[OWASP-METRICS] Attack surface

Jeff Williams jeff.williams at aspectsecurity.com
Thu Sep 16 16:29:08 EDT 2004


Hi everyone. I keep reading articles that use the concept of "attack
surface" to describe how attackable an application actually is.  But I've
never seen the concept explored very deeply. For a web application, it seems
to me that the attack surface is strictly limited to the range of allowed
HTTP requests. Anyone interested in helping model this?  Seems to me that it
shouldn't be too hard, would be really useful, and is likely to be
automatable.

--Jeff

Jeff Williams, CEO
Aspect Security, Inc.
http://www.aspectsecurity.com
work: 410-707-1487
main: 301-604-4882




