OWASP / Top10

Official OWASP Top 10 Document Repository

Security Misconfiguration mentions #251

Closed jhaddix closed 6 years ago

jhaddix commented 7 years ago

There are a number of very prevalent issues which could loosely be defined under "Security Misconfiguration". Is it possible to mention these at least in the description in the PDF?

See this poll:

https://twitter.com/Jhaddix/status/924304015856242688

sslHello commented 7 years ago

Hi Jason, thank you very much for your suggestions. The page is already very crowded, but I'll see if I can get some more generalized issues from your list into the security weakness section. Cheers Torsten

Neil-Smithline commented 7 years ago

I think we've seen mention of AWS misconfiguration of S3 in another issue. Out of the list @jhaddix has, that's the one I think is most important.

sslHello commented 6 years ago

We could add some more general examples to the 'security weakness' section (in italic text). I am sorry there seems not to be enough space for all topics: (1) "Security misconfiguration can happen at any level of an application stack, including the , network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers or storage. Automated scanners are useful for detecting misconfigurations, use of default accounts or configurations, unnecessary services, legacy options etc." OR we can add something like: (2) "All stages of software environments may be affected from development to production."

I'd like to open the discussion, what helps the most. Cheers Torsten
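To make concrete what an "automated scanner" for the weaknesses listed in the proposed text (default accounts, unnecessary services, legacy options, debug settings) and the S3 misconfiguration mentioned earlier in the thread actually checks, here is a small audit routine. It is an added example written for this page, not code from the OWASP Top 10 project or from anyone in the thread; the config dictionary, the bucket policy, the service allowlist and the placeholder password set are all constructed illustrations.

```python
"""Toy security-misconfiguration audit over constructed config data (added example)."""
import json

# Constructed sample: an app/server config as a scanner might collect it (not real data).
SAMPLE_APP_CONFIG = {
    "environment": "production",
    "debug": True,                              # debug left on in production
    "directory_listing": True,                  # web server lists directory contents
    "tls_protocols": ["TLSv1", "TLSv1.2"],      # legacy protocol still enabled
    "enabled_services": ["http", "telnet", "ftp"],
    "accounts": [
        {"user": "admin", "password": "admin"},  # default account never changed
        {"user": "deploy", "password": "Xk3#p9!vQ"},
    ],
}

# Constructed sample: a bucket policy granting anonymous read on every object.
SAMPLE_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

REQUIRED_SERVICES = {"http", "https"}                 # assumed allowlist for this host
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
PLACEHOLDER_PASSWORDS = {"admin", "password", "changeme", ""}  # illustrative only


def audit_app_config(cfg):
    """Return a list of finding identifiers for the weaknesses the text names."""
    findings = []
    if cfg.get("environment") == "production" and cfg.get("debug"):
        findings.append("debug-enabled-in-production")
    if cfg.get("directory_listing"):
        findings.append("directory-listing-enabled")
    for proto in cfg.get("tls_protocols", []):
        if proto in LEGACY_TLS:
            findings.append(f"legacy-protocol:{proto}")
    for svc in cfg.get("enabled_services", []):
        if svc not in REQUIRED_SERVICES:
            findings.append(f"unnecessary-service:{svc}")
    for acct in cfg.get("accounts", []):
        pw = acct.get("password", "")
        # A password equal to the username or a well-known placeholder is a default account.
        if pw == acct.get("user") or pw.lower() in PLACEHOLDER_PASSWORDS:
            findings.append(f"default-credential:{acct.get('user')}")
    return findings


def _is_anonymous(principal):
    """True when a policy statement's Principal means 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit_bucket_policy(policy):
    """Flag Allow statements open to anonymous principals with no Condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if "Condition" in stmt:
            continue  # still worth manual review, but not unconditionally public
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            findings.append(f"public-access:{stmt.get('Sid', '?')}:{action}")
    return findings


if __name__ == "__main__":
    for finding in audit_app_config(SAMPLE_APP_CONFIG) + audit_bucket_policy(SAMPLE_BUCKET_POLICY):
        print(finding)
```

Each check maps to one phrase of the proposed wording (default accounts, unnecessary services, legacy options, storage), which is the point: the weakness is broad, but every instance of it is a concrete setting that can be read and compared against an expected baseline.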

sslHello commented 6 years ago

We will do version (1).

sslHello commented 6 years ago

This also fits the comment about T10 in #279. Fixed by the commit above (c8f1b28).