[Owasp-leaders] Attack Surface Analysis

Gunnar Peterson gunnar at arctecgroup.net
Sat Sep 1 15:59:44 UTC 2012


> It would be nice to include some attack surface analysis on mobile?

Short answer: yes, but it probably belongs in its own sheet (and HTML5 too)

Longer answer:
http://1raindrop.typepad.com/1_raindrop/2012/09/mobile-attack-surface.html

-gunnar

> This can be pretty low level stuff such as inter-component comms, component privilege, ssl sec etc.
> Would that fit at all?
> Eoin
> 
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> 
> 
> On 1 Sep 2012, at 06:15, vanderaj vanderaj <vanderaj at owasp.org> wrote:
> 
>> I like to see "Stories", with a fairly straightforward path from start to middle to finish. In a cheat sheet, this means a short story amount of exposition and character development. 
>> 
>> Why - what use case does this cheat sheet apply to. It's currently called Introduction, but I think it should answer the question - "why should I care about defining and measuring the attack surface". 
>> 
>> The How is answered fully, and that requires little attention, but as it's a process, a simple process diagram would be nice. 
>> 
>> The What is currently an abstract list, so an example illustrating the point using a use case that'd we all be familiar with; something like a Fandango or Expedia type of site - i.e. defining the critical data assets (cc data, booking details, etc) and critical flows - finding something, making a booking, checking out, customer service). 
>> 
>> The Who is not really answered. Who would undertake this task? In my personal view, this is a security architect and pen tester, but developers should be able to self-assess.
>> 
>> Other than that, I think it's a fine final draft that I would be proud of if I had written it. Good work, fellas! 
>> 
>> thanks,
>> Andrew
>> 
>> On Sat, Sep 1, 2012 at 1:40 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> Andrew,
>> 
>> What changes do we need to get this out of draft mode? Send us more feedback (off the leaders list) and we will address it.
>> 
>> Aloha,
>> 
>> 
>> --
>> Jim Manico
>> (808) 652-3805
>> 
>> On Aug 31, 2012, at 6:39 PM, vanderaj vanderaj <vanderaj at owasp.org> wrote:
>> 
>>> Nice. I like it. 
>>> 
>>> How does it get out of draft? This is around beta quality in my view. 
>>> 
>>> thanks,
>>> Andrew
>>> 
>>> On Tue, Aug 28, 2012 at 9:26 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>> Jim Bird was kind enough to author one of the first "attacker" cheat
>>> sheets on attack surface analysis.
>>> 
>>> Comments are greatly appreciated!
>>> 
>>> https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet
>>> 
>>> --
>>> Jim Manico
>>> (808) 652-3805
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> 
>> 



More information about the OWASP-Leaders mailing list