Misconfiguration of a software application is a major threat to security. Software applications that are more complex have a greater chance of being misconfigured. The application must be configured to be secure prior to deployment. This includes checking all settings before going into production, as many default values are not secure.

Everything that is unnecessary in a production environment should be disabled, removed, or simply not installed. Examples include accounts, privileges, ports, services, and accounts. Any default account passwords should be changed or the accounts should be disabled.

Some software applications use a number of tools and frameworks and they may not all be fully understood. It is critical ...