I interviewed Ola Nordstrom for this topic – way interesting!  Ola is a Senior Security Engineer at Citrix. He has been securing XenApp for the last five years. He’s been involved with a number of product features and has driven numerous security improvements. He has a Master of Science in Computer Science degree from Georgia Institute of Technology and is a Certified Information Systems Security Professional (CISSP).

Here is Ola:
  

Q: Ola, what is an “Attack Surface” as it relates to software?

A: Attack Surface is a measure of how potentially vulnerable a piece of software is.  It enumerates the entry points and associated code a malicious user could employ to exploit the software. 

Q: What are examples of entry points?

A: Examples would be open sockets, RPC entry points, and even the number of web applications hosted inside a web server. 

Q: Why would the number of web apps running be an issue?

A: The more programs that are running, the more program code is exposed to malicious users finding vulnerabilities. Also, larger programs will tend to provide more opportunities for exploitation.  For example, a web application with 1000 lines of code is generally less likely than a web application with 10000 lines of code to have vulnerability.  

Q: Are there any “best practices” that can help customers reduce attack surface of the software they use.

A: Disabling unneeded features is a good step.  In fact, software vendors like Citrix are tending to disable more features by default to improve security.  Customers can also disable services and features not used – the smaller the number of features, the less attack surface is effectively available. The principle of least privilege also applies to all deployments. 

Q: What other steps is Citrix taking as a software vendor to decrease attack surface of our products?

A: We are disabling more features by default, of course.  We are also reducing the privilege of each component to the lowest possible – this is valuable in restricting capabilities of a component, even if it IS compromised.  In the web server example any vulnerabilities found will execute as the identity of the web server – so the less privileges the web server has the better off the system is. We are also focusing our security scrutiny and testing on components with large attack surface.  If a component is running with high privilege and is processing complex data (lots of code), that component has a high attack surface will receive more security review.  

Q: Can attack surface be measured?

A: Yes, there is a Relative Attack Surface Quotient metric that allows for comparisons. 

Q: Do you have any reference for more information?
A: Sure.  Measuring Relative Attack Surfaces and The Attack Surface Problem