Difference between revisions of "Cloud-10 Infrastructure Security"
From OWASP
Vinaykbansal (talk | contribs) (Created page with '==R9:Infrastructure Security== Category:OWASP Cloud ‐ 10 Project __NOTOC__ <headertabs/>')
Ove Hansen (talk | contribs) (→R9:Infrastructure Security)
Line 1: | Line 1: | ||
− | ==R9:Infrastructure Security== | + | == R9:Infrastructure Security == |
+ | Security Risks | ||
+ | <br> | ||
+ | #Default configurations of systems and network devices | ||
+ | #All services, even active, unused ones, may contain security related bugs that potentially can be exploited. | ||
+ | #Compromised services may be used as "hop-off" points to other services, unless they are contained. For example, a compromised web service may lead to a compromised backend database, if the database can be reached directly from the web tier. | ||
+ | #Active network protocols, and open ports, may be exploited even if they are not used in the solution architecture | ||
+ | #Administrative access may be abused, either deliberately by the administrators, or through compromised administrative accounts. Furthermore administrative access can cause disruption through accidents | ||
+ | #All code (application, OS, network) will contain security related bugs, and configurations may contain configuration mistakes, that can be exploited. | ||
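Review bot: the bare `<br>` after "Security Risks" is a line break standing in for a heading; since the rendered page uses "Security Risks" and "Countermeasures" as section labels, a wiki sub-heading such as `=== Security Risks ===` would make that explicit and the `<br>` could go. In the same list, items 1, 4 and 5 end without a full stop while 2, 3 and 6 have one, and item 2's "even active, unused ones" is ambiguous about whether it means services that are running but not used; "even active but unused ones" would read unambiguously.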
Line 8: | Line 16: | ||
+ | Countermeasures | ||
− | + | ##Hardening of operating systems, applications and configurations | |
+ | #Tiering of the solution architecture | ||
+ | #Containment | ||
+ | #Role-based administrative access, restricted administrative privileges | ||
+ | #Regular vulnerability assessments | ||
− | __NOTOC__ | + | |
− | <headertabs/> | + | |
+ | __NOTOC__ <headertabs /> | ||
+ | |||
+ | [[Category:OWASP_Cloud_‐_10_Project]] |
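Review bot: `##Hardening of operating systems, applications and configurations` uses two hashes, which MediaWiki renders as a second-level nested item with no parent item, while the other four countermeasures use a single `#`; change it to `#Hardening of operating systems, applications and configurations` so the list renders as five equal items, as the rendered revision shows it. Separately, `[[Category:OWASP_Cloud_‐_10_Project]]` (and the original edit summary) use a Unicode hyphen between "Cloud" and "10" where the page title "Cloud-10" uses an ASCII hyphen; if the category page was created with the ASCII form, this link files the page under a different, empty category.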
Revision as of 14:22, 17 May 2010
R9:Infrastructure Security
Security Risks
- Default configurations of systems and network devices.
- All services, even active but unused ones, may contain security-related bugs that can potentially be exploited.
- Compromised services may be used as "hop-off" points to other services unless they are contained. For example, a compromised web service may lead to a compromised backend database if the database can be reached directly from the web tier.
- Active network protocols and open ports may be exploited even if they are not used in the solution architecture.
- Administrative access may be abused, either deliberately by the administrators or through compromised administrative accounts. Furthermore, administrative access can cause disruption through accidents.
- All code (application, OS, network) will contain security-related bugs, and configurations may contain mistakes, that can be exploited.
Countermeasures
- Hardening of operating systems, applications and configurations
- Tiering of the solution architecture
- Containment
- Role-based administrative access, restricted administrative privileges
- Regular vulnerability assessments
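Risks 2 to 4 above, and the tiering and containment countermeasures that answer them, can be checked mechanically against a declared solution architecture. The following is an added Python example, not code from the OWASP page: it compares a constructed host inventory and firewall rule set against the ports and tier-to-tier flows the architecture declares, flagging unused open ports and any rule that lets a compromised web tier hop straight to the database; the tier names, ports and rules are all assumed sample values.

```python
from collections import deque

# Constructed sample architecture (not from the OWASP page): ports each tier
# is meant to expose, and the tier-to-tier flows the tiering permits.
ARCHITECTURE = {
    "web": {("tcp", 443)},
    "app": {("tcp", 8080)},
    "db":  {("tcp", 5432)},
}
ALLOWED_FLOWS = {("internet", "web"), ("web", "app"), ("app", "db")}

# Constructed host-inventory result: tier -> ports actually listening.
LISTENING = {
    "web": {("tcp", 443), ("tcp", 22), ("udp", 161)},  # SSH and SNMP left enabled
    "app": {("tcp", 8080)},
    "db":  {("tcp", 5432)},
}

# Constructed firewall rule set: (source tier, destination tier, port).
FIREWALL = [
    ("internet", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("web", "db", 5432),  # bypasses the app tier: the "hop-off" path
]

def unused_open_ports(listening=LISTENING):
    """Risks 2 and 4: ports exposed that the architecture never assigned to the tier."""
    extra = {tier: ports - ARCHITECTURE.get(tier, set()) for tier, ports in listening.items()}
    return {tier: sorted(ports) for tier, ports in extra.items() if ports}

def flows_outside_tiering(rules=FIREWALL):
    """Risk 3: rules letting one tier reach another that the tiering does not permit."""
    return [rule for rule in rules if (rule[0], rule[1]) not in ALLOWED_FLOWS]

def hops(src, dst, rules=FIREWALL):
    """Fewest rule-permitted hops from src to dst (None if unreachable); 1 means no containing tier between them."""
    graph = {}
    for s, d, _ in rules:
        graph.setdefault(s, set()).add(d)
    queue, seen = deque([(src, 0)]), {src}
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None
```

Removing the flagged rule raises the web-to-database distance from one hop to two, which is what tiering buys: a compromised web tier must first take the app tier before it can reach the data.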