From the course: OWASP Top 10: #5 Security Misconfiguration and #6 Vulnerable and Outdated Components

What is security misconfiguration?

- [Instructor] In order to understand the concept of security misconfiguration, it is helpful to first discuss the definition of the term configuration. A dictionary definition is as follows: an arrangement of elements in a particular form, figure, or combination. Developing web applications is fundamentally an exercise in organizing building blocks in a particular way to achieve a specific outcome. Sometimes I like to think of software engineering as a massive Lego project. This vulnerability category is about the idea that some configurations for web applications are more secure than others, and we as technology professionals should intentionally choose and support secure configurations while decreasing our use of insecure configurations.

Does your smartphone require a passcode or a biometric, like facial recognition or your fingerprint, in order to use it? If it does, that's a secure configuration. If it does not, pause this video and set one up right now. I'm serious. It's that important. (theatrical music) Do you have your phone set to automatically back up your data on a regular basis? Are you notified when software updates are available? Just like our phones, web applications have dozens and dozens of different settings. Each and every single one is an opportunity to choose a configuration, and some configurations are more secure than others. It's important to recognize that even configurations which you do not consciously choose, also known as default settings (the settings which are chosen by default when you first open up your new smartphone and take it out of the box), are still configuration choices that have a definitive impact on your risk profile.

80% of the breaches described in the Basic Web Application Attacks section of the 2022 Verizon Data Breach Investigations Report have to do with stolen credentials. You know what are some of the easiest credentials to steal? Default credentials that never get changed, like when the password to access an admin account is the word "admin". Another really easy way to steal credentials is to find them just lying around for anyone who can access the public-facing internet to take. An Amazon Web Services (AWS) S3 bucket is kind of like a file folder that's stored in the cloud on the internet. If credentials are stored in an S3 bucket and that S3 bucket is not protected by proper authentication, then they're available for anyone to access, view, and compromise. These are just a couple of common examples of security misconfigurations. In order to prevent these vulnerabilities from being exploited in an attack, someone has to make the intentional decision to change the configuration from an insecure setting to a more secure one.
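The unauthenticated S3 bucket mentioned above is the kind of misconfiguration a defender can audit mechanically. The following is an added example, not part of the course: it parses a bucket policy document and the bucket's Block Public Access settings and reports whether anonymous access is actually reachable. The policy, bucket name and account ID are constructed sample values.

```python
"""Added example (not course material): flag an S3 bucket whose policy grants
anonymous access and whose Block Public Access settings do not override it.
All sample data below is constructed."""
import json

# Constructed sample bucket policy: one statement lets anyone read objects,
# the other grants write access to a specific IAM role (account ID is a placeholder).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/Deploy"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed sample of the bucket's Block Public Access settings (everything off).
SAMPLE_BLOCK_PUBLIC_ACCESS = {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
}

def _is_anonymous(principal):
    """True when a statement's Principal is the wildcard, in either policy form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_statements(policy_json):
    """Return the Sids of Allow statements whose principal is anonymous."""
    policy = json.loads(policy_json)
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))]

def audit_bucket(policy_json, block_public_access):
    """RestrictPublicBuckets makes S3 ignore an existing public policy;
    BlockPublicPolicy only prevents a public policy from being attached."""
    findings = []
    public = public_statements(policy_json)
    if public and not block_public_access.get("RestrictPublicBuckets"):
        findings.append(f"anonymous access is live via statements {public}")
    if not block_public_access.get("BlockPublicPolicy"):
        findings.append("BlockPublicPolicy is off; public policies can be attached")
    return findings

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_POLICY, SAMPLE_BLOCK_PUBLIC_ACCESS):
        print("FINDING:", finding)
```

Turning on RestrictPublicBuckets and BlockPublicPolicy for the constructed bucket makes the audit return no findings, which is the "intentional decision" the instructor describes.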