Talk:Attack surface

From Wikipedia, the free encyclopedia


Defining Attack Surface

@LuisVilla: FYI, I think this recent NDSS paper[1] has a more concise definition of the attack surface than what I currently read here, albeit it *seems* to be for the Linux kernel only... Fedcaster (talk)

@Fedcaster: The definition isn't Linux-only; it is generic. Definitely the best one I've seen in terms of rigor. But it is also incredibly... well, it isn't exactly plain English by any stretch :) Probably a good citation/reference, but not a definition I'd want to try to pull into the article? You're welcome to try, though! -LuisVilla (talk) 18:58, 8 November 2013 (UTC)

Older Notes/Comments

It doesn't seem correct to say "how much (damage) can a piece of software do in its default configuration by unauthorized users" - it has nothing to do with "default configuration". One can change the configuration from the default, and now there is new 'attack surface'.

Also, note that the word "damage" (or something like it) is left out of that sentence.

--Rob Cranfill (talk) 15:56, 6 March 2008 (UTC)

This article starts with a very odd definition of Attack Surface. It seems to say the attack surface is the extent of the vulnerabilities in the system, rather than the total of potential places an attack could start. The OWASP definition seems far clearer and more useful, because the whole point is that you don't know where the actual vulnerabilities are; otherwise you would've fixed them and have "no attack surface". SimonWiseman (talk) 17:46, 30 January 2013 (UTC)

@SimonWiseman:, @Rob Cranfill: FYI, I'm starting to work on this page (Attack Surface); I've addressed both of your comments but would love more help if you have some cycles. -LuisVilla (talk) 20:35, 30 October 2013 (UTC)