Attack surface

From Wikipedia, the free encyclopedia

The attack surface of a software environment is the code within a computer system that can be run by unauthenticated users. This includes, but is not limited to: user input fields, protocols, interfaces, and services.

One approach to improving information security is to reduce the attack surface of a system or software. By turning off unnecessary functionality, there are fewer security risks. All code has a nonzero probability of containing vulnerabilities. By having less code available to unauthenticated users, there will tend to be fewer failures. Although attack surface reduction helps prevent security failures, it does not mitigate the amount of damage a hacker could inflict once a vulnerability is found.

Contents 1 Measurement 2 Reduction 3 See also 4 References 5 External links

[edit] Measurement

Jon Pincus of Microsoft and Jeanette Wing of Carnegie Mellon University recommend measuring the attack surface of a product during development. By measuring and managing the size of the attack surface, a software product can be made more secure.

[edit] Reduction

The basic strategies of attack surface reduction are to reduce the amount of code running, reduce entry points available to untrusted users, reduce privilege levels as much as possible, and eliminate services requested by relatively few users.

[edit] See also

• Vulnerability (computing)
• Computer security

[edit] References

• "Security Tips: Minimizing the Code You Expose to Untrusted Users". msdn.microsoft.com. http://msdn.microsoft.com/en-us/magazine/cc163882.aspx. Retrieved 2009-09-03. 
• "Attack Surface Measurement and Attack Surface Reduction". www.cs.cmu.edu. http://www.cs.cmu.edu/~pratyus/as.html#introduction. Retrieved 2009-09-03. 

[edit] External links

• Attack Surface Measurement at Carnegie Mellon CyLab

This computer software article is a stub. You can help Wikipedia by expanding it. v • d • e