[OWASP-METRICS] Attack surface

Adam Shostack adam at reflectivecorp.com
Thu Sep 23 14:42:36 EDT 2004


(The Secret Service and CERT did a report on insiders.  Insiders tend  
not to use technical exploits against the systems in their attacks.    
http://www.secretservice.gov/ntac_its.shtml )

I think you raise a good point...attack surface ought to be measured at  
multiple points, not just port 80 or 443.  There's an attack surface on  
the RMI/RPC/SQL side of the web server, and the application has attack  
surfaces on each host (and network) through to the backend.

Total application attack surface is a function of each segment's  
surface.


On Sep 23, 2004, at 1:35 PM, Mark Curphey wrote:

> There was work on this done by E&Y validating Microsoft's RASQ model.
>
>   
> http://uk.builder.com/whitepapers/0,39026692,60048795p-39000888q,00.htm
>
> As regards for the HTTP requests I keep coming back to the CSI report
> each year that consistently reports over 60% of attacks are internal and
> relating this back to my days at Schwab. The "serious" risk was not
> through the front door but through the back door (no pun intended) or
> side door (b2b). The side door was becoming HTTP thru web services but
> the back door ranged from RMI, RPC, T-SQL and <insert choice here>....
>
> -----Original Message-----
> From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com]
> Sent: Thursday, September 16, 2004 4:29 PM
> To: owasp-metrics at lists.sourceforge.net
> Subject: [OWASP-METRICS] Attack surface
>
> Hi everyone. I keep reading articles that use the concept of "attack
> surface" to describe how attackable an application actually is.  But
> I've never seen the concept explored very deeply. For a web application,
> it seems to me that the attack surface is strictly limited to the range
> of allowed HTTP requests. Anyone interested in helping model this?
> Seems to me that it shouldn't be too hard, would be really useful, and
> is likely to be automatable.
>
> --Jeff
>
> Jeff Williams, CEO
> Aspect Security, Inc.
> http://www.aspectsecurity.com
> work: 410-707-1487
> main: 301-604-4882
>
>
>
> _______________________________________________
> OWASP-METRICS mailing list
> OWASP-METRICS at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/owasp-metrics