• Log In
  • Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

Security Architecture

MIS 5214 - Section 001 - David Lanter

Security Architecture

MIS 5214.001 ■ Spring 2023 ■ David Lanter
  • Homepage
  • Instructor
  • Syllabus
  • Schedule
    • First Half of the Semester
      • Unit 01 – Threat Environment
      • Unit 02 – System Security Plan
      • Unit 03 – Planning and Policy
      • Unit 04 – Cryptography
      • Unit 05 – Secure Networks
      • Unit 06 – Firewalls
      • Unit 07 – Mid-Term Exam
    • Second Half of the Semester
      • Unit 08 – Access Control
      • Unit 9 Host Hardening
      • Unit 10 Application Security
      • Unit 11 Data Protection
      • Unit 12 – Incident and Disaster Response
  • Deliverables
    • Assignments
    • Case Studies
      • Case Study 1 – A High Performance Computing Cluster Under Attack: The Titan Incident
      • Case Study 2 – Data Breach at Equifax
    • Participation
    • Team Project
  • Harvard Coursepack
  • Zoom Meeting

OWASP Attack Surface Cheat Sheet

March 22, 2023 by David Lanter 22 Comments

Updated reading is available here: OWASP Attack Surface Cheat Sheet

 

Filed Under: 10 - Application Security Tagged With:

Reader Interactions

Comments

  1. Jill Brummer says

    March 23, 2023 at 8:34 pm

    A key point from the article is the description of the attack surface, which is the following: the sum of all paths for data/commands into and out of the application, the code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding), all valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and PII, and, the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).

    Log in to Reply
  2. Chinenye Marylyn Akinola says

    March 24, 2023 at 8:36 am

    The goal of attack surface analysis is to identify the system components that need to be examined and tested for security flaws. The key is to recognize the risk areas in an application and work to reduce them. The attack surface must first be located, mapped, and examined from the viewpoint of an attacker. Examine the source code to find several entrance and exit places. The attack surface must next be measured and evaluated, with a focus on remote access points. The attack surface can be used to identify and manage risks moving forward as changes are made to the application once a baseline understanding of it has been established.

    Log in to Reply
    • Pranavi Yadalam Sekhar says

      March 25, 2023 at 7:44 pm

      Hi Marylyn,

      I agree with you! Analysis of an application’s attack surface is essential for spotting potential security flaws. Finding the attack surface—the total number of locations that an attacker may be able to exploit—helps. In order to identify potential risk areas and develop a mitigation strategy to lower these risks, the mapping and evaluation of this attack surface are crucial.

      In addition, source code analysis is a crucial part of attack surface analysis since it enables us to identify the entrance and exit points that an attacker could use to access the application. This analysis can shed light on any potential security flaws in the code, enabling us to increase the application’s security by making the appropriate changes.

      Log in to Reply
  3. Aayush Mittal says

    March 24, 2023 at 2:49 pm

    Attack Surface Analysis is about mapping out
    -> what parts of a system need to be reviewed and tested for security vulnerabilities
    -> high risk areas of code that require defense-in-depth protection
    -> to make developers and security specialists aware of what parts of the application are open to attack and to find ways of minimizing it

    Log in to Reply
    • Mengqi Xiong says

      March 27, 2023 at 9:22 pm

      Hi Aayush,

      I think the attack surface analysis is the process of identifying potential vulnerabilities in an application that could be exploited by an attacker. The security team considers the results of the analysis to report to developers and security personnel on parts of the application that are vulnerable to attack and to help them find ways to minimize them. Minimizing the attack surface would be an effective security practice that improves the security of the application.

      Log in to Reply
  4. Sunam Rijal says

    March 24, 2023 at 10:50 pm

    Attack Surface Analysis (ASA) is used to identify and manage the security risks associated with an application by identifying the system components that need to be tested for security flaws. The attack surface is the sum of all command and data entry and exit points, the code securing those points, all sensitive data used by the application, and all of these points taken together. It is suggested to classify the model into different types based on function, design, and technology to make it more manageable.

    Log in to Reply
    • Asha Kunchakarra says

      March 28, 2023 at 10:36 am

      Hi Sunam,

      I like the way that you defined the ASA. An important point you made was that it is the sum of all command and data entry and exit points, the code securing those points and the sensitive data. All of these components are extremely important to identify and the analysis would not be complete if one of them was left out.

      Log in to Reply
  5. Frank Kofi Kpotivi says

    March 25, 2023 at 11:09 am

    Security architects and pen testers are typically the ones who perform attack surface analysis. Yet, when they plan, create, and modify a system, developers should be aware of the Attack Surface.

    Using attack surface analysis, you can:

    Determine which system components and functions need to be examined and tested for security flaws.
    Identify vulnerable locations in the code that need protection.
    -depth defense – which components of the system you need to safeguard
    Determine when your attack surface has changed and you need to conduct some type of threat assessment.

    Log in to Reply
  6. Mengqi Xiong says

    March 25, 2023 at 4:42 pm

    The OWASP Attack Surface Cheat Sheet is a reference on how to help IT developers and security professionals identify and mitigate potential attack vectors in their web applications. Attack surface analysis involves identifying all components of an application and assessing their potential security risks, which is critical to identifying potential attack vectors in web applications. Regarding Measuring and Assessing the Attack Surface, security teams should focus on remote entry points to external systems and the Internet (such as those that allow anonymous public access) to try to identify and mitigate high-risk areas of the system’s attack surface. This helps reduce the likelihood of a successful attack and protects the confidentiality, integrity, and availability of sensitive data and critical systems. In addition, managing the attack surface of an application to prevent vulnerabilities is an important component of the software development lifecycle. This Sheet also states the security controls to deal with attackers who might exploit to gain unauthorized access to the system or data such as identifying incremental risks, simplifying data models, and Web Application Firewall (WAF).

    Log in to Reply
    • Nishant Shah says

      March 25, 2023 at 7:35 pm

      This was a great article to read! The fundamental aspects that the security assessors as well the developers must understand will help a long way with developing secure applications. The article discusses three points that should be a good reference:

      1. Identify what functions and what parts of the system you need to review/test for security vulnerabilities
      2. Identify high risk areas of code that require defense-in-depth protection – what parts of the system that you need to defend
      3. Identify when you have changed the attack surface and need to do some kind of threat assessment

      Log in to Reply
  7. Nishant Shah says

    March 25, 2023 at 7:26 pm

    My takeaway from the article is that the point of Attack Surface Analysis is to understand the risk areas in an application, to make developers and security specialists aware of what parts of the application are open to attack, to find ways of minimizing this, and to notice when and how the Attack Surface changes and what this means from a risk perspective.

    The Attack Surface describes all of the different points where an attacker could get into a system, and where they could get data out. Attack Surface Analysis is usually done by security architects and pen testers. But developers should understand and monitor the Attack Surface as they design and build and change a system.

    Log in to Reply
  8. Pranavi Yadalam Sekhar says

    March 25, 2023 at 7:26 pm

    Measuring and Assessing the Attack Surface:
    Code that interacts with the network, particularly the internet, is considered network-facing. This includes web forms, files transferred from external sources, and custom APIs. Additionally, backward-compatible interfaces with other systems can be challenging to maintain and test, as they often require working with outdated protocols, code, and libraries.
    Security code is also critical for network-facing systems, as it deals with cryptography, authentication, authorization, and session management. These elements are responsible for protecting sensitive data and ensuring that only authorized users have access to system resources. Designing and implementing secure code requires a high level of expertise, as mistakes can lead to significant vulnerabilities and data breaches.

    Log in to Reply
  9. David Vanaman says

    March 26, 2023 at 9:45 am

    OWASP identifies six area to focus on to assess the risk of the attack surface:

    – Network-facing, especially internet-facing, code
    – Web forms
    – Files from outside of the network
    – Backward compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test multiple versions
    – Custom APIs – protocols etc – likely to have mistakes in design and implementation
    – Security code: anything to do with cryptography, authentication, authorization (access control) and session management

    This first three seem quite obvious, anything from outside or touching the outside is a risk.

    The next two are also something most developers and security professionals would consider, they are the areas where there is old code – which can link to out of date or vulnerable functions libraries, or interfaces – and custom interface code – which is the hardest to test and debug.

    The last, security code, is probably something that most people wouldn’t think to assess for the attack surface. Security code is designed specifically to protect against attacks! However, any tool if not used properly and reinforced with defense in depth, can be a weakness or turned against you. So it is very important to consider how security is configured and how it could be bypassed, misused, or corrupted.

    Log in to Reply
  10. Shepherd Shenjere says

    March 26, 2023 at 2:05 pm

    It is crucial to define and understand what exactly is Attack Surface for an application.

    The Attack Surface of an application is:

    -the sum of all paths for data/commands into and out of the application, and
    -the code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding)
    -all valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and PII, and
    -the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).

    Log in to Reply
  11. Shadrack Owusu says

    March 26, 2023 at 5:35 pm

    I was interested in the innovation involving collaboration between Michael Howard at Microsoft and other researchers in developing the Relative Attack Surface Quotient (RASQ). RASQ is defined as the measure of the improvement of security between software versions. This is very significant because it helps in calculating the overall attack surface score for the system.

    Mathematically, RASQ is represented as
    ΣvεAV ωv |V|
    Σ =simplistic count
    v = attack vector
    ωv = weight for the attack vector
    AV= set of attack vectors

    The 20 RASQ Attack Vectors for Windows are
    Services running by default
    Open sockets
    Open named pipes
    Services
    Services running as SYSTEM
    Active Web handlers
    Dynamic Web pages
    Executable vdirs
    Jscript enabled
    Enabled accounts
    Active ISAPI Filters
    Null Sessions to pipes and shares
    Guest account enabled
    Weak ACLs in FS
    Enabled accounts in admin group
    Open RPC endpoints
    Weak ACLs in Registry
    VBScript enabled
    ActiveX enabled
    Weak ACLs on shares

    Log in to Reply
  12. Nicholas Foster says

    March 26, 2023 at 7:33 pm

    This article goes over the importance of understanding what your applications attack surface is. The article is broken up into 3 different sections. These sections highlight mapping the attack surface, identify the high-risk areas, and then managing those risks based on priority. These fundamentals for understanding attack surfaces can be applied to much more than just applications as well. Nearly everything has an attack surface, understanding how to best harden your IoT devices, applications, and networks starts with these fundamentals.

    Log in to Reply
  13. Wei Zhang says

    March 26, 2023 at 11:09 pm

    This cheat sheet helps us understand and manage application security risks from a developer’s perspective and uses it to perform risk assessments. In order to understand how to use the attack surface analysis, we can identify the parts of the system, which we need to evaluate the vulnerabilities. Attack Surface Analysis can help us:
    1. identify what functions and what parts of the system you need to review/test for security vulnerabilities
    2. identify high-risk areas of code that require defense-in-depth protection – what parts of the system that you need to defend
    3. identify when you have changed the attack surface and need to do some kind of threat assessment

    Log in to Reply
  14. Parmita Patel says

    March 26, 2023 at 11:13 pm

    This cheat sheet helps identify and analyze attack surface of a system or application. It is important to see why the attack happened then the article provides guideline to examine the issue which includes identifying assets and functions of the system. This sheet also includes the list of tools that can be used attack analysis and tips how to reduce attacks. It also includes the best practices to better place them while going through the software development lifecycle.

    Log in to Reply
  15. Abayomi Aiyedebinu says

    March 26, 2023 at 11:34 pm

    A key point from the article is that attack surface is usually don’t by security architects and Pen testers, but developers should also understand and monitor the attack surface as they design, build and change system. Attack surface analysis is important because it helps security architects and pen testers to Attack Surface Analysis helps you to identify what functions and what parts of the system needs to be reviewed or tested for security vulnerabilities, identify high risk areas of code that require defense-in-depth protection, and when threat assessment needs to be done.

    Log in to Reply
  16. Asha Kunchakarra says

    March 28, 2023 at 10:34 am

    Attack surface analysis help you to identify what functions and what parts of the system you need to review/test for security vulnerabilities. Additionally you are able to identify high risk areas of code that require defense-in-depth protection- what parts of the system that you need to defend. Lastly, they help you identify when you have changed the attack surface, and need to do some kind of threat assessment.

    Log in to Reply
  17. Samuel Omotosho says

    March 28, 2023 at 5:15 pm

    The goal of attack surface analysis is to determine which parts of a system must be reviewed and tested for security vulnerabilities. The main goal is to identify risk areas in an application and find ways to mitigate them. The first step is to identify and map the attack surface, then review it from the perspective of an attacker. Examine the source code for different points of entry/exit. The next step is to assess and measure the attack surface, with a focus on remote entry points. Once a baseline understanding of the attack surface has been established, it can be used to identify and manage risks as the application is modified.

    Log in to Reply
  18. Kelly Conger says

    April 30, 2023 at 7:26 pm

    The OWASP Attack Surface Analysis Cheat Sheet offers guidelines for identifying and analyzing an application’s attack surface, which includes all potential points of exploitation. By understanding the attack surface, developers can prioritize security measures and minimize risks. Key steps involve decomposing the application, identifying entry and exit points, analyzing data flows, and reviewing technologies used. This analysis helps in identifying vulnerabilities and strengthening security controls, ultimately reducing the likelihood of successful attacks.

    Log in to Reply

Leave a Reply Cancel reply

You must be logged in to post a comment.

Primary Sidebar

Weekly Discussions

  • 01 – Introduction (1)
  • 01 – Threat Environment (3)
  • 02 – System Security Plan (6)
  • 03 – Planning and Policy (7)
  • 04 – Cryptography (4)
  • 05 – Secure Networks (7)
  • 06 – Firewalls (5)
  • 08 – Access Control (7)
  • 09 – Host Hardening (5)
  • 10 – Application Security (6)
  • 11 – Data Protection (4)
  • 12 – Incident and Disaster Response (5)
Fox School of Business

Copyright © 2023 · Course News Pro on Genesis Framework · WordPress · Log in