
Minimum Necessary Implementation:
Reducing Attack Surface to Increase Security

Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often increased unnecessarily by poor technology choices. Different technologies carry different degrees of vulnerability: ActiveX creates a higher exposure than Java or JavaScript, which in turn have more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); others unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX).

Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less trustworthy than servers.

We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs.

Robert Gezelter, CDP