
Reducing Your Application's Attack Surface

by Jason Taylor on February 23, 2011

Attack surface is a concept whose time has come. While it has been known for a while within application security circles, the idea is just now becoming more widely understood within the development community. It is extremely useful as a means of understanding, and driving down, the security risk inherent in your application.

Your system’s attack surface represents the number of entry points exposed to a potential attacker. The fewer entry points, the less chance of an attacker finding vulnerabilities in your code. No matter how hard you work to improve the security of your software, it is a fact that vulnerabilities, known and unknown, will still exist in your system. Reducing your application’s attack surface allows you to fend off future attacks: the ones you don’t know about yet as well as the ones you haven’t had a chance to fix yet.

The reason that I like attack surface measurement is two-fold. First, it is a great metric for understanding an application’s inherent risk. Other metrics such as vulnerability count aren’t ideal because they don’t always take into account bugs that are not found, ease of exploitation and potential impact of exploitation. Secondly, all security stakeholders can leverage it for informed decision making:

  • Development teams can better prioritize testing efforts. If the software’s attack surface measurement is high, they may want to invest more in testing.
  • Developers can use it as a guide while implementing patches for security vulnerabilities. A good patch should not only remove a vulnerability from a system, but should also not increase the system's attack surface.
  • Consumers can use it to guide their choice of configuration. Since a system's attack surface measurement is dependent on the system's configuration, software consumers can choose a configuration that results in a smaller attack surface exposure.
  • Risk Management/Corporate Security can understand their potential business exposure.

Attack surface is useful for measuring security in relative terms (i.e. v1.2 to v1.n of a product), for measuring security impact of adding a new component to a system, or for very rough measurement across applications that are of equivalent purpose. 
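The relative measurement described above, and the patch and configuration uses from the list, can be sketched as a count of exposed entry points per version and configuration. This is an added example, not code from the original post; the entry point names, config flags and version inventories are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class EntryPoint:
    name: str                   # constructed label, e.g. "POST /login"
    flag: Optional[str] = None  # config flag that enables it; None = always exposed

def exposed(inventory, config):
    """Names of the entry points reachable under this configuration."""
    return {ep.name for ep in inventory
            if ep.flag is None or config.get(ep.flag, False)}

def measure(inventory, config):
    """Attack surface measurement: the number of exposed entry points."""
    return len(exposed(inventory, config))

def compare(old, new, config):
    """Relative measurement between two versions under one configuration."""
    before, after = exposed(old, config), exposed(new, config)
    return {"added": sorted(after - before),
            "removed": sorted(before - after),
            "delta": len(after) - len(before)}

def patch_is_acceptable(old, new, config):
    """A patch should not increase the system's attack surface."""
    return compare(old, new, config)["delta"] <= 0

# Constructed inventories for two releases of a hypothetical product.
V1_2 = [EntryPoint("POST /login"),
        EntryPoint("GET /reports"),
        EntryPoint("tcp/8443 admin API", flag="admin_api"),
        EntryPoint("POST /upload", flag="uploads")]
# The patch release fixes a bug but also ships an always-on status endpoint.
V1_3 = V1_2 + [EntryPoint("GET /debug/status")]

# Two configurations a consumer might choose between (constructed).
DEFAULT = {"admin_api": True, "uploads": True}
HARDENED = {"admin_api": False, "uploads": False}

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT), ("hardened", HARDENED)):
        print(f"v1.2 {label}: {measure(V1_2, cfg)} entry points")
    print("v1.2 -> v1.3:", compare(V1_2, V1_3, DEFAULT))
    print("patch acceptable:", patch_is_acceptable(V1_2, V1_3, DEFAULT))
```

The count only supports comparison between versions or configurations of the same system; it says nothing about how exploitable any single entry point is.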

If you are interested in learning more about attack surface analysis and reduction, we have a recorded webcast on the subject that is available here.

Topics: security engineering, application risk & compliance
