Attack surface
Encyclopedia
The attack surface of a software environment is the code within a computer system that can be run by unauthenticated
users. This includes, but is not limited to: user input fields, protocols, interface
s, and services.
OSSTMM 3 Defines Attack Surface as "The lack of specific separations and functional controls that exist for that vector".
One approach to improving information security
is to reduce the attack surface of a system or software. By turning off unnecessary functionality, there are fewer security risks. All code has a nonzero probability of containing vulnerabilities. By having less code available to unauthenticated users, there will tend to be fewer failures. Although attack surface reduction helps prevent security failures, it does not mitigate the amount of damage an attacker could inflict once a vulnerability is found.
and Jeanette Wing of Carnegie Mellon University
recommend measuring the attack surface of a product during development. By measuring and managing the size of the attack surface, a software product can be made more secure.
levels as much as possible, and eliminate services requested by relatively few users.
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...
users. This includes, but is not limited to: user input fields, protocols, interface
Interface (computer science)
In the field of computer science, an interface is a tool and concept that refers to a point of interaction between components, and is applicable at the level of both hardware and software...
s, and services.
OSSTMM 3 Defines Attack Surface as "The lack of specific separations and functional controls that exist for that vector".
One approach to improving information security
Information security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
is to reduce the attack surface of a system or software. By turning off unnecessary functionality, there are fewer security risks. All code has a nonzero probability of containing vulnerabilities. By having less code available to unauthenticated users, there will tend to be fewer failures. Although attack surface reduction helps prevent security failures, it does not mitigate the amount of damage an attacker could inflict once a vulnerability is found.
Measurement
Jon Pincus of MicrosoftMicrosoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
and Jeanette Wing of Carnegie Mellon University
Carnegie Mellon University
Carnegie Mellon University is a private research university in Pittsburgh, Pennsylvania, United States....
recommend measuring the attack surface of a product during development. By measuring and managing the size of the attack surface, a software product can be made more secure.
Reduction
The basic strategies of attack surface reduction are to reduce the amount of code running, reduce entry points available to untrusted users, reduce privilegePrivilege (Computing)
In computing, privilege is defined as the delegation of authority over a computer system. A privilege is a permission to perform an action. Examples of various privileges include the ability to create a file in a directory, or to read or delete a file, access a device, or have read or write...
levels as much as possible, and eliminate services requested by relatively few users.
External links
- Attack Surface Measurement at Carnegie Mellon CyLab