
How are Security Misconfigurations Detected, Diagnosed and Determined?

Posted on August 26, 2020
4 min read

Security misconfiguration is one of the OWASP Top 10 web application risks. It weakens an organization's security posture out of proportion to its apparent simplicity because it is both common and easy to exploit, and the longer a misconfiguration goes unidentified or unaddressed, the more damage an attacker can do with it.

This article takes a deeper look at security misconfigurations and at how they are detected, diagnosed, and prevented.

What are Security Misconfigurations?

A security misconfiguration occurs when the configuration or security controls of any layer of the application stack (application, server, network, or anything in between) are not implemented properly, or are implemented with gaps and errors that leave an opening for attackers.

In a complex and dynamic IT landscape, misconfigurations can arise in any layer of that stack: servers, network services, platforms, frameworks, databases, and so on.

Examples

  • Directory listing is not disabled on the web server
  • Unpatched software, legacy options, unnecessary services, unused pages or features, and unprotected files or directories are left in place on the application
  • Debug mode is left enabled in the production environment
  • Unrestricted outbound connections to the internet are allowed from servers that do not need them
  • Unnecessary administrative ports are left open to the network

Why Do These Vulnerabilities Occur?


  • Human error is at the core of many misconfigurations.
  • The mindset of 'don't fix what isn't broken' leads developers and businesses to leave configurations unchanged even when they carry an underlying risk.
  • Default settings and configurations are left unchanged by webmasters and developers. Attackers rely on unchanged, insecure defaults (default credentials, for example) to run automated attacks against applications at scale.
  • Configurations that were incomplete, or meant to be temporary, are never revisited. An application that was safe in the development environment is then exposed to a high risk of attack in production.
  • Easily exploitable entry points are left in place: unpatched software, components, and libraries, outdated options, unnecessary services, rarely used pages or features, and so on.

Newer, more complex, and harder-to-detect security misconfigurations are emerging with:

  • The advent of hybrid data centers
  • Extensive use of public clouds and third-party components
  • Increasingly dynamic and complex applications, operating systems, frameworks, and workloads that are constantly upgraded or changed
  • Technologically diverse environments
  • Firewalls with loosely defined and overly permissive policies
  • Third-party vendors whose offerings lack visibility and/or a clear shared-responsibility model

How are Security Misconfigurations Detected, Diagnosed, and Determined?

1. Gaining Visibility into the Hybrid and Complex Environment

To prevent misconfigurations effectively and protect the application, organizations must first know what they have in their hybrid, complex environments. That requires gaining the right kind of visibility into the environment.

That means a real-time map of the entire ecosystem. Every asset, together with the communication paths and workflows between assets across the whole environment (on-premises, hybrid cloud, containers, microservices, and third-party, external, or shared components), must be accurately inventoried and mapped. The inputs are asset discovery scans, security scanning, network diagrams, spreadsheets, and IP address databases. An inventory is only as good as it is current, so it must be refreshed as assets are added, changed, and retired.

Visibility gives deep insight into the expected behaviour, performance, and health of each asset in the infrastructure, and a deviation from that expected behaviour is often the first sign of a misconfiguration.

For instance, the real-time communication and flow map may reveal that the application is returning verbose error messages containing internal data such as stack traces and file paths. Deeper diagnosis shows that the debugging mode used during development was never disabled when the application went live, and the business can fix it before an attacker finds it.

2. Scanning and Testing Internally and Externally for Misconfigurations

Once visibility into the environment, its assets, and their expected behaviour, communication, and workflows has been established, the application and all its assets must be scanned thoroughly for security misconfigurations, from both inside and outside the network perimeter. Known misconfigurations are readily identified by intelligent, automated scanners such as those from AppTrana. Manual testing remains essential for finding unknown vulnerabilities and for confirming whether known and unknown vulnerabilities are actually exploitable: a scanner finding is a lead, not proof of impact.
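As an added illustration of the kind of check an automated scanner performs (this is example code written for this article, not AppTrana's scanner), the following Python audits captured HTTP responses for the misconfigurations listed earlier: directory listing, debug output in production, unprotected sensitive files, and software version disclosure in response headers. The sample responses, the list of sensitive paths, and the debug marker strings are all constructed for the example; a real scanner would obtain the responses with an HTTP client and feed them to audit_response().

```python
"""Black-box detection of common security misconfigurations in HTTP responses.

Illustrative code written for this article; not Indusface/AppTrana code.
It runs offline over constructed responses. A real scanner would fetch each
path with an HTTP client and pass (path, status, headers, body) to
audit_response().
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    issue: str
    evidence: str


# Files and endpoints that should never be reachable from the internet (assumed list).
SENSITIVE_PATHS = {"/.env", "/.git/HEAD", "/config.php.bak", "/server-status"}

# Strings that only appear when a framework's debug/verbose-error mode is on (assumed list).
DEBUG_MARKERS = (
    "Traceback (most recent call last)",        # Python stack trace
    "Werkzeug Debugger",                        # Flask interactive debugger
    "Whoops, looks like something went wrong",  # Laravel debug page
    "Stack Trace:",                             # ASP.NET error page
)


def audit_response(path, status, headers, body):
    """Return the misconfiguration findings for a single HTTP response."""
    findings = []
    hdr = {name.lower(): value for name, value in headers.items()}

    # 1. Directory listing enabled: autoindex pages are titled "Index of /...".
    if status == 200 and re.search(r"<title>\s*Index of /", body, re.IGNORECASE):
        findings.append(Finding(path, "directory listing enabled", "<title>Index of /"))

    # 2. Debug mode left on: verbose errors leak paths, code and internal data.
    for marker in DEBUG_MARKERS:
        if marker in body:
            findings.append(Finding(path, "debug output in production", marker))
            break

    # 3. Unprotected file or endpoint served with 200 instead of 403/404.
    if path in SENSITIVE_PATHS and status == 200:
        findings.append(Finding(path, "sensitive file exposed", f"HTTP {status}"))

    # 4. Software version disclosed in headers; compare it against patch level separately.
    for name in ("server", "x-powered-by"):
        value = hdr.get(name, "")
        if re.search(r"\d+\.\d+", value):
            findings.append(Finding(path, f"version disclosed in {name}", value))

    return findings


def audit_site(responses):
    """Audit many responses, reporting each header version disclosure only once."""
    findings, seen = [], set()
    for path, status, headers, body in responses:
        for f in audit_response(path, status, headers, body):
            key = (f.issue, f.evidence) if f.issue.startswith("version disclosed") else (f.path, f.issue)
            if key not in seen:
                seen.add(key)
                findings.append(f)
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = [
    ("/", 200, {"Server": "Apache/2.4.29"}, "<html><body>Welcome</body></html>"),
    ("/uploads/", 200, {"Server": "Apache/2.4.29"},
     "<html><head><title>Index of /uploads</title></head><body>...</body></html>"),
    ("/api/orders", 500, {"Server": "Apache/2.4.29", "Content-Type": "text/plain"},
     "Traceback (most recent call last):\n  File \"/srv/app/orders.py\", line 41, in get\n"
     "KeyError: 'customer_id'\n"),
    ("/.env", 200, {"Server": "Apache/2.4.29"}, "DB_HOST=10.0.0.5\nDB_PASSWORD=changeme\n"),
    ("/admin", 403, {"Server": "Apache/2.4.29"}, "Forbidden"),
]

if __name__ == "__main__":
    for f in audit_site(SAMPLE_RESPONSES):
        print(f"{f.path:<14} {f.issue:<30} {f.evidence}")
```

Note what the checks do not prove: a version string in a Server header is evidence that the software may be unpatched, not that it is, and the 403 on /admin only shows the page is protected, not that it is unreachable from elsewhere. Those are the questions manual testing answers after the scanner has produced its leads.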

3. Prevention of Misconfigurations


After gaining full visibility into the environment and detecting and assessing the risk of the security misconfigurations found, the critical assets and infrastructure must be identified and prioritized.

Unnecessary communication with critical infrastructure must be blocked using a micro-segmentation approach, so that even if a vulnerability is exploited, the attacker cannot move on to sensitive information or critical assets.

Further, the misconfigurations themselves must be remediated and the security posture strengthened: updating software, removing legacy and unused features, changing default configurations, disabling debug mode and directory listing in production, and so on.
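One way to keep development defaults from reaching production, added here as an illustration rather than as code from the article or from AppTrana, is a fail-closed start-up check. The setting names (DEBUG, SECRET_KEY, DIRECTORY_LISTING, ADMIN_BIND), the list of known placeholder secrets, and the two sample configurations are assumptions modelled on a typical web-framework configuration dict. The check refuses to start the application when the environment is production and any setting still carries an unsafe value, and it treats an unstated environment as production.

```python
"""Fail-closed start-up check against development defaults reaching production.

Illustrative code written for this article; not code from the article or
from AppTrana. Setting names and the list of known default secrets are
assumptions modelled on a typical web-framework configuration dict.
"""
import os

# Placeholder secrets that ship in starter templates and must be replaced (assumed list).
KNOWN_DEFAULT_SECRETS = {"", "changeme", "dev-secret", "please-change-me"}
MIN_SECRET_LENGTH = 32


def check_production_settings(settings, environment):
    """Return a list of violations; an empty list means the settings may go live.

    Non-production environments are not checked, so developers keep their
    debug tooling, but only an explicit non-production value skips the check.
    """
    if environment != "production":
        return []
    violations = []
    if settings.get("DEBUG", False):
        violations.append("DEBUG is enabled; verbose errors would leak internals")
    secret = settings.get("SECRET_KEY", "")
    if secret in KNOWN_DEFAULT_SECRETS or len(secret) < MIN_SECRET_LENGTH:
        violations.append("SECRET_KEY is a known default, empty, or too short")
    if settings.get("DIRECTORY_LISTING", False):
        violations.append("DIRECTORY_LISTING is enabled")
    if settings.get("ADMIN_BIND", "127.0.0.1") == "0.0.0.0":
        violations.append("ADMIN_BIND exposes the admin interface on all interfaces")
    return violations


def load_settings(settings, environment=None):
    """Return settings if they pass, otherwise refuse to start.

    If the environment is not stated it is assumed to be production (fail closed):
    an operator who forgot to set APP_ENV gets a refusal, not a debug-enabled app.
    """
    env = environment or os.environ.get("APP_ENV") or "production"
    violations = check_production_settings(settings, env)
    if violations:
        raise SystemExit("Refusing to start in production:\n  " + "\n  ".join(violations))
    return settings


# Constructed configurations: a developer's defaults and a hardened production set.
DEV_SETTINGS = {"DEBUG": True, "SECRET_KEY": "dev-secret",
                "DIRECTORY_LISTING": True, "ADMIN_BIND": "0.0.0.0"}
PROD_SETTINGS = {"DEBUG": False,
                 "SECRET_KEY": "5f2c1d9e7a3b4c6d8e0f1a2b3c4d5e6f7a8b9c0d",  # constructed, not a real key
                 "DIRECTORY_LISTING": False, "ADMIN_BIND": "127.0.0.1"}

if __name__ == "__main__":
    for v in check_production_settings(DEV_SETTINGS, "production"):
        print("dev defaults in production:", v)
    load_settings(PROD_SETTINGS, "production")
    print("production settings accepted")
```

The same function can run as a pipeline gate before deployment, so that a temporary configuration is caught when it is promoted rather than after it has been live for months.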

Conclusion

With many possible variations and combinations, attacks that exploit security misconfigurations succeed at a high rate. Given how critical web application security and data privacy and confidentiality are, proactively detecting and mitigating security misconfigurations is a matter of business continuity. Remember that detecting and mitigating misconfigurations is not a one-time action: it must be repeated regularly, and ideally automated as part of every deployment, to maintain a robust security posture.



Ritika Singh
