Secure by default - the case of TLS
This paper addresses a security problem relevant to developers, package maintainers, and system administrators, but its contribution is incremental: it highlights an existing issue rather than introducing new solutions.
The study tested the default TLS configuration of multiple web and application servers and found that it often neglects security objectives, recommending broader adoption of "secure by default" principles and caution from system administrators who rely on shipped defaults.
The default configuration of many software applications neglects security objectives. We tested the default TLS configuration of a dozen web and application servers. The results show that the "secure by default" principle should be adopted more broadly by developers and package maintainers. In addition, system administrators cannot rely blindly on default security options.
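The kind of check the abstract describes, assessing what a server's TLS configuration actually offers against what an administrator would want, is shown below as an added example; it is not the paper's tooling and uses no data from the study. The two configurations are constructed for illustration (a permissive out-of-the-box profile and an explicitly hardened one), and the rule set (no SSLv3/TLS 1.0/1.1, no RC4/DES/export/NULL/MD5/anonymous suites, forward secrecy, at least 2048-bit RSA and DH) is a common baseline used here as an assumption, not a threshold the paper defines.

```python
"""Offline assessment of a TLS server configuration (added example, not the
paper's tooling). The input dicts are constructed for illustration; in
practice they would be filled from a scanner's output."""
import re

# Protocol versions that should not be enabled on a new deployment (assumption).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# OpenSSL-style suite name fragments that indicate a broken or weak primitive.
WEAK_CIPHER_PATTERNS = [
    (re.compile(r"NULL"), "no encryption"),
    (re.compile(r"^EXP-|EXPORT"), "export-grade key length"),
    (re.compile(r"RC4"), "RC4 stream cipher"),
    (re.compile(r"DES"), "DES/3DES block cipher"),
    (re.compile(r"MD5"), "MD5 MAC"),
    (re.compile(r"^(ADH|AECDH)-"), "anonymous key exchange"),
]

# Suites that provide forward secrecy: (EC)DHE key exchange, or any TLS 1.3 suite.
FS_SUITE = re.compile(r"^(ECDHE|DHE)-|^TLS_")


def assess_tls_config(cfg):
    """Return a list of (severity, message) findings; an empty list means nothing flagged."""
    findings = []
    offered = set(cfg["protocols"])
    for proto in sorted(offered & LEGACY_PROTOCOLS):
        findings.append(("high", f"legacy protocol enabled: {proto}"))
    if not offered & {"TLSv1.2", "TLSv1.3"}:
        findings.append(("high", "no modern protocol (TLSv1.2/TLSv1.3) offered"))
    for suite in cfg["ciphers"]:
        for pattern, why in WEAK_CIPHER_PATTERNS:
            if pattern.search(suite):
                findings.append(("high", f"weak cipher suite {suite}: {why}"))
        if not FS_SUITE.match(suite):
            findings.append(("medium", f"cipher suite {suite} lacks forward secrecy"))
    if cfg.get("rsa_key_bits", 2048) < 2048:
        findings.append(("high", f"certificate RSA key is {cfg['rsa_key_bits']} bits (< 2048)"))
    if cfg.get("dh_param_bits") is not None and cfg["dh_param_bits"] < 2048:
        findings.append(("high", f"DH parameters are {cfg['dh_param_bits']} bits (< 2048)"))
    if not cfg.get("server_cipher_order", False):
        findings.append(("low", "server does not enforce its own cipher preference order"))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count} for a quick comparison of profiles."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed example of a permissive "as shipped" configuration (not from the paper).
VENDOR_DEFAULT = {
    "protocols": ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"],
    "ciphers": ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA", "EXP-RC4-MD5",
                "ECDHE-RSA-AES128-GCM-SHA256"],
    "rsa_key_bits": 1024,
    "dh_param_bits": 1024,
    "server_cipher_order": False,
}

# Constructed hardened configuration an administrator would set explicitly.
HARDENED = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                "ECDHE-RSA-CHACHA20-POLY1305"],
    "rsa_key_bits": 2048,
    "dh_param_bits": 2048,
    "server_cipher_order": True,
}

if __name__ == "__main__":
    for name, cfg in (("vendor default", VENDOR_DEFAULT), ("hardened", HARDENED)):
        found = assess_tls_config(cfg)
        print(f"{name}: {count_by_severity(found)}")
        for severity, message in found:
            print(f"  [{severity}] {message}")
```

The point of running both profiles side by side is the one the abstract makes: the as-shipped profile is not wrong in any single obvious way (it does offer TLS 1.2 and one ECDHE suite), yet it accumulates a long list of findings that an administrator trusting the defaults would never see.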