This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Cloud-10 Infrastructure Security
From OWASP
R9:Infrastructure Security
Security Risks
- Default configurations of systems and network devices
- All services, even active, unused ones, may contain security related bugs that potentially can be exploited.
- Compromised services may be used as "hop-off" points to other services, unless they are contained. For example, a compromised web service may lead to a compromised backend database, if the database can be reached directly from the web tier.
- Active network protocols, and open ports, may be exploited even if they are not used in the solution architecture
- Administrative access may be abused, either deliberately by the administrators, or through compromised administrative accounts. Furthermore administrative access can cause disruption through accidents
- All code (application, OS, network) will contain security related bugs, and configurations may contain configuration mistakes, that can be exploited.
Countermeasures
- Hardening of operating systems, applications and configurations
- Tiering of the solution architecture
- Containment
- Role-based administrative access, restricted administrative privileges
- Regular vulnerability assessments