What is a security misconfiguration?
Answer
Security misconfiguration (OWASP Top 10 #5) occurs when security settings are defined, implemented, or maintained incorrectly, leaving the application or its infrastructure exposed through no flaw in the application code itself.

Common examples:
- Default credentials left unchanged (e.g. admin/admin)
- Unnecessary features enabled: debug mode, directory listing, unused ports and services
- Overly permissive CORS policies
- Verbose error messages that expose stack traces
- Unpatched software
- Missing security headers
- Cloud storage buckets that are publicly accessible (S3 bucket misconfigurations have caused major data breaches)
- MongoDB or Elasticsearch instances exposed without authentication

Prevention:
(1) Minimal install: disable or remove all unused features.
(2) Consistent hardening procedures (e.g. CIS benchmarks) applied to every environment.
(3) Automated configuration scanning.
(4) Change all default passwords.
(5) Security-as-code: keep infrastructure configuration in version control with reviews.
(6) Regular audits.