External attack surface management for web applications

An attack surface is all the software, cloud and application assets (known or unknown) that process or store data that are accessible on the internet. It’s the sum of attack vectors that attackers could use to penetrate and manipulate a system to extract data. These assets are internet exposed and outside the scope of firewall and endpoint protection. It is critical for organizations to understand and proactively reduce the attack surface to prevent cyber security risks stemming from shadow IT and application vulnerabilities

An attack surface is the total sum of vulnerabilities or security exposure that can be exploited to carry out potential cyber attacks, which is growing in size with digital transformation. Whereas attack vector is the means that is used by attackers to access or infiltrate the target system. Application attack vectors can take many different forms from misconfigurations, cross site scripting, SQL injection to broken authentication. Organizations should have a continuous process to identify these potential attack vectors and implement appropriate security controls to prevent them from being exploited.

Common application attack vectors include injection, broken authentication and sensitive data exposure as highlighted by OWASP Top 10 2017, other attack vectors range from buffer overflow and cross site request forgery (CSRF) to local file inclusion. Also pay attention to old and new CWE vulnerabilities in your environment to keep your applications as secure as their speed of development

Modern applications are complex and hard to secure - with every line of code, software component and API being a potential attack vector. To reduce the attack surface, start with visibility - identify what you own and where they are exposed; assess your applications against common attack vectors to locate open pathways and security weaknesses that could give hackers a foothold; finally use risk-based insight to prioritize software vulnerability remediation and protect your data. In the age of DevOps, this process should be done continuously through automation to ensure speedy release

External attack surface management (ESAM) tools are essential to automate the discovery of vulnerable applications that pose critical risk for your organization. The main components of an EASM tool include:

1. Application discovery - map the entire inventory of web services in your organization’s digital footprint and classify them by type, platform and business criticality

2. Vulnerability analysis - assess every application you own with a blackbox approach to visualize weak spots that require attention

3. Actionable risk scoring - understand your security exposure from a hacker’s view with quantifiable risk ratings to prioritize fixes

4. Continuous monitoring for known vulnerabilities and misconfigurations to keep them secure as changes are made

Utilizing an external attack surface management tool like Scout can help cut down the time taken to discover the complete chain of applications that you are connected to and pinpoint potential security issues from the ‘outside in’ (including those you didn’t know existed) to help security teams build a clear plan for early mitigation for vulnerabilities at risk.

1. Application discovery and inventory - gather and uncover known and unknown assets and domains that you may have missed

2. Attack vector analysis - assess your applications against the common vectors to locate open pathways

3. Actionable risk scoring - visualize your security exposure to pinpoint most critical vulnerabilities and the biggest cyber risks 

4. Continuous monitoring - continuously monitor the attack surface to improve long-term risk management

5. Threat intelligence - locate real-world hacker threats to your organization on the deep and dark web