[OWASP-METRICS] Attack surface

Pete Lindstrom petelind at spiresecurity.com
Thu Sep 16 16:47:41 EDT 2004


Hi, Jeff - try this:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&q=rasq+howard+wing.
As far as I know, this is the best treatment out there on the concept. (I
disagree with some of it).

Pete  

> -----Original Message-----
> From: owasp-metrics-admin at lists.sourceforge.net 
> [mailto:owasp-metrics-admin at lists.sourceforge.net] On Behalf 
> Of Jeff Williams
> Sent: Thursday, September 16, 2004 4:29 PM
> To: owasp-metrics at lists.sourceforge.net
> Subject: [OWASP-METRICS] Attack surface
> 
> Hi everyone. I keep reading articles that use the concept of 
> "attack surface" to describe how attackable an application 
> actually is.  But I've never seen the concept explored very 
> deeply. For a web application, it seems to me that the attack 
> surface is strictly limited to the range of allowed HTTP 
> requests. Anyone interested in helping model this?  Seems to 
> me that it shouldn't be too hard, would be really useful, and 
> is likely to be automatable.
> 
> --Jeff
> 
> Jeff Williams, CEO
> Aspect Security, Inc.
> http://www.aspectsecurity.com
> work: 410-707-1487
> main: 301-604-4882
> 
> 
> 
> 




