Comments on "Building Real Software: Essential Attack Surface Management" (Jim Bird)

rksethi, 2012-01-15:

Hey Jim,

Great post. I think you have the right idea about reducing the scope of defining attack surface to entry & exit points. My gut reaction is that very few development shops will be willing to add another attack surface gating process if they've already adopted a couple of security activities such as static analysis, penetration testing, and/or threat modeling. I really like the way you positioned it as a trigger for further security review, such as threat modeling. I've seen a couple of places that say things along the lines of "if we're accepting new input then this release will undergo a risk assessment".

I think that if you position it as "evaluation criteria for security review" rather than "attack surface analysis" and you ask a small number of very simple-to-answer questions (e.g. "Have you modified the way you handle non-public financial data?") then you'll be able to get development groups on-board. If developers understand this as a 5-10 minute activity that might save them hours of unnecessary security reviews then they'll be much more apt to take it on.

Jim Bird, 2012-01-16:

Thanks Rohit. For us, attack surface analysis isn't a separate gate, it's an ongoing part of how we design and build software, something that we do all the time, iteratively and incrementally. You're right: if you do it this way, it doesn't have to be expensive.
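One way to make the trigger discussed in the thread concrete ("if we're accepting new input then this release will undergo a risk assessment") is to scan each change for added or removed entry and exit points and gate the security review on the result. The following is an added example, not code from the post or from either commenter: a scanner over a unified diff using heuristic regexes for a Python/Flask code base. The pattern tables, the Finding type, the review policy and the sample diff are all constructed for illustration and would need tuning for a real stack.

```python
import re
from dataclasses import dataclass

# Heuristic markers of attack surface for a Python code base (constructed for
# this example; extend for your own stack). Entry points take data from
# outside the process, exit points hand data to something outside it.
ENTRY_POINTS = {
    "http_route": re.compile(r"@\w+\.(?:route|get|post|put|delete|patch)\("),
    "request_input": re.compile(r"\brequest\.(?:args|form|json|files|cookies|headers)\b"),
    "cli_argument": re.compile(r"\.add_argument\("),
    "socket_listen": re.compile(r"\.listen\("),
    "deserialize": re.compile(r"\b(?:pickle\.loads?|yaml\.(?:unsafe_)?load)\("),
}
EXIT_POINTS = {
    "shell_command": re.compile(r"\b(?:subprocess\.(?:run|Popen|call|check_output)|os\.system)\("),
    "sql_execute": re.compile(r"\.execute(?:many)?\("),
    "outbound_http": re.compile(r"\brequests\.(?:get|post|put|delete)\("),
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str    # "entry" or "exit"
    name: str    # key from the tables above
    change: str  # "added" or "removed"
    line: str


def scan_diff(diff_text: str) -> list[Finding]:
    """Walk a unified diff and record entry/exit points that appear in added
    ('+') or removed ('-') lines. Context lines are ignored, so a change that
    only moves unchanged code around does not show up as new surface."""
    findings = []
    path = None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith(("--- ", "@@", "diff ", "index ")):
            continue
        if not raw or raw[0] not in "+-" or path is None:
            continue
        change = "added" if raw[0] == "+" else "removed"
        code = raw[1:]
        for kind, table in (("entry", ENTRY_POINTS), ("exit", EXIT_POINTS)):
            for name, pattern in table.items():
                if pattern.search(code):
                    findings.append(Finding(path, kind, name, change, code.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts per (kind, change), e.g. {"entry_added": 2, "exit_removed": 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        key = f"{f.kind}_{f.change}"
        counts[key] = counts.get(key, 0) + 1
    return counts


def review_required(findings: list[Finding]) -> bool:
    """The gate from the thread (an assumed policy): any new entry point sends
    the release to a security review. New exit points are reported but do not
    trigger a review on their own under this policy."""
    return any(f.kind == "entry" and f.change == "added" for f in findings)


# Constructed sample diff: one route with a shell exit point is replaced by a
# route that accepts form input and writes it to a database.
SAMPLE_DIFF = """\
diff --git a/app/api.py b/app/api.py
--- a/app/api.py
+++ b/app/api.py
@@ -1,8 +1,12 @@
 from flask import Flask, request
-import subprocess
+import subprocess, sqlite3
 app = Flask(__name__)
 
-@app.route("/ping")
-def ping():
-    return subprocess.check_output(["ping", "-c1", "localhost"])
+@app.route("/report", methods=["POST"])
+def report():
+    name = request.form["name"]
+    db = sqlite3.connect("reports.db")
+    db.execute("INSERT INTO reports VALUES (?)", (name,))
+    return "ok"
"""

if __name__ == "__main__":
    found = scan_diff(SAMPLE_DIFF)
    for f in found:
        print(f"{f.change:7} {f.kind:5} {f.name:14} {f.path}: {f.line}")
    print(summarize(found))
    print("security review required:", review_required(found))
```

Run against the sample diff it reports one removed route and one removed shell exit point, one added route and one added request input (both new entry points), and one added SQL exit point, and concludes that the release needs a review. The value of the check is in what it ignores as much as in what it flags: refactors that touch no boundary pass without a review, which is the cheap, incremental form of attack surface analysis the thread argues for.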