Security Misconfigurations: How They Happen, Common Examples, Prevention
A security misconfiguration is when incorrect security settings are applied to devices, applications, or data in your infrastructure.
Wiz Experts Team
Main takeaways from this article:
Security misconfigurations occur when systems, applications, or data have incorrect settings, making them vulnerable to attacks or exposing sensitive resources.
Security misconfiguration is category A05:2021 on the OWASP Top 10, ranked above vulnerable and outdated components (A06), data integrity failures, and SSRF.
Types of misconfigurations include leaving default credentials unchanged, failing to secure environments, exposing excessive error details, and enabling unused features.
Misconfigurations can lead to data breaches, unauthorized access, expanded attack surfaces, service downtime, fines for regulatory violations, and damaged reputations.
Regular updates, system hardening, strong access controls, secure coding practices, and using CSPM tools can effectively prevent misconfigurations.
What is a security misconfiguration?
A security misconfiguration is when incorrect security settings are applied to devices, applications, or data in your infrastructure. Misconfigured security settings usually introduce vulnerabilities or cause sensitive resources and actions to be exposed to unprivileged users.
Misconfigurations can occur for many different reasons, including:
Human error during manual setup and configuration.
Unchanged defaults for credentials, certificates, or installation options.
Outdated and unpatched software with vulnerabilities.
Overly permissive access to users, apps, or services.
Exposed access keys that are improperly secured.
Unrestricted network access due to a misconfigured firewall, open port, or insecure API.
Most of these are a combination of human error and the absence of a control that would catch it. For example, an overly broad bucket policy or ACL on an AWS S3 bucket can make its objects readable by a far wider audience than intended, and nothing stops the change unless a guardrail such as S3 Block Public Access or a policy scanner is in place.
This kind of mistake is usually the product of complex policy grammar, an overlooked public-access or permission setting, insufficient testing, and a fast-paced, high-pressure work environment.
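The S3 example above is the kind of check a policy scanner or pre-deployment test performs. The following is an added example, not code from the original article: it parses a bucket policy and flags Allow statements whose principal is the anonymous "*" and that carry no Condition. Both policies are constructed for illustration, and the bucket name and VPC endpoint ID are placeholders.

```python
"""Flag S3 bucket policy statements that grant access to everyone.

Added example (not from the original article).  Both policies below are
constructed; the bucket name and the vpce- ID are placeholders.
"""
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> list:
    """The policy grammar allows a string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal: Any) -> bool:
    """True for both spellings of the anonymous principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return Allow statements open to any principal.

    Each finding records whether a Condition is present.  A Condition such as
    aws:SourceVpce or aws:PrincipalOrgID usually narrows a wildcard principal,
    but one keyed on a client-controlled value (aws:Referer, for instance)
    does not, so the reviewer still has to read it.  Deny statements are
    skipped because they only remove access.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


def unconditioned_public(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """The findings worth paging someone about: wildcard principal, no Condition."""
    return [f for f in find_public_statements(policy) if not f["conditioned"]]


# Constructed policy: meant to serve assets to an internal VPC endpoint, but
# the Condition was forgotten, so the whole bucket is world-readable and
# world-listable.
PUBLIC_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ServeAssets",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-assets", "arn:aws:s3:::example-assets/*"]
  }]
}
""")

# Corrected: same intent, but only requests arriving through the named VPC
# endpoint are allowed, and listing the bucket is no longer granted.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ServeAssets",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-assets/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
  }]
}
""")

if __name__ == "__main__":
    for name, pol in (("public", PUBLIC_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(find_public_statements(pol), indent=2))
```

The scanner is deliberately conservative: it reports a conditioned wildcard as a lower-severity finding rather than dismissing it, because whether the Condition actually restricts access depends on which keys it uses. Account-level S3 Block Public Access remains the backstop for the statements this kind of check does not anticipate.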
What is OWASP Top 10 A05:2021?
The latest edition of OWASP's Top 10, a study that analyzes common categories of web application security problems, ranks security misconfiguration as the fifth most serious risk. Accordingly, it carries the OWASP classification A05:2021 (the categories are labeled A01–A10 in order of severity).
This places misconfigurations above vulnerable and outdated components, software and data integrity failures, and staple attack techniques such as SSRF. OWASP reported that about 4% of tested applications had some form of security misconfiguration.
Types of security misconfigurations
Security misconfigurations can occur for several different reasons. Yet no matter the reason, the end result is that inappropriate settings or inaction on the part of development teams causes a weakening of your security posture.
Here are the most common kinds of misconfigurations:
Accepting default settings
Default configurations seem convenient, but they're frequently a security risk. Not changing the default credentials for your apps, services, and infrastructure can allow attackers to gain access using predictable values, for example. Applications frequently provision accounts using default credentials that are publicly available in their documentation or open source code; as a result, attackers will target deployments of these apps as there’s a chance the known credentials will still be in use.
Similarly, systems should be provisioned with production-ready encryption, signing, and certificate keys before they're deployed into your environments; a vendor-shipped sample key is as public as a vendor-shipped default password. That's why it's a good idea to implement a solution that can detect misconfigurations in popular application components such as databases and secrets stores.
Pro tip: Wiz data shows that about 20% of all organizations have at least one misconfigured application that can lead to either RCE or information disclosure.
Even software that's billed as production-ready out of the box can benefit from additional hardening steps that close loopholes and reduce your attack surface. Kubernetes, for example, has been the subject of multiple hardening guides, such as this one from the NSA and CISA, and has dedicated security management strategies that you should implement to get the best protection.
Noisy logs and error reports
During development, engineers often configure apps to write extra information into their logs and error reports. Though it assists debugging efforts, including this low-level technical info can pose a security threat if the logging level isn't reduced before deployment.
Web applications are particularly vulnerable because logs and stack traces can end up being displayed in a user's browser. This information could be helpful to attackers wanting to understand how your system functions; it may also directly expose sensitive information, such as when user details are included in the logs.
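The following is an added example, not code from the original article, showing the two behaviours described above in a framework-free error handler: with debug enabled the client receives the stack trace and the raw request path; with it disabled the client gets an opaque incident ID while the trace is logged server-side with sensitive parameters redacted. The request path, the user values, and the failing lookup are all constructed; `render_error` stands in for the exception handler you would register with Flask, Django, or FastAPI.

```python
"""Verbose versus hardened error responses for a web handler.

Added example, not from the original article.  Framework-free so it runs
stand-alone: render_error plays the role of the exception handler you would
register with your web framework.  All request data below is constructed.
"""
import logging
import re
import traceback
import uuid
from typing import Dict, Tuple

log = logging.getLogger("app")

# Parameter names whose values must never reach a log line or a response body.
SENSITIVE = re.compile(r"(password|token|secret|authorization)=[^&\s]+", re.IGNORECASE)


def redact(text: str) -> str:
    """Mask the values of sensitive key=value pairs wherever they appear in text."""
    return SENSITIVE.sub(lambda m: m.group(0).split("=", 1)[0] + "=[REDACTED]", text)


def render_error(exc: Exception, request_path: str, debug: bool) -> Tuple[int, Dict[str, str]]:
    """Build an HTTP 500 response for an unhandled exception.

    debug=True reproduces the leaky development behaviour: the full stack
    trace (file paths, line numbers, the exception message) and the raw
    request path go straight to the client.

    debug=False is the production behaviour: the client gets only an opaque
    incident id; the trace is logged server-side with sensitive parameters
    redacted, so an operator can still correlate the two.
    """
    tb = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    if debug:
        return 500, {"error": str(exc), "path": request_path, "traceback": tb}

    incident = uuid.uuid4().hex
    log.error("incident=%s path=%s\n%s", incident, redact(request_path), redact(tb))
    return 500, {"error": "Internal server error", "incident_id": incident}


def simulate(debug: bool) -> Tuple[int, Dict[str, str]]:
    """Raise a realistic failure and run it through the handler."""
    path = "/login?user=alice&password=hunter2"  # constructed request
    try:
        # Constructed bug: a cache miss whose message embeds a secret.
        raise KeyError("session token=abcdef123456 not found in cache")
    except KeyError as exc:
        return render_error(exc, path, debug)


if __name__ == "__main__":
    for mode in (True, False):
        print("debug" if mode else "prod", simulate(mode)[1])
```

Note that redaction is applied to the traceback as well as the path: exception messages routinely interpolate the very value that failed, so a log sink that is "internal" still ends up holding credentials unless the handler scrubs them.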
Outdated software and disabled security features
The use of outdated systems isn't always classified as a misconfiguration; OWASP treats it as a separate category. Running a version with known vulnerabilities when a fix is available is still a configuration decision, though, and leaving legacy SSL/TLS protocol versions or weak cipher suites enabled on a fully patched server is a misconfiguration in its own right. The mirror image is also common: upgrading to a newer release without enabling the security features it introduces, which leaves you with the same posture as before the upgrade.
Enabling unused features
The extent of your potential attack surface ultimately depends on the number of apps, services, and features you use. Keeping unused features enabled increases your risk without contributing any value to your organization.
Apps that include optional network capabilities are especially susceptible to this problem. For instance, Docker can be configured to expose its daemon socket over TCP so that remote clients can interact with your installation. Anyone who can reach that socket can start containers as root on the host, so if you don't actually need remote access to your Docker host, this option is best left disabled so it can't possibly be abused by attackers. Using host-level tools to enforce OS-level configuration requirements is one way to prevent your attack surface from being widened by unused features that have been left enabled.
Improper access controls
Granting a user account too many permissions, forgetting to secure a resource, and implementing insecure authentication systems (such as not using MFA requirements) all create a risk that bad actors could manipulate your data or infrastructure. To mitigate this risk, use a CSPM solution that can enforce consistent access control requirements.
Risks of security misconfigurations
Security misconfigurations can open the door to serious risks, from data breaches to reputational harm. These issues often result from avoidable errors like weak access controls, unpatched systems, or unnecessary features being enabled. Let's explore how these oversights can impact organizations:
Data breaches: Imagine sensitive customer data sitting in an unencrypted database or accessible due to misconfigured permissions. These mistakes can lead to data breaches, where attackers exploit exposed information for financial gain or to fuel larger attacks. The fallout isn’t just about lost data—regulatory fines, legal fees, and recovery efforts can cost millions and disrupt business operations for months.
Unauthorized access: Missteps such as overly permissive access controls or weak authentication can allow attackers to gain unauthorized access to critical systems. Once they infiltrate, attackers may steal data, escalate privileges, or leverage the compromised system to launch additional breaches. These actions undermine security and can disrupt your organization's operations significantly.
Increased attack surface: Every misconfiguration—be it an exposed API, open port, or unpatched system—broadens your attack surface, creating new opportunities for attackers. Reducing these unnecessary exposures is critical. By regularly reviewing and securing entry points, organizations can limit the vectors available for potential exploits.
Service downtime: Network misconfigurations, improper load balancer settings, or unchecked changes can lead to outages. For industries like healthcare or financial services, downtime doesn’t just mean inconvenience—it affects critical operations, erodes customer trust, and can lead to significant financial losses.
Regulatory non-compliance: Failing to secure sensitive data can violate regulations like GDPR or HIPAA, triggering audits, fines, and legal consequences. Beyond the financial penalties, non-compliance can strain resources and erode relationships with stakeholders who depend on your organization’s reliability.
Reputational damage: A single security incident caused by a misconfiguration can tarnish a company’s reputation. Breaches often dominate headlines, causing customers and partners to question your reliability. Repairing lost trust takes time and can impact your ability to grow or maintain business relationships.
Real-world examples of security misconfigurations
Think that security misconfigurations are just theoretical issues that nobody actually encounters? Then it's time to think again. As the following section demonstrates, several major security incidents were caused by a relatively simple misconfiguration:
BingBang: Compromising internal Microsoft apps
BingBang is the name Wiz gave to a widespread misconfiguration in applications that use Azure Active Directory (now Microsoft Entra ID) for sign-in. We found that around 25% of the multi-tenant Azure AD applications we examined, including several first-party Microsoft apps, were configured to accept logins from any tenant but did not validate which tenant issued the token, so a Microsoft account from an unrelated Azure tenant could sign in. One of the affected apps controlled Bing search results, which is where the name comes from.
Hell's Keychain: Unauthorized access to IBM PostgreSQL databases
In December 2022, we demonstrated how a SQL injection in IBM Cloud Databases for PostgreSQL could be escalated to superuser on the database and from there to code execution on the underlying node, giving a path into the Kubernetes cluster that hosted the instance and potentially into databases owned by other IBM customers.
The full attack chain depended on three improperly exposed secrets (a Kubernetes service account token, a private container-registry password, and CI/CD server credentials) combined with overly permissive network access to IBM's internal build servers. The SQL injection let researchers escape their database instance into the hosting cluster; the exposed service account token then facilitated further jumps into private areas, up to the build pipeline that produced customer database images.
ChaosDB: Unrestricted access to Azure databases
Back in 2021, we disclosed ChaosDB, an attack that allowed access to other customers' Azure accounts and data. The entry point was the Jupyter Notebook feature in Microsoft's Cosmos DB managed database service, which had been enabled by default for every account. A series of misconfigurations in that feature allowed a string of privilege escalations that revealed secret keys, including primary keys granting full read, write, and delete access to other customers' databases. Those keys should never have been reachable from a customer's environment but were accessible for months or possibly years.
Best practices to prevent security misconfigurations
The following steps are relatively simple measures that will allow you to take control of your security configurations:
Regularly update software and review hardening guides
Keeping software updated helps ensure you're not unintentionally using outdated, insecure, or deprecated features that keep you at risk. But as we've discussed above, this isn't enough to ensure maximum protection. You must also make conscious efforts to harden your environment, such as by disabling unused features and adhering to any vendor-provided security guides.
Practice secure coding methods
Developers must utilize secure coding practices to prevent misconfiguration issues that originate in your own source code. Hardcoded secrets (such as passwords and API keys), excessively verbose logs, missing encryption for sensitive data, and convoluted software supply chains are all issues that developers can take ownership of.
Code should also be subject to static and dynamic security tests that are configured as part of automatedCI/CD pipelines, preventing detectable security vulnerabilities from ever being deployed.
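The following is an added example, not code from the original article: a minimal stand-in for the secrets-scanning step a CI pipeline would run over a diff before it can merge. It combines a provider-specific pattern (the AWS access key ID format) with a generic "sensitive name assigned a quoted literal" rule, and uses Shannon entropy to drop obvious placeholders such as "changeme". The source snippet is constructed; AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS's own documentation, and the other key value is made up.

```python
"""Scan source lines for hardcoded credentials before they reach a commit.

Added example, not from the original article.  The snippet scanned below is
constructed; AKIAIOSFODNN7EXAMPLE is the placeholder key AWS uses in its
documentation and the api_key value is made up.
"""
import math
import re
from typing import List, Tuple

# Provider-specific formats are the highest-confidence signal.  AWS access key
# IDs are "AKIA" (long-term) or "ASIA" (temporary) followed by 16 characters.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

# Generic rule: a sensitive-looking name assigned a quoted literal of useful
# length.  No leading \b, so DB_PASSWORD and x-api-key style names still match.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys sit well above prose or dictionary words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_for_secrets(lines: List[str], min_entropy: float = 3.0) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule, matched_value) for each suspected secret.

    The entropy threshold filters out obvious placeholders ("changeme",
    "xxxxxxxx") that the generic rule would otherwise report.  It is tuned
    loosely on purpose: a false negative here costs more than a false positive
    that a reviewer dismisses.  Comment lines are scanned too, since secrets
    pasted into comments are just as valid to an attacker.
    """
    findings = []
    for no, line in enumerate(lines, start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append((no, "aws-access-key-id", m.group(0)))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) >= min_entropy:
                findings.append((no, "hardcoded-credential", value))
    return findings


# Constructed snippet standing in for a file under review.
SAMPLE_SOURCE = """\
import boto3
# Tip: read credentials from the environment or an instance role.
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "changeme"
api_key = 'sk_live_9xQ2mT7vLp4Rz8Kd3nWb6Yh1'
session = boto3.client("s3", aws_access_key_id=AWS_KEY)
""".splitlines()

if __name__ == "__main__":
    for no, rule, value in scan_for_secrets(SAMPLE_SOURCE):
        print(f"line {no}: {rule}: {value}")
```

Two rules are enough to show the shape of the check; production scanners ship hundreds of provider patterns and also verify candidates against the provider's API where possible, which is what separates a live key from a revoked one in the findings.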
Enforce least-privilege access controls
Correct use of access controls is vital to keep your data and infrastructure protected. You should follow best practices such as the principle of least privilege to avoid the dangers of over-privileged accounts. Similarly, access tokens should be scoped to specific resources and assigned short, non-renewable expiration times that make it harder for attackers to gain persistent control of your systems.
Over 90% of cloud security teams were not aware they had granted high permissions to third-party vendors.
Wiz Research Team's study of 1,300 AWS accounts
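The following is an added example, not code from the original article, showing what "scoped to specific resources with a short, non-renewable expiry" looks like in a token issuer and verifier. It uses a stand-alone HMAC-signed format so it runs without a library; a real deployment would carry the same claims in a JWT or PASETO issued by your identity provider. The signing key, the subject, the scope strings, and the clock values are constructed.

```python
"""Mint and verify short-lived, resource-scoped access tokens.

Added example, not from the original article.  Stand-alone HMAC token format
so it runs without a library; the claims (sub, scope, iat, exp, jti) are the
same ones you would put in a JWT.  The key below is constructed and must not
be reused anywhere.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional

TOKEN_TTL = 300  # five minutes: long enough for a job, short for an attacker

# Constructed key; in practice it comes from a secrets manager, never source.
KEY = b"example-signing-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(key: bytes, subject: str, scope: List[str], now: Optional[float] = None) -> str:
    """Issue a token bound to specific resources with a fixed expiry.

    There is deliberately no refresh claim: when the token expires the caller
    must re-authenticate, which is what limits the value of a stolen copy.
    """
    now = time.time() if now is None else now
    claims = {
        "sub": subject,
        "scope": sorted(scope),
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL,
        "jti": secrets.token_hex(8),  # unique id, so a leaked token can be revoked by id
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify(key: bytes, token: str, required_scope: str, now: Optional[float] = None) -> Optional[Dict]:
    """Return the claims if the token is authentic, unexpired and scoped for
    required_scope; otherwise None.

    The signature is checked first, and in constant time, so an attacker
    cannot learn anything about claim handling from a forged body.
    """
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    if required_scope not in claims.get("scope", []):
        return None
    return claims


if __name__ == "__main__":
    tok = mint(KEY, "ci-runner", ["read:bucket/artifacts"])
    print(tok)
    print(verify(KEY, tok, "read:bucket/artifacts"))
    print(verify(KEY, tok, "write:bucket/artifacts"))  # None: out of scope
```

The scope string is the resource the token may touch, not a role name; a verifier that checks it per request is what turns "least privilege" from a policy statement into something a stolen token actually runs into.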
Implement a threat awareness program
Educating developers, users, and executives about the threats posed by misconfigurations—and how easily they can occur—is one of the best long-term initiatives you can pursue. Creating a threat awareness program will support individuals in understanding what they should do to protect themselves and their organization. When people know to question the default settings, they'll be much more likely to actually harden new applications they deploy.
Use a CSPM solution
Get comprehensive long-term protection by selecting a dedicated cloud security posture management (CSPM) tool. CSPM comprises tools and processes that give you visibility into your organization's security, including the ability to detect and resolve dangerous misconfigurations. CSPM platforms support your security stance by automatically scanning for misconfiguration vulnerabilities, enforcing your policies, and providing alerts when new threats are detected.
Security misconfigurations occur when inappropriate or incorrect settings are applied to software systems and their environments. We've covered several different types of these misconfigurations above, as well as best practices you can use to prevent them from appearing in your own infrastructure.
For the greatest security protection, use a CSPM platform that detects, alerts on, and prevents misconfigurations in real time, based on policies and rules you define. Here at Wiz, we provide contextual CSPM for your entire cloud infrastructure. Want complete visibility and control over your cloud security? Get a demo today.