Jul 6, 17 3:23 pm

Was this post helpful?

Secure Application Configuration Basics

Jul 6, 2017
| by:
Sherif Koussa

In June of 2016 it was revealed that a database maintained by a large data brokerage company was hacked exposing 154 million US voter records and personal details like gun ownership, positions on gay marriage, and email addresses were retrieved. Database misconfiguration was the cause, the CouchDB database which stored the information was not configured to require authentication in order to access the voter records it held. Secure configuration practices could have ensured the database could only be accessed by authenticated users preventing the breach.

Secure configuration is a reflexive application and environment hardening process whose objective is to minimize an application’s attack surface. Numerous paths can be taken to reach this end including removing or disabling unnecessary application functions, modifying configuration defaults, customizing error messages, and ensuring deployed builds removing deployment files and credentials. Although these secure configuration practices represent only a few of those available they share a basic motivation, to simplify and minimize an application’s operational footprint while taking into consideration how the application interfaces with its environment.

Before You Start

Before developing secure configuration practices an operational baseline  should be established for the applications, plugins, scripts, and other software components your organization employs. Practically, this means taking an inventory of applications and software components that coexist with your own and tracking information like version numbers and upgrade paths. The more you know about your application and its environment the better positioned you are to ensure that the configurations being used are, and continue to be secure. Established best practices like those published by OWASP should be used to evaluate to your baseline and contrast your progress ensuring your secure configuration practices continue to improve.

Secure Configuration Strategies

There exist broad secure configuration strategies that organizations can implement to improve their security posture.

Minimize Attack Surface

The process behind minimizing the attack surface available to an attacker can be summarized with the idea that “simpler is better”. In practice this means simplifying functionality and limiting user access to only what is absolutely necessary for the task at hand. More concretely, an application with a single purpose will not have supplementary features, reflective of a larger code base, which increases the probability of coding errors with security implications being exploited. Promoting applications and functions that have a single purpose when possible will contribute to the development of more secure applications and environments.

Low Hanging Fruit

In many cases, practices that can enhance the security posture of an application are simple and inexpensive to implement. For example, forgetting to disable PHP’s “display_errors” in a build destined for a production could eventually reveal clues about how the application is structured giving attackers additional information they could use to break into your application.


Ensuring consistency in the processes your organization uses to transition between development and production environments will minimize changes that must be made when deploying a new build and reduce the possibility of misconfiguration. Although some elements like passwords will need to change, simplicity will promote security while also reducing time.

Deployment Orchestration

Deployment orchestration provides organizations with the opportunity to create and manage a set of secure configuration files for all applications and their environments in a central location. These tools facilitate quickly pushing updates to software, plugins, libraries, and their wider environments as they are approved using a timeline and process carefully controlled by administrators. Additionally, orchestration ensures through the use of an interval defined by administrators, an application, its environment, and any additional components remain configured in the manner originally defined by administrators by proactively reverting changes that don’t match the default specified by administrators.

Final Thoughts

Reducing an application’s attack surface, taking advantage of low hanging fruit, and employing automation afforded by orchestration are effective strategies which will reduce the possibility of human error contributing to a security bug. Ultimately, these secure configuration practices attempt to balance usability and security and care must be taken to ensure that the personal information users trust organizations with is managed carefully, where mistakes like forgetting to assign a username and password to a database holding the records of 154 million people aren’t disclosed carelessly.

Recommended Reading

Was this post helpful?

About the Author

Sherif Koussa
Sherif Koussa is OWASP Ottawa Chapter Co-Leader, Software Developer, Hacker, and founder and CEO of Software Secured and Reshift. In addition to contributing to OWASP Ottawa for over 14 years, Sherif contributed to WebGoat, and OWASP Cheat Sheets. Sherif also helped the SANS and GIAC organizations launch their GSSP-Java and GSSP-NET exams and contributed to a few of their courses. After switching from the software development field to the security field, Sherif took on the mission of supporting developers shifting security left, and ship more secure code organically.
Share This Post

Leave a Reply

Your email address will not be published.

Related Post

Mar 24, 2023 by Omkar Hiremath

What Are the Differences Between Different Open Source Fuzzing Tools

Read more

Was this post helpful?

Mar 21, 2023 by Cate Callegari

How Penetration Testing Can Make Your Development Team More Productive

Read more

Was this post helpful?

Jan 23, 2023 by Shimon Brathwaite

The Security Liabilities of 3rd Party Libraries

Read more

Was this post helpful?


301 Moodie Dr. Unit 108
Ottawa ON K2H 9C4

Designed by WP Expert
© 2023
Software Secured