A5 – Security Misconfiguration
Again, the OWASP has been very precise in defining the goals and motivations behind this security issue:
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
There are many implications related to the previous definition; some of them were already mentioned in Chapter 9, Architecture, when we discussed security in the ALM and mentioned S3: Secure by Design, Secure by Default, and Secure in Deployment.
S3 relates to this topic in a way. On the one hand, the design can come from a bad initial design, which doesn't relate to the Threat Model in a proper way, so security flaws are only discovered when it's too late and when they require patches.
The second point is also crucial. Only, the functionality needed...
