Reducing Attack Surface

Oct 20th, 2004

Comments: 0
Category: Vulnerability Management

Reducing Attack Surface

There’s a link to a very interesting over at Michael Howard’s blog commenting that the Security issue of MSDN is out today.
The article linked from the posting is very interesting as well in that it talks about reducing attack surface.
On the whole, I’m really happy that this is getting focus from a company like Microsoft, because if anyone can make developers sit up and listen it’s Microsoft (commercial one’s ’cause they’re all involved with Microsoft somehow, and Open Source one’s ’cause if nothing else they’ll be out to try and prove that they do it better than Microsoft ;op)
However that said I think that there’s something missing from Microsofts definitions of how to reduce attack surface. In the article they mention 3 ways of helping to reduce attack surface
* Reduce the amount of code executing by default
* Reduce the volume of code that is accessible to untrusted users by default
* Limit the damage if the code is exploited
However I think they’re should be a fourth, although it primarily relates to operating systems, it could also apply to other software.
* Reduce the amount of code installed.
This is important especially on operating systems the more code that is installed the higher the likelihood that some of it will have security vulnerabilities (especially if you follow the oft-quoted truism that there will be 1 security related problem in every 1000 lines of code).
I think this is important at the moment as you see both Microsoft and the Linux distribtution vendors shipping more and more code with their operating systems and the default install sizes going up and up. Well if nothing else that just causes a nasty patch management problem as, the more code you have deployed the more you have to patch..
I could follow on to a rant about the relative ease of removing unneeded software from servers (cough cough web browser cough cough), but I think I’ll leave that for another day…

Add a comment

Your email address will not be shared or published. Required fields are marked *