Sie möchten Snyk in Aktion erleben?
As software continues to become more complex, developers are taking on more responsibility with containers, infrastructure as code (IaC), and other modern application architecture design choices. That means development teams are increasingly responsible for securely configuring numerous aspects of cloud native applications as well.
Let’s take a closer look at security misconfigurations and the impact they have on application security. After that, we’ll dive into real world examples of how Capital One and Capgemini both faced enormous data breaches due to security misconfigurations. Finally, we’ll discuss the types of misconfigurations that can occur and how to prevent them using automated security tools.
A security misconfiguration is a failure to implement the proper security controls for an application, container, infrastructure, or any other software component. These misconfigurations can enable unauthorized access to system data and functionality, or in the worse case, a complete system failure. That’s why security misconfigurations are one of the top 10 web application security risks according to OWASP. Through security scanning, organizations can detect and remediate security misconfigurations in their source code and configuration files.
Most security misconfigurations occur when organizations fail to implement all the security controls recommended for a particular application component or default security settings are used. When developers fail to implement the principle of least privilege for accounts, administration interfaces, databases, and more, unwanted third parties could steal sensitive data. Since most security misconfigurations are introduced through human error, shifting to IaC and automation can help prevent many of these vulnerabilities.
Since security misconfigurations can occur within many different components of an application, there are numerous types of vulnerabilities. These include:
Using default credentials for cloud server instances, web servers, databases, and more
Failing to encrypt sensitive data like passwords, cryptographic keys, or API keys
Not following the principle of least privilege for limiting resource access rights
Allowing public traffic to unpublished URLs or other internal endpoints
Accidentally leaving files or directories unprotected
These are just a few examples of security misconfigurations, but they open organizations up to a wide range of attacks. Misconfigurations give threat actors an attack vector to perform many types of injection attacks like cross-site scripting (XSS), code or command injection, buffer overflow exploits, and more.
A common security misconfiguration with Java applications is related to error handling. Nearly every Java application will eventually throw an exception, which means an error has occurred during runtime. Normally, Java developers aim to catch these exceptions and handle them properly, but uncaught exceptions often expose internal information like the stack trace by default. Malicious actors can use this information to understand the internal workings of the application to execute a security misconfiguration attack.
New security misconfigurations are constantly discovered as new open source software is released. That’s why many automated security scanning tools leverage vulnerability databases that are up-to-date with newly disclosed security issues and misconfigurations. The Snyk Intel Vulnerability Database tracks vulnerability data from multiple sources to ensure development teams have maximum coverage (370% more vulnerabilities than the next largest commercial vulnerability database) and can detect issues before they become a problem.
Security misconfigurations may seem inconsequential on the surface, but they can introduce substantial business risk. In fact, a recent survey found that the top concern CISOs had with cloud production environments was security misconfigurations that could lead to a data breach.
Capital One data breach
Capital One’s data breach, where a former Amazon employee stole more than 100 million consumer applications for credit, exemplifies the enormous impact even a minor security misconfiguration can have. The cause was a misconfigured open source web application firewall (WAF), which could be tricked to hand out backend resource credentials with unnecessary permissions. This minor misconfiguration enabled the malicious actor to access and download sensitive data from an S3 bucket.
Capgemini data breach
Similarly, Capgemini exposed the personal data of millions of jobseekers by failing to adequately configure a database on an IT provider’s development server. This enabled an unauthorized third party to easily access the sensitive data through the public Internet. Malicious actors constantly scan the internet for low hanging fruit like misconfigured databases to exploit.
Many threat actors see security misconfigurations as easy targets because they can detect and exploit them using automated tools, and they’re prevalent in many of today’s cloud native applications. In fact, our recent State of Cloud Native Application Security survey revealed that 69% of developers and security professionals have dealt with misconfigurations and unpatched vulnerabilities within their applications.
Since so many applications are at risk of security misconfigurations, it’s crucial for organizations to implement automated processes for detecting and remediating these vulnerabilities during development. That way, organizations can remove human error from the equation and prevent many security misconfigurations from being introduced in the first place.
Snyk IaC enables developers to write secure configurations for Terraform, Kubernetes, Helm, and more. This will help organizations prevent IaC misconfigurations from ever reaching production, stopping security misconfiguration attacks before they can become a problem.
Snyk can also scan nearly every software component to detect security misconfigurations or vulnerabilities across the entire modern cloud native application stack. By offering remediation advice in context, developers can learn to apply secure development and configuration practices to continuously improve the security posture of their applications going forward.
Securing Front-end Attack Surfaces