[Owasp-leaders] Attack Surface Analysis

Jim Manico jim.manico at owasp.org
Sat Sep 1 22:19:17 UTC 2012


Just to be clear, this cheat sheet is Jim Bird's work. I am just the
person who kept bugging him to do it once he suggested it. ;-)

Aloha,
--
Jim Manico
(808) 652-3805

On Sep 1, 2012, at 9:00 AM, Gunnar Peterson <gunnar at arctecgroup.net> wrote:

>> It would be nice to include some attack surface analysis on mobile?
>
> Short answer: yes, but it probably belongs in its own sheet (and HTML5 too)
>
> Longer answer:
> http://1raindrop.typepad.com/1_raindrop/2012/09/mobile-attack-surface.html
>
> -gunnar
>
>> This can be pretty low level stuff such as inter-component comms, component privilege, ssl sec etc.
>> Would that fit at all?
>> Eoin
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 1 Sep 2012, at 06:15, vanderaj vanderaj <vanderaj at owasp.org> wrote:
>>
>>> I like to see "Stories", with a fairly straightforward path from start to middle to finish. In a cheat sheet, this means a short story amount of exposition and character development.
>>>
>>> Why - what use case does this cheat sheet apply to. It's currently called Introduction, but I think it should answer the question - "why should I care about defining and measuring the attack surface".
>>>
>>> The How is answered fully, and that requires little attention, but as it's a process, a simple process diagram would be nice.
>>>
>>> The What is currently an abstract list, so an example illustrating the point using a use case that we'd all be familiar with; something like a Fandango or Expedia type of site - i.e. defining the critical data assets (cc data, booking details, etc.) and critical flows (finding something, making a booking, checking out, customer service).
>>>
>>> The Who is not really answered. Who would undertake this task? In my personal view, this is a security architect and pen tester, but developers should be able to self-assess.
>>>
>>> Other than that, I think it's a fine final draft that I would be proud of if I had written it. Good work, fellas!
>>>
>>> thanks,
>>> Andrew
>>>
>>> On Sat, Sep 1, 2012 at 1:40 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>> Andrew,
>>>
>>> What changes do we need to get this out of draft mode? Send us more feedback (off the leaders list) and we will address it.
>>>
>>> Aloha,
>>>
>>>
>>> --
>>> Jim Manico
>>> (808) 652-3805
>>>
>>> On Aug 31, 2012, at 6:39 PM, vanderaj vanderaj <vanderaj at owasp.org> wrote:
>>>
>>>> Nice. I like it.
>>>>
>>>> How does it get out of draft? This is around beta quality in my view.
>>>>
>>>> thanks,
>>>> Andrew
>>>>
>>>> On Tue, Aug 28, 2012 at 9:26 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>> Jim Bird was kind enough to author one of the first "attacker" cheat
>>>> sheets on attack surface analysis.
>>>>
>>>> Comments are greatly appreciated!
>>>>
>>>> https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet
>>>>
>>>> --
>>>> Jim Manico
>>>> (808) 652-3805
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>