The Cyber Threat Perspective
The Cyber Threat Perspective · Jun 5, 2026 · 28m · Episode #183

Episode 183 | OWASP Top 10 Part 2: Security Misconfigurations That Get You Hacked

Show notes

Security misconfiguration is one of the most frequently found vulnerabilities in web application pen testing — and most of the fixes are just a checkbox. In Part 2 of their OWASP Top 10 series, Brad Causey and Jordan Natter cover OWASP A05: Security Misconfiguration with real stories from recent engagements and practical takeaways for developers, security teams, and organizations of all sizes.

In this episode:

  • Hardcoded Active Directory credentials and API keys discovered in a public GitHub repo during a healthcare pen test
  • Default credentials (admin/1234) found on a clinical research app storing PHI
  • A rogue Apache basic auth panel that survived from dev into production
  • How verbose error handling and stack traces hand attackers a roadmap to your app
  • Why dev-to-production is the most dangerous transition in your app's lifecycle
  • The shift-left mindset and DevSecOps — empowering devs to ship secure code
  • How CIS lockdown guides can dramatically improve your security posture overnight
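The misconfigurations listed above (default credentials, a dev-only basic auth panel surviving into production, stack traces returned to clients) all share one property: they are settings, not code defects, so they can be checked mechanically before a deploy. The example below is added here and is not code from the episode or from SecurIT360; it runs a small check over a constructed config dict (the key names `debug`, `show_stack_traces`, `basic_auth_panel_enabled`, `accounts` and `environment` are assumptions for this example, not settings of any real framework) and shows the error-handler pattern that keeps the stack trace in server-side logs while the client only receives a generic message and a correlation id.

```python
import logging
import traceback
import uuid

# Constructed sample of shipped default credentials. admin/1234 is the pair
# named in the show notes; the other entries are illustrative, not findings.
DEFAULT_CREDENTIALS = {("admin", "1234"), ("admin", "admin"), ("admin", "password")}

# Constructed sample config representing an app that was promoted from dev to
# production without its settings being revisited. Key names are assumptions
# for this example, not the configuration schema of any real framework.
PROD_CONFIG = {
    "environment": "production",
    "debug": True,
    "show_stack_traces": True,
    "basic_auth_panel_enabled": True,
    "accounts": [("admin", "1234"), ("svc_reports", "Kq8!zpL2vN")],
}


def find_misconfigurations(config):
    """Return a list of human-readable findings for the given config dict.

    Each check maps to one of the A05 themes in the show notes. The order of
    the returned list is fixed (debug, stack traces, accounts, dev panel).
    """
    findings = []
    if config.get("debug", False):
        findings.append("debug mode enabled")
    if config.get("show_stack_traces", False):
        findings.append("stack traces returned to clients")
    for user, password in config.get("accounts", []):
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(f"default credential in use: {user}")
    if config.get("environment") == "production" and config.get(
        "basic_auth_panel_enabled", False
    ):
        findings.append("dev-only basic auth panel still enabled in production")
    return findings


def handle_error(exc, debug, log=logging.getLogger("app")):
    """Build the error payload a client would receive for an unhandled exception.

    The full traceback is always written to the server-side log together with a
    correlation id. With debug=True the traceback is also returned to the client
    (the misconfiguration); with debug=False the client only gets a generic
    message and the id, which an operator can use to find the logged trace.
    """
    correlation_id = uuid.uuid4().hex
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("request failed id=%s\n%s", correlation_id, trace)
    if debug:
        return {"error": str(exc), "trace": trace}
    return {"error": "Internal server error", "id": correlation_id}


if __name__ == "__main__":
    for finding in find_misconfigurations(PROD_CONFIG):
        print("FINDING:", finding)
    try:
        {}["missing"]  # constructed failure to demonstrate the handler
    except KeyError as err:
        print("debug off:", handle_error(err, debug=False))
        print("debug on :", handle_error(err, debug=True))
```

Running the check against the constructed config yields four findings; the same check against a config with `debug` and `show_stack_traces` off, no default accounts and the dev panel disabled yields none. The handler's correlation id is the piece that lets operators keep verbose diagnostics without exposing them: the log line carries the trace, the response carries only the id.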

Resources mentioned:

Need a web application pen test? Reach out: Offensive Security - SecurIT360

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov

Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com

Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.