Backups are critical to protect against data loss or corruption. Settings that undermine backups include but are not limited to:
- Disabling data backup
- Failure to back up data regularly
- Failure to check the integrity of backups regularly
- Insufficient backup retention period

Backups are critical to protect against data loss or corruption. Settings that undermine backups include but are not limited to:
- Disabling data backup
- Failure to back up data regularly
- Failure to check the integrity of backups regularly
- Insufficient backup retention period

Backups are critical to protect against data loss or corruption. Settings that undermine backups include but are not limited to:
- Disabling data backup
- Failure to back up data regularly
- Failure to check the integrity of backups regularly
- Insufficient backup retention period

Programmers can use input filters to protect applications from client-side threats such as Cross-Site Scripting. However, if the application fails to ensure strict enforcement of an appropriate character set for all the web pages, an attacker can generate payloads using a character set that differs from the one that the input filters use. Similarly, a vulnerability that enables user supplied input to modify the character set of a web page can result in a similar outcome. By changing the character set, an attacker can send malicious payloads, which are ignored by the application's input filter as the characters are deemed safe.
For instance, a UTF-7 encoded cross-site scripting payload +ADw-script+AD4-alert(document.location)+ADw-/script+AD4 bypasses UTF-8 based input filters.

Denial of service conditions can occur when:
1. A server incorrectly sets a limit on the number of threads per processor utilized for application execution
2. The server sets a limit on the number of requests processed at a time

Amazon S3 buckets do not save access logs by default. The logs, however, contain value data used to identify security incidents, monitor policy violations, and assist with non-repudiation controls.

By default, a container cannot execute most system and network administration operations. The privileged mode removes such restrictions. This dramatically expands the attack surface of malicious jobs.

By default, Azure Kubernetes Service (AKS) clusters do not send log events to Azure Monitor. This can allow malicious behavior to go undetected and prevent forensic analysis in the event of a breach.

Example 1: The following example template shows an AKS cluster that does not send log events to Azure Monitor.

resource example 'Microsoft.ContainerService/managedClusters@2018-03-31' = {
    ...
    properties: {
        ...
        addonProfiles: {}
    }
}

Database backups are critical to protect against data loss or corruption. Automated backups of a Cloud SQL database instance should be explicitly configured and enabled.

Example 1: The following example shows a Terraform configuration that disables database instance backup configurations by setting enabled to false.

resource "google_sql_database_instance" "database_instance_demo" {
  ...
  settings {
    backup_configuration {
      enabled = false
      ...
    }
  }
}

Cloud services typically use techniques like caching, replication, and load balancing to facilitate service scalability, deliver content faster, and mitigate the impacts of volumetric attacks. Disabled or misconfigured availability features degrade service performance, but immediate effects are often not apparent until extreme events such as traffic spikes and hardware failures occur.

Cloud services typically use techniques like caching, replication, and load balancing to facilitate service scalability, deliver content faster, and mitigate the impacts of volumetric attacks. Disabled or misconfigured availability features degrade service performance, but immediate effects are often not apparent until extreme events such as traffic spikes and hardware failures occur.

Cloud services typically use techniques like caching, replication, and load balancing to facilitate service scalability, deliver content faster, and mitigate the impacts of volumetric attacks. Disabled or misconfigured availability features degrade service performance, but immediate effects are often not apparent until extreme events such as traffic spikes and hardware failures occur.

A lack of audit records limits the ability to detect and respond to security related incidents and prevents forensic investigation.

Example 1: The following example template shows an Azure SQL server configuration without auditing enabled.

@secure()
param sqlLogin string

@secure()
param sqlLoginPass string

param location string = resourceGroup().location

resource sqlServer 'Microsoft.Sql/servers@2021-11-01-preview' = {
    name: 'server name'
    location: location
    tags: {
        displayName: 'server name'
    }
    properties: {
        administratorLogin: sqlLogin
        administratorLoginPassword: sqlLoginPass
        version: '12.0'
        publicNetworkAccess: 'Disabled'
    }
}

Credential theft can result from:
1. A weak encoding scheme used by the HTTP Basic authentication to encode user credentials. Base64 encoded text can be easily decoded to access the original information.
2. Using HTTP Basic authentication over an insecure channel. Attackers can intercept the traffic and access user credentials.

Unmonitored systems provide attackers with a way to probe and potentially penetrate defenses without detection.

If security personnel are not alerted in a timely fashion to security-related events, they cannot respond to incidents in time to reduce the impact of an attack or breach.

Example 1: The following example template successfully defines a security contact but explicitly disables the delivery of security alert email notifications to that contact.

targetScope = 'subscription'

param emailAddress string
param phoneNumber string

resource example 'Microsoft.Security/securityContacts@2020-01-01-preview' = {
    ...
    properties: {
        ...
        emails: emailAddress
        phone: phoneNumber
        alertNotifications: {
            state: 'Off'
            minimalSeverity: 'High'
        }
    }
}

If you serve an expired certificate with a valid unexpired certificate, visitors might start to expect the invalid certificate error message presented by the user agent. An attacker can take advantage of this complacency and trick user into accepting an invalid certificate of their own, and set the victim up for a man-in-the-middle attack.

One of the basic steps in securing applications and infrastructure is to restrict the amount of knowledge an attacker can gather during the reconnaissance phase. The HTTP OPTIONS method is one way for attackers to discover the configuration of the target web server. A web site administrator can hinder the attacker attempts of mapping the application attack surface by disabling the OPTIONS method. This prevents the attacker from easily obtaining a list of the HTTP methods supported by the web server configuration.

File disclosure vulnerabilities can occur when:
1. An attacker can gain unauthorized access to source code by forcefully requesting files with extensions that are not mapped to the appropriate interpreter. This configuration error causes the server to directly serve the contents of the file instead of interpreting and serving the result of the interpretation.
2. An attacker can gain unrestricted access to sensitive system files if server misconfiguration leads to incorrect mappings between HTTP request URI patterns and system paths.

Example 1:
Using the mod_userdir module, Apache can map requests for user directories to their home directories. For example, requests for http://example.com/~username/ can be mapped to the contents in the home directory of the user "username".
However, if the administrator misconfigures the mapping of all requests to the "./", then attackers can gain access to sensitive system resources.

Apache Axis 2 provides developers with a utility to monitor incoming and outgoing SOAP messages through a Java applet. The SOAP Monitor will show all SOAP messages used to invoke a Web Service. Attackers may use the utility to eavesdrop on traffic between a Web Service and its clients.

By default, Azure Kubernetes Service (AKS) clusters created by Ansible do not send log events to Azure Monitor. This can allow malicious behavior to go undetected and prevent forensic analysis in the event of a breach.

Example 1: The following example Ansible task shows an AKS cluster that does not send log events to Azure Monitor.

- name: AKS Instance
  azure_rm_aks:
    name:
    resource_group: testResourceGroup
    location: eastus
    ...
    addon:
      monitoring:
        log_analytics_workspace_resource_id: logws001
        enabled: no