Published Dec 1, 2013

OWASP and You - Application Security in .NET

    Delve into the intricacies of application security in .NET as experts explore the importance of proper security configurations, the role of OWASP's initiatives like the Top 10 guide, and essential strategies to combat vulnerabilities such as cross-site scripting and SQL injection.
    Episode Highlights

    • Configurations

      Improper security configurations in applications and servers can lead to significant vulnerabilities. Alan Underwood highlights how software often ships insecure by default, making it crucial to lock down privileges and avoid default passwords [1]. Michael Outlaw adds that verbose error pages and unencrypted passwords in web.config files are common pitfalls [2]. Joe Zack emphasizes keeping software up to date so that known vulnerabilities cannot be exploited [1].

      If you haven't patched your server in six months, well, you know, it's on you.

      --- Alan Underwood

      Ensuring proper configurations requires awareness and proactive management of server settings and software updates.


    • Credential Risks

      Poor credential management poses serious risks, such as the use of default passwords and a lack of encryption. Michael Outlaw discusses how session IDs in URLs can lead to unauthorized access, especially when a URL is shared inadvertently on social media [3]. Alan Underwood suggests cookie-based session management so that session IDs never appear in URLs [3]. Joe Zack warns that long session timeouts on public computers leave accounts vulnerable [3].

      Exposing things in the URL is never a great idea.

      --- Joe Zack

      Implementing best practices in credential management is essential to safeguard against unauthorized access and data breaches.
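      As an added example that is not from the episode or from Coding Blocks, the following ASP.NET (System.Web) web.config fragment shows the hardened setting for each pitfall the two highlights above mention: verbose error pages, plaintext passwords in web.config, session IDs carried in the URL, and long session timeouts. The application name, database host, user and password values are placeholders; the weak value each setting replaces is noted in a comment.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example: hardened ASP.NET web.config fragment.
     Host, user and password values are placeholders, not real credentials. -->
<configuration>
  <connectionStrings>
    <!-- Plaintext password in web.config (weak): store the secret here only
         until the section is encrypted in place with
         aspnet_regiis -pe "connectionStrings" -app "/APP_NAME_PLACEHOLDER",
         after which the runtime decrypts it transparently. -->
    <add name="AppDb"
         connectionString="Server=DB_HOST_PLACEHOLDER;Database=App;User Id=APP_USER_PLACEHOLDER;Password=PASSWORD_PLACEHOLDER;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- Verbose error pages (weak: mode="Off" and debug="true" expose stack
         traces and source lines to remote clients). -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />
    <compilation debug="false" />

    <!-- Session ID in the URL (weak: cookieless="UseUri" or "AutoDetect").
         Long timeout on a shared computer (weak: timeout="480"). -->
    <sessionState cookieless="UseCookies" timeout="20" />

    <!-- Session and auth cookies: unreadable by script, sent only over TLS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authentication mode="Forms">
      <forms requireSSL="true"
             cookieless="UseCookies"
             slidingExpiration="false"
             timeout="20" />
    </authentication>

    <!-- Version disclosure via the X-AspNet-Version response header. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>
```

      A quick check after deploying: request a page that throws, and confirm from a remote client that only the generic error page is returned; then inspect the response headers and confirm the session cookie carries the HttpOnly and Secure flags and that no session ID appears in any redirected URL.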
