Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Top tips is a weekly column where we highlight what’s trending in the tech world today and list ways to explore these trends. This week, we’re looking at four ways you can minimize your attack surface. Organizational IT infrastructure is now more spread out, multi-layered, and complex than ever.

Penetration testing, dynamic application security testing (DAST), and attack surface management (ASM) are all strategies designed to manage an organization’s digital attack surface. However, while each aids in identifying and closing vulnerabilities, they have significant differences and play complementary roles within a corporate cybersecurity strategy. Let’s take a quick look at the definition of each of these strategies.

In today’s interconnected world, cyber threats continue to evolve at a rapid pace. As businesses grow more reliant on digital systems and services, the cyber security attack surface—the totality of an organisation’s digital exposure—has expanded, increasing the risks faced by security teams. The complex nature of these threats calls for a more adaptive and responsive approach to security, particularly in identifying and mitigating vulnerabilities before they can be exploited.

Gaps in your security testing program are likely more than simply missed assets. Infrequent testing and even low test accuracy are also gaps, and can be just as bad or worse. Gaps happen despite the best efforts of everyone involved. The good news is that, with some strategic adjustments, you can reduce gaps using tools you likely already have deployed.

In June 2024, the digital world was rocked by a significant supply chain attack involving Polyfill.io, a JavaScript library that had been a staple in web development for over a decade. Originally designed to ensure compatibility between older browsers and modern web APIs, Polyfill.io became a silent vulnerability when a Chinese company named “Fun Null” acquired the domain in February 2024.

There is a pressing need to protect an organisation’s digital assets against cyber attacks and it has never been more critical. The increasing complexity and dynamic nature of IT environments mean that traditional security measures often fall short. This has led to the emergence of new defensive approaches, such as attack surface management (ASM) that proactively safeguard against cyber threats.

CVE-2024-40766 is a critical (CVSS v3 score: 9.3) access control flaw. Its primary danger comes from the potential for providing unauthorized network access, both allowing attackers unfettered access to critical resources and, in some cases, giving attackers the ability to crash the firewall.

Increasing digitalization and connectivity mean the attack surfaces of most organizations are growing. This means more IT assets to track and manage, plus more potential attack routes for threat actors to target. The threat situation is constantly increasing, especially in the area of vulnerabilities – last year over 30,000 new vulnerabilities were published. So how can you get an accurate view of your attack surface and where it might be open to exploitation?

Managing an organization’s attack surface is a complex problem involving asset discovery, vulnerability analysis, and continuous monitoring. There are multiple well-defined solutions to secure the attack surface, such as extended detection and response (EDR or XDR), security information & event management (SIEM), and security orchestration, automation & response (SOAR); despite that, these tools often do not prioritize APIs.

While it was not called ASM, the concept of managing attack surface management began with basic asset management practices in the late 1990s and early 2000s. Organizations focused on keeping an inventory of their digital assets, such as servers, desktops, and network devices. The primary objective was to maintain an accurate record of these assets to ensure proper configuration and patch management.