I interviewed Ola Nordstrom for this topic – way interesting! Ola is a Senior Security Engineer at Citrix. He has been securing XenApp for the last five years. He’s been involved with a number of product features and has driven numerous security improvements. He has a Master of Science in Computer Science degree from Georgia Institute of Technology and is a Certified Information Systems Security Professional (CISSP).
Here is Ola:
Q: Ola, what is an “Attack Surface” as it relates to software?
A: Attack Surface is a measure of how potentially vulnerable a piece of software is. It enumerates the entry points and associated code a malicious user could employ to exploit the software.
Q: What are examples of entry points?
A: Examples would be open sockets, RPC entry points, and even the number of web applications hosted inside a web server.
Q: Why would the number of web apps running be an issue?
A: The more programs that are running, the more program code is exposed to malicious users finding vulnerabilities. Also, larger programs will tend to provide more opportunities for exploitation. For example, a web application with 1000 lines of code is generally less likely than a web application with 10000 lines of code to have a vulnerability.
Q: Are there any “best practices” that can help customers reduce the attack surface of the software they use?
A: Disabling unneeded features is a good step. In fact, software vendors like Citrix are tending to disable more features by default to improve security. Customers can also disable services and features not used – the smaller the number of features, the less attack surface is effectively available. The principle of least privilege also applies to all deployments.
Q: What other steps is Citrix taking as a software vendor to decrease attack surface of our products?
A: We are disabling more features by default, of course. We are also reducing the privilege of each component to the lowest possible – this is valuable in restricting the capabilities of a component, even if it IS compromised. In the web server example, any vulnerabilities found will execute as the identity of the web server – so the fewer privileges the web server has, the better off the system is. We are also focusing our security scrutiny and testing on components with a large attack surface. If a component is running with high privilege and is processing complex data (lots of code), that component has a high attack surface and will receive more security review.
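To make the two answers above concrete, here is an added example (my own illustration, not Citrix code and not the Relative Attack Surface Quotient) that inventories a constructed deployment, ranks components for review by the privilege-times-complexity heuristic Ola describes, and shows how disabling an unused feature and dropping a component's privilege shrink the total. The component names, weights and numbers are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    entry_points: int      # open sockets, RPC endpoints, hosted web apps
    privilege: int         # 1 = restricted service account, 3 = SYSTEM/root
    loc_thousands: float   # code reachable from those entry points (KLOC)
    enabled: bool = True


def component_score(c):
    """Heuristic exposure: entry points x reachable code, weighted by privilege.
    Constructed for illustration only; not a standard metric."""
    if not c.enabled:
        return 0.0  # a disabled feature exposes no code
    return c.entry_points * c.loc_thousands * c.privilege


def total_attack_surface(components):
    return sum(component_score(c) for c in components)


def review_priority(components):
    """Order enabled components for security review, highest exposure first."""
    ranked = sorted(components, key=component_score, reverse=True)
    return [c.name for c in ranked if c.enabled]


def harden(components, disable, demote):
    """Apply the two practices from the interview: disable unused features
    (names in `disable`) and drop privilege to the minimum (`demote` maps
    name -> new privilege level)."""
    return [
        Component(c.name, c.entry_points, demote.get(c.name, c.privilege),
                  c.loc_thousands, c.enabled and c.name not in disable)
        for c in components
    ]


# Constructed inventory for a hypothetical deployment
DEPLOYMENT = [
    Component("web_server", entry_points=2, privilege=3, loc_thousands=12.0),
    Component("legacy_app", entry_points=1, privilege=3, loc_thousands=1.0),
    Component("rpc_service", entry_points=4, privilege=3, loc_thousands=5.0),
]
HARDENED = harden(DEPLOYMENT, disable={"legacy_app"}, demote={"web_server": 1})
```

Running `review_priority(DEPLOYMENT)` puts the high-privilege, large web server first; after hardening, the total exposure drops from 135 to 84 and the RPC service becomes the top review candidate.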
Q: Can attack surface be measured?
A: Yes, there is a Relative Attack Surface Quotient metric that allows for comparisons.