Proceedings of the 4th International Workshop on Security Measurements and Metrics 2012
DOI: 10.1145/2372225.2372229

Comparing and applying attack surface metrics

Abstract: A software system's attack surface metric measures the freedom of a potential attacker to influence the system's execution, potentially exploiting a security vulnerability. Existing attack surface metrics aim to measure the security impact associated with deploying an application or component; however, a systematic evaluation of various metrics' suitability for this purpose has not yet been performed. We outline a framework for formalizing code-level attack surface metrics and deployment-time activities that r…

Cited by 8 publications (6 citation statements). References 10 publications.

Citation statements:
“…[7] Stuckman and Purtilo highlighted that an attack surface metric quantifies the scale of vulnerabilities of a system. [6] They suggested that, in analyzing a system's security posture, a good metric will demonstrate that software with fewer vulnerabilities is more secure than software with more exposures. They measured the attack surface by enumerating reachable elements of the software but did not account for the cascading effects between these elements when any of them is compromised.…”
Section: Related Work
“…The susceptibility of a system to attacks is determined by the area of its attack surface. A “good” attack surface metric should be able to identify and credibly enumerate all attack paths [6] by conducting an in-depth analysis of each path's entry and exit points or target points, implicit and explicit interdependencies, and vulnerabilities [7] …”
Section: Related Work
“…Considering the publications which combine multiple metrics resulting in a common measurement, Howard was one of the first to introduce an attack surface metric [9], which has been a starting point of multiple publications [2, 10, 13, 19, 23, 28, 29] for measuring software security in different domains. Defined as the attack opportunity or attackability of a system, or its exposure to attack [9, 10], attack surface is a relative metric that strikes at the design level of a system.…”
Section: Related Work
“…Moreover, function-level metrics analyse vulnerabilities taking into account the system conditions, which is represented by the attackability concept. Since the attack surface metric was first introduced by Michael Howard [18], it has been applied in different domains by multiple works [19-25]. Defined as the attack opportunity or attackability of a system, or its exposure to attack [18, 20], attack surface is a relative metric that strikes at the design level of a system.…”
Section: Security Metrics
“…The main problem of this approach is that the characterization of an operating system and its applications at a given moment helps to reduce its attack surface, but it prevents expanding it with more features later on. Stuckman and Purtilo [24] continue with the composability idea by proposing a method to evaluate the attack surface impact of a configuration or environmental change, which helps system administrators to tune their applications to optimize security. The reduction of the attack surface on permission-based software has also been analysed by Bartel et al. [19].…”
Section: Security Metrics
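The two points the citing papers attribute to this work, enumerating the reachable elements of a system and evaluating the attack-surface impact of a configuration change, can be made concrete with a small model. The following is an added example, not code from Stuckman and Purtilo's paper or from any of the citing works; it uses a simplified Manadhata-and-Wing-style measurement (sum of damage potential over attacker effort across reachable entry points) rather than the paper's own formalization, and the service, its entry points, the numeric orderings of privilege and access-rights levels, and the configuration options are all hypothetical, constructed for illustration.

```python
"""Added example: a toy attack surface metric over reachable entry points,
used to compare two deployment configurations of a hypothetical service.

Assumptions (chosen for illustration, not taken from the paper):
  * a system is a set of entry points; each runs at some privilege level
    (its damage potential) and requires some access rights to reach
    (the attacker's effort);
  * an entry point contributes damage_potential / attacker_effort;
  * a configuration is the set of enabled options, and an entry point is
    reachable only when every option it requires is enabled.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Dict

# Numeric orderings for the ratio. Hypothetical values, not from the paper.
PRIVILEGE = {"unprivileged": 1, "service": 3, "root": 5}
ACCESS_RIGHTS = {"anonymous": 1, "authenticated": 3, "admin": 5}


@dataclass(frozen=True)
class EntryPoint:
    name: str
    privilege: str              # level the handler runs with (damage potential)
    access: str                 # rights an attacker needs to reach it (effort)
    requires: FrozenSet[str]    # configuration options that expose it

    def contribution(self) -> float:
        return PRIVILEGE[self.privilege] / ACCESS_RIGHTS[self.access]


def reachable(entry_points: Iterable[EntryPoint], config: FrozenSet[str]) -> List[EntryPoint]:
    """Enumerate the entry points exposed under a configuration."""
    return [ep for ep in entry_points if ep.requires <= config]


def attack_surface(entry_points: Iterable[EntryPoint], config: FrozenSet[str]) -> float:
    """Additive measurement: each reachable entry point is scored independently."""
    return sum(ep.contribution() for ep in reachable(entry_points, config))


def config_change_impact(entry_points: List[EntryPoint],
                         before: FrozenSet[str],
                         after: FrozenSet[str]) -> Dict[str, object]:
    """Attack-surface impact of changing the configuration from `before` to
    `after`: the metric on both sides and which entry points were exposed or
    removed by the change."""
    b = {ep.name for ep in reachable(entry_points, before)}
    a = {ep.name for ep in reachable(entry_points, after)}
    return {
        "before": attack_surface(entry_points, before),
        "after": attack_surface(entry_points, after),
        "exposed": sorted(a - b),
        "removed": sorted(b - a),
    }


# Constructed sample system: a hypothetical web service with optional features.
SERVICE = [
    EntryPoint("http_login", "service", "anonymous", frozenset({"http"})),
    EntryPoint("http_api", "service", "authenticated", frozenset({"http"})),
    EntryPoint("admin_panel", "service", "admin", frozenset({"http", "admin_ui"})),
    EntryPoint("debug_shell", "root", "anonymous", frozenset({"http", "debug"})),
    EntryPoint("ssh", "root", "authenticated", frozenset({"ssh"})),
]

PROD = frozenset({"http", "ssh"})
DEV = PROD | {"debug", "admin_ui"}

if __name__ == "__main__":
    print(config_change_impact(SERVICE, PROD, DEV))
```

Enabling the debug and admin options roughly doubles the measurement, almost entirely because `debug_shell` combines the highest damage potential with the lowest attacker effort. Note that the model scores each reachable element on its own, which is exactly the limitation the first citation statement points out: it says nothing about cascading effects, for instance that a compromised `http_login` handler running as the service user could open paths that the anonymous attacker did not have directly.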