," Gandalf played by Ian McKellen leads the fellowship to the Mines of Moria in an effort to evade the mountain trail made impassable due to the evil wizard Saruman’s weather spells. At the entrance, the dwarves have cleverly stopped unwanted visitors by password-protecting the gate. And Merry, played by Dominic Monaghan asks how the fellowship will get in.  

Ian McKellen: It reads, the doors of Dorine, Lord of Moria, speak friend and enter. What do you suppose that means? It's quite simple. If you are a friend, you speak the password. And the doors will open. 

Rick Howard: Clearly Gandalf doesn't know the password. And then Frodo, played by Elijah Wood, discovers the built-in backdoor, the Dwarvian default password, the previously undiscovered security misconfiguration, if you will, that let's the fellowship into the Mines of Moria.  

Elijah Wood: It's a riddle. Speak friend and enter. What's the Elvish word for friend? Mellon! 

Rick Howard: I will leave it as an exercise to the listener to discover how an Elvish default password opens a secret gate to a Dwarvian mine. 

Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.