How to Keep Your Web Servers Secure

The good news is that Web servers have come a long way in terms of security. But to err is human, even for IT and security people.

When the security industry thinks about breaches caused by human error, the image of an employee accidentally clicking on a malicious link in a phishing email often comes to mind. But to err is human, even for IT and security people, especially when it comes to Web servers.


Web servers themselves have come a long way in terms of security. Think back to the nascent days of Apache and how the server earned its name. "It was, 'A-PAtCHy server' based on applying a number of patch files against an older server platform," says Geoff Walton, senior security consultant at TrustedSec.


But the industry has moved beyond that world. Today, whether you are running Apache, IIS, Nginx, or some combination thereof, "all of these and some others have benefited from years of hardening and security improvements," Walton says. "Most Web security challenges today are really found in the applications running on those servers."


If Servers Are Misconfigured

Configuration errors made by administrators are probably the biggest risks to Web servers themselves in modern deployments, according to Walton.


Server misconfiguration issues include "inappropriate directory permissions, running the server itself as an account with excessive privileges, enabling handlers or plugins for scripts, and APIs that are not needed or should be restricted to specific applications or documents," he says. "These and the selection of weak SSL/TLS cipher algorithms are all still common problems."
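As an added illustration of three of the misconfiguration classes Walton lists (not code from the article or from any vendor), the following audits an Apache httpd configuration snippet for a server running as root, risky handlers left enabled, and weak SSL/TLS protocol or cipher selections. The lists of weak tokens and both sample configurations are constructed assumptions, and the protocol parsing is a simplification of Apache's directive semantics.

```python
"""Audit an Apache httpd config snippet for three misconfiguration classes named
above: excessive privileges, unneeded handlers, and weak SSL/TLS settings.
Added example; weak-token lists and the two sample configs are constructed."""
import re

WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}           # assumed "should not be offered"
WEAK_CIPHER_TOKENS = {"NULL", "aNULL", "eNULL", "EXPORT", "LOW", "RC4", "DES", "3DES", "MD5"}
RISKY_HANDLERS = {"cgi-script", "server-status", "server-info"}  # disable unless needed

def audit_apache_config(text):
    """Return a list of (directive, reason) findings; empty means nothing flagged."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # drop comments/blank lines
        if not line:
            continue
        directive, *args = line.split()
        name = directive.lower()
        if name == "user" and args and args[0] == "root":
            findings.append((directive, "server process runs as root"))
        elif name == "sslprotocol":
            # Simplified Apache semantics: "all" enables every version, "-X" removes one,
            # "+X" or a bare "X" adds one.  Whatever remains enabled is checked.
            enabled = set()
            for tok in args:
                if tok == "all":
                    enabled |= WEAK_PROTOCOLS | {"TLSv1.2", "TLSv1.3"}
                elif tok.startswith("-"):
                    enabled.discard(tok[1:])
                else:
                    enabled.add(tok.lstrip("+"))
            for proto in sorted(enabled & WEAK_PROTOCOLS):
                findings.append((directive, f"weak protocol enabled: {proto}"))
        elif name == "sslciphersuite":
            # OpenSSL cipher strings are ':'-separated groups; '!'/'-' groups are exclusions.
            for group in " ".join(args).split(":"):
                if group[:1] in ("!", "-"):
                    continue
                if set(re.split(r"[-+]", group)) & WEAK_CIPHER_TOKENS:
                    findings.append((directive, f"weak cipher group: {group}"))
        elif name in ("addhandler", "sethandler"):
            for handler in set(args) & RISKY_HANDLERS:
                findings.append((directive, f"handler enabled: {handler}"))
    return findings


# Constructed samples: a weak configuration and a hardened counterpart.
WEAK_CONFIG = "User root\nSSLProtocol all\nSSLCipherSuite HIGH:RC4-SHA:DES-CBC3-SHA\nAddHandler cgi-script .cgi"
HARDENED_CONFIG = "User www-data\nSSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\nSSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES"
```

Running `audit_apache_config(WEAK_CONFIG)` yields seven findings, while the hardened counterpart yields none; directory permissions, the remaining item in Walton's list, live on the filesystem rather than in the config file and need a separate check.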


According to WhiteHat Security, unnecessary default an ..