https://www.secdev.uk/blog/tags/cwe-16/ Recent content in CWE-16 on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 29 Mar 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-03-29-security-misconfiguration/ Sat, 29 Mar 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-03-29-security-misconfiguration/ <p>Security misconfiguration is the vulnerability class that really drove home for me why secure defaults matter more than secure documentation. OWASP A05 covers the gap between what a framework <em>can</em> do securely and how developers actually configure it. Debug mode left on in production. CORS wide open. XML parsers that resolve external entities. Settings endpoints with no authentication. These aren&rsquo;t coding mistakes, they&rsquo;re configuration mistakes, and they show up everywhere. In this post I&rsquo;ll walk through Python, Java, Go, and JavaScript examples covering CWE-16 (Improper Configuration) and CWE-611 (XML External Entity Processing), from the flags that any reviewer would catch to the subtle combinations that can survive months in production.</p>