Security Misconfiguration Explained (OWASP A05) — 2026
May 9, 2001 · by Pentevo
Security misconfiguration (#5 on the OWASP Top 10) is exactly what it sounds like: systems left in an insecure state — default settings, unnecessary features, sloppy permissions. It's one of the most common findings because it's so easy to overlook.
The core idea
Software is often insecure by default or becomes insecure as it's deployed, customized, and forgotten. Every component — server, framework, database, cloud bucket — has settings that need to be hardened. Miss one, and you've left a door open.
Common misconfigurations
- Default credentials — admin/admin and friends, never changed.
- Unnecessary features enabled — open ports, sample apps, unused services.
- Verbose error messages — stack traces that reveal internals to attackers.
- Missing security headers — no HSTS, CSP, etc.
- Open cloud storage — public S3 buckets/blobs exposing data (a frequent breach cause).
- Directory listing enabled — exposing files that should be hidden.
- Outdated configs — settings that were fine years ago but aren't now.
How to prevent it
- Harden by default — start from a secure baseline; document your standard config.
- Remove what you don't use — fewer features = smaller attack surface.
- Change all defaults — credentials, keys, sample content.
- Automate configuration — infrastructure-as-code makes hardening repeatable and reviewable.
- Suppress verbose errors in production — log details server-side, show users nothing useful to attackers.
- Add security headers and disable directory listing.
- Audit cloud permissions regularly — especially public storage.
Why automation matters
Manual configuration drifts over time — someone toggles a setting "temporarily" and forgets. Automated, version-controlled config (and regular scanning) keeps systems consistently hardened.
How it's found
Misconfigurations are bread-and-butter for both vulnerability scanners and penetration testers — default creds, open services, and exposed storage are quick wins for attackers, so finding them first matters.
Related: Cryptographic Failures, Broken Access Control. Learn secure configuration free at the Pentevo Academy.
Frequently asked questions
What is security misconfiguration?
Security misconfiguration is when a system is left in an insecure state — default credentials, unnecessary features left enabled, overly permissive settings, verbose error messages, or missing hardening. It's #5 (A05) on the OWASP Top 10 and one of the most common findings because it's so easy to overlook as systems are deployed, customized, and forgotten.
What are examples of security misconfiguration?
Common examples include default or unchanged admin passwords, directory listing enabled on a web server, verbose stack-trace errors exposed to users, unsecured cloud storage buckets, unused ports and services left open, missing security headers, and debug mode enabled in production. Each one hands an attacker information or access they shouldn't have.
How do you prevent security misconfiguration?
Harden every component to a documented secure baseline, remove or disable unused features and default accounts, disable verbose errors and debug mode in production, apply security headers, and automate configuration so environments are consistent and repeatable. Regularly scan and test for drift, because systems that were hardened at launch tend to loosen over time.
Why is security misconfiguration so common?
Because software is frequently insecure by default and every component — server, framework, database, cloud service — has its own settings that must be hardened. As systems are deployed, customized, and handed between teams, a single overlooked setting leaves a door open. The sheer number of configuration points makes misconfiguration statistically likely without automated checks.
Related reading
VPN Explained: What It Does (and Doesn't) — 2026
How a VPN actually works, what it protects you from, what it doesn't, and how to choose one — without the marketing hype.
FundamentalsWhat Is Penetration Testing? A Beginner's Guide (2026)
A plain-English guide to penetration testing: what it is, the five phases, the main types, and how it differs from a vulnerability scan.
FundamentalsZero-Day Vulnerabilities Explained (2026)
What a zero-day vulnerability is, why it's so dangerous, how zero-day exploits are used, and what defenders can do about the unknown.
FundamentalsWhat Is a CVE? Understanding Vulnerability IDs (2026)
What CVE means, how the numbering works, how CVSS severity and EPSS scores help you prioritize, and how to track the CVEs that matter.
Practice this hands-on
Pentevo Academy turns these concepts into guided lessons, videos and quizzes — free.
Start learning free