Attack surface is a concept whose time has come. While it has been known for a while within application security circles, the idea is just now becoming more widely understood within the development community. It is extremely useful as a means of understanding, and driving down, the security risk inherent in your application.
Your system’s attack surface represents the number of entry points exposed to a potential attacker. The fewer entry points, the less chance of an attacker finding vulnerabilities in your code. No matter how hard you work to improve the security of your software, it is a fact that vulnerabilities, known and unknown, will still exist in your system. Reducing your application’s attack surface allows you to fend off future attacks - the one’s you don’t know about yet as well as the one’s you haven’t had a chance to fix yet.
The reason that I like attack surface measurement is two-fold. First, it is a great metric for understanding an application’s inherent risk. Other metrics such as vulnerability count aren’t ideal because it doesn’t always take into account bugs that are not found, ease of exploitation and potential impact of exploitation. Secondly, all security stakeholders can leverage it for informed decision making:
- Development teams can better prioritize testing efforts. If a software’s attack surface measurement is high, they may want to invest more in testing
- Developers can use it as a guide while implementing patches of security vulnerabilities. A good patch should not only remove a vulnerability from a system, but should not increase the system's attack surface
- Consumers can use it to guide their choice of configuration. Since a system's attack surface measurement is dependent on the system's configuration, software consumers would choose a configuration that results in a smaller attack surface exposure.
- Risk Management/Corporate Security can understand their potential business exposure
Attack surface is useful for measuring security in relative terms (i.e. v1.2 to v1.n of a product), for measuring security impact of adding a new component to a system, or for very rough measurement across applications that are of equivalent purpose.
If you are interested in learning more about attach surface analysis and reduction, we have a recorded webcast on the subject that is available here.