Last Updated on January 18, 2024
The growing use of cloud services, virtualization and containers coupled with remote working requirements have obliterated traditional notions about the organizational attack surface. How best to identify and manage exposure and risks when your critical data is no longer defended behind a firewall?
The idea of attack surface management is gaining traction in this regard—but how that capability is defined depends on what vendor you talk to.
To share a comprehensive vision for attack surface management that goes beyond simply identifying vulnerabilities, a recent episode of The Virtual CISO Podcast features Michelangelo Sidagni, CTO at NopSec. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.
Is a misconfiguration a vulnerability?
There is clearly a strong alignment between attack surface management and vulnerability management, as managing the attack surface must on some level involve addressing vulnerabilities.
But what about configuration management? As John points out, “a bad configuration can be a vulnerability, but some instances of configuration management are not vulnerability management.”
“Attack surface management is basically the main umbrella that can take vulnerabilities as well as configurations,” replies Michelangelo. “An exposed directory is not a vulnerability in itself, it’s a misconfiguration of shares or a web server.”
Likewise, a misconfigured Amazon S3 object store creates a vulnerability, but is ultimately a configuration issue. In fact, in today’s world of “infrastructure as code,” any cloud vulnerability could arguably be a configuration issue. Thus, configuration management must be part of managing the attack surface.
“Even if you force all the vulnerabilities to be patched at, let’s say, container startup, there might be a path which is still exploitable,” observes Michelangelo.
What’s next?
To listen to the complete show with Michelangelo Sidagni, click here.
Can attack surface management help with incident response? The answer is in this blog post: Can Attack Surface Management Help with Incident Response?