[Owasp-leaders] Attack Surface Analysis

vanderaj vanderaj vanderaj at owasp.org
Sat Sep 1 05:15:20 UTC 2012


I like to see "Stories", with a fairly straightforward path from start to
middle to finish. In a cheat sheet, this means a short story amount of
exposition and character development.

*Why* - what use case does this cheat sheet apply to? It's currently called
Introduction, but I think it should answer the question "why should I
care about defining and measuring the attack surface?"

The *How* is answered fully, and that requires little attention, but as
it's a process, a simple process diagram would be nice.

The *What* is currently an abstract list, so an example illustrating the
point using a use case that we'd all be familiar with; something like a
Fandango or Expedia type of site - i.e. defining the critical data assets
(cc data, booking details, etc.) and critical flows (finding something,
making a booking, checking out, customer service).

The *Who* is not really answered. Who would undertake this task? In my
personal view, this is a security architect and pen tester, but developers
should be able to self-assess.

Other than that, I think it's a fine final draft that I would be proud of
if I had written it. Good work, fellas!

thanks,
Andrew

On Sat, Sep 1, 2012 at 1:40 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Andrew,
>
> What changes do we need to get this out of draft mode? Send us more
> feedback (off the leaders list) and we will address it.
>
> Aloha,
>
>
> --
> Jim Manico
> (808) 652-3805
>
> On Aug 31, 2012, at 6:39 PM, vanderaj vanderaj <vanderaj at owasp.org> wrote:
>
> Nice. I like it.
>
> How does it get out of draft? This is around beta quality in my view.
>
> thanks,
> Andrew
>
> On Tue, Aug 28, 2012 at 9:26 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Jim Bird was kind enough to author one of the first "attacker" cheat
>> sheets on attack surface analysis.
>>
>> Comments are greatly appreciated!
>>
>> https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet
>>
>> --
>> Jim Manico
>> (808) 652-3805
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>
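The "What" Andrew asks for above (critical data assets and critical flows for a booking site) and the "why measure it" question can be made concrete with a small inventory script. The following is an added example written for this archive page; it is not from the cheat sheet, from Jim Bird, or from anyone in the thread. The routes, asset names, and the additive scoring weights are constructed assumptions for a hypothetical Expedia-style site, chosen only to show how an attack surface can be enumerated, ranked, and re-measured between reviews.

```python
"""Attack-surface inventory for a hypothetical booking site.

Added example; not part of the OWASP Attack Surface Analysis Cheat Sheet.
Every route, asset and weight below is a constructed assumption.
"""
from dataclasses import dataclass

# Assumed critical data assets (the "cc data, booking details" of the thread).
CRITICAL_ASSETS = frozenset({"cc_data", "booking_details", "customer_pii"})


@dataclass(frozen=True)
class EntryPoint:
    path: str
    method: str
    auth_required: bool      # does the endpoint sit behind authentication?
    internet_facing: bool    # reachable from the public internet?
    data_assets: frozenset   # data the endpoint reads or writes
    flow: str                # business flow it belongs to


# Constructed sample inventory: hypothetical routes, not a real product.
INVENTORY = [
    EntryPoint("/search", "GET", False, True, frozenset(), "search"),
    EntryPoint("/booking", "POST", True, True,
               frozenset({"booking_details", "customer_pii"}), "booking"),
    EntryPoint("/checkout", "POST", True, True,
               frozenset({"cc_data", "booking_details"}), "checkout"),
    EntryPoint("/support/lookup", "GET", False, True,
               frozenset({"booking_details"}), "customer_service"),
    EntryPoint("/admin/refund", "POST", True, False,
               frozenset({"cc_data"}), "customer_service"),
    EntryPoint("/health", "GET", False, True, frozenset(), "ops"),
]


def critical(ep):
    """Critical assets this entry point touches."""
    return ep.data_assets & CRITICAL_ASSETS


def score(ep):
    """Assumed additive weight: exposure + sensitivity + missing auth.

    The numbers are illustrative; the point is that the ranking is
    reproducible, so reviewers argue about weights, not about gut feel.
    """
    s = 2 if ep.internet_facing else 1
    s += 3 * len(critical(ep))
    if critical(ep) and not ep.auth_required:
        s += 5   # critical data reachable without authentication
    return s


def ranked(inventory):
    """Entry points ordered from largest to smallest contribution."""
    return sorted(inventory, key=score, reverse=True)


def assets_by_flow(inventory):
    """Map each business flow to the critical assets it exposes."""
    out = {}
    for ep in inventory:
        out.setdefault(ep.flow, set()).update(critical(ep))
    return out


def summarize(inventory):
    """Headline attack-surface measurements a security architect would track."""
    return {
        "total": len(inventory),
        "internet_facing": sum(1 for e in inventory if e.internet_facing),
        "touching_critical": sum(1 for e in inventory if critical(e)),
        "unauth_critical": [e.path for e in inventory
                            if critical(e) and not e.auth_required],
    }


def surface_delta(previous, current):
    """Paths present now but absent at the last review: growth to re-assess."""
    seen = {(e.path, e.method) for e in previous}
    return [e.path for e in current if (e.path, e.method) not in seen]


if __name__ == "__main__":
    for ep in ranked(INVENTORY):
        print(f"{score(ep):2d}  {ep.method:4s} {ep.path}  flow={ep.flow}")
    print(summarize(INVENTORY))
    print(assets_by_flow(INVENTORY))
    print("new since last review:", surface_delta(INVENTORY[:5], INVENTORY))
```

The unauthenticated support lookup ranks above checkout even though checkout handles card data, because the scoring treats "critical data with no auth gate" as the dominant term; that is the kind of finding the cheat sheet's "measure" step is meant to surface, and `surface_delta` is the re-measurement a developer can run on a pull request to self-assess growth.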