Definition

What is Security Misconfiguration?

The most prevalent web application vulnerability class, arising from incorrectly configured cloud services, application frameworks, databases, web servers, or network infrastructure. Common examples include default credentials left unchanged, overly permissive S3 bucket policies, unnecessary features enabled, verbose error messages exposing stack traces, and missing HTTP security headers. Security misconfiguration topped the OWASP Top 10 in 2021 and is frequently the easiest vulnerability to discover and exploit in a penetration test.

Related terms

OWASP Top 10 →

A regularly updated consensus list of the ten most critical security risks to web applications, published by the Open Web Application Security Project (OWASP).

Attack Surface →

The sum of all potential entry points where an unauthorized user could attempt to enter, extract data from, or disrupt a system — including exposed network ports, APIs, web interfaces, authentication endpoints, third-party integrations, and human-facing channels such as email.

Vulnerability Assessment →

A systematic process of identifying, classifying, and prioritizing security weaknesses in a system without attempting to exploit them.

Defense in Depth →

A security strategy that layers multiple independent controls so that the failure of any single control does not result in a complete breach.

Put this into practice

Autonomous OWASP vulnerability scanning →

See how Penetrify's autonomous AI agents find and validate this class of security issue in your application.