RagTags for ResCommunes

the machines have taken over

OWASP #5 (2021) – Security Misconfiguration

Security Misconfiguration happens when systems are deployed with insecure settings - or when default settings aren’t changed at all. This is one of the most common and avoidable issues.

Examples include:

- Leaving default admin credentials enabled.
- Unpatched software or exposed debug endpoints.
- Overly detailed error messages showing stack traces or file paths.
- Open cloud storage buckets or unrestricted ports.
- Features enabled that aren’t needed (e.g., verbose logging in production).

The problem here isn’t complex vulnerabilities - it’s lack of hardening. Developers, ops, and security teams often assume defaults are "good enough," but they rarely are.

Attackers love misconfigurations because they’re easy to find and usually give direct access to systems, data, or internal tools.

To prevent this:

- Review and lock down environment settings before deploying.
- Disable unused features, services, and accounts.
- Automate security checks and infrastructure scans.
- Apply the principle of least privilege across the stack.
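One way to automate such checks, as an added example that is not part of the original post: a pre-deployment gate that audits a settings file for the misconfigurations listed earlier and fails the build on any finding. The JSON schema, key names and sample values are hypothetical and constructed for illustration.

```python
import json

# Constructed deployment settings; every key name is a hypothetical schema.
SAMPLE = json.loads("""
{
  "environment": "production",
  "debug": true,
  "log_level": "DEBUG",
  "show_stack_traces": true,
  "accounts": [
    {"name": "admin", "enabled": true, "default_password": true},
    {"name": "deploy", "enabled": true, "default_password": false},
    {"name": "guest", "enabled": false, "default_password": true}
  ],
  "buckets": [{"name": "backups", "public": true}, {"name": "assets", "public": false}],
  "listeners": [{"port": 443, "bind": "0.0.0.0"}, {"port": 5432, "bind": "0.0.0.0"},
                {"port": 9229, "bind": "127.0.0.1"}],
  "allowed_public_ports": [443]
}
""")

def audit(cfg):
    """Return (rule, detail) findings; an empty list means the gate passes."""
    findings = []
    prod = cfg.get("environment") == "production"
    if prod and cfg.get("debug", False):
        findings.append(("debug-enabled", "debug mode is on in production"))
    if prod and str(cfg.get("log_level", "")).upper() in {"DEBUG", "TRACE"}:
        findings.append(("verbose-logging", f"log_level={cfg['log_level']}"))
    if cfg.get("show_stack_traces", False):
        findings.append(("detailed-errors", "stack traces returned to clients"))
    for acct in cfg.get("accounts", []):
        # A disabled account with a default password is not reachable, so skip it.
        if acct.get("enabled") and acct.get("default_password"):
            findings.append(("default-credentials", acct["name"]))
    for bucket in cfg.get("buckets", []):
        if bucket.get("public"):
            findings.append(("public-bucket", bucket["name"]))
    allowed = set(cfg.get("allowed_public_ports", []))
    for lis in cfg.get("listeners", []):
        # Only wildcard binds count as exposed; loopback listeners are ignored.
        if lis.get("bind") in {"0.0.0.0", "::"} and lis.get("port") not in allowed:
            findings.append(("unrestricted-port", str(lis["port"])))
    return findings

if __name__ == "__main__":
    results = audit(SAMPLE)
    for rule, detail in results:
        print(f"FAIL {rule}: {detail}")
    raise SystemExit(1 if results else 0)
```

Run as a CI step against the rendered production settings; the non-zero exit code blocks the deploy until every finding is resolved.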

Secure configuration is low-effort, high-impact - and still too often overlooked.