[OWASP-METRICS] Attack surface

Mark Curphey mark.curphey at foundstone.com
Thu Sep 23 13:35:34 EDT 2004

There was work on this done by E&Y validating Microsoft's RASQ model.


As regards the HTTP requests, I keep coming back to the CSI report
each year that consistently reports over 60% of attacks are internal and
relating this back to my days at Schwab. The "serious" risk was not
through the front door but through the back door (no pun intended) or
side door (b2b). The side door was becoming HTTP thru web services but
the back door ranged from RMI, RPC, T-SQL and <insert choice here>....

-----Original Message-----
From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com] 
Sent: Thursday, September 16, 2004 4:29 PM
To: owasp-metrics at lists.sourceforge.net
Subject: [OWASP-METRICS] Attack surface

Hi everyone. I keep reading articles that use the concept of "attack
surface" to describe how attackable an application actually is.  But
I've never seen the concept explored very deeply. For a web application,
it seems to me that the attack surface is strictly limited to the range
of allowed HTTP requests. Anyone interested in helping model this?
Seems to me that it shouldn't be too hard, would be really useful, and
is likely to be automatable.


Jeff Williams, CEO
Aspect Security, Inc.
work: 410-707-1487
main: 301-604-4882
