The attack surface of a system represents the exposure of application objects to attackers and is affected primarily by architecture and design decisions. Given otherwise consistent conditions, reducing the attack surface of a system or an application is expected to reduce its overall vulnerability. So far, only systems have been considered but not single applications. As web applications provide a large set of applications built upon a common set of concepts and technologies, we choose them as an example, and provide qualitative and quantitative indicators. We propose a multi-dimensional metric for the attack surface of web applications, and discuss the rationale behind. Our metric is easy to use. It comprises both a scalar numeric indicator for easy comparison and a more detailed vector representation for deeper analysis. The metric can be used to guide security testing and development. We validate the applicability and suitability of the metric with popular web applications, of which knowledge about their
vulnerability already exists.
[1]
Vilhelm Verendel,et al.
Quantified security is a weak hypothesis: a critical survey of results and assumptions
,
2009,
NSPW '09.
[2]
Jeannette M. Wing,et al.
An Attack Surface Metric
,
2011,
IEEE Transactions on Software Engineering.
[3]
Karen A. Scarfone,et al.
A Complete Guide to the Common Vulnerability Scoring System Version 2.0 | NIST
,
2007
.
[4]
J. Doug Tygar,et al.
Computer Security in the 21st Century
,
2010
.
[5]
Holger Peine,et al.
Rules of Thumb for Developing Secure Software: Analyzing and Consolidating Two Proposed Sets of Rules
,
2008,
2008 Third International Conference on Availability, Reliability and Security.
[6]
Jarrett Rosenberg,et al.
Some misconceptions about lines of code
,
1997,
Proceedings Fourth International Software Metrics Symposium.