The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
The attack surface of a computer system consists of the components within that computer system that are exposed to access by a potential attacker. Such components may include, for instance, applications executed by a web server and other server-based applications. It is typically desirable for user-operated clients to interact with these components over one or more computer networks. Thus the components feature various interfaces for interacting with clients over those one or more networks. For example, the components may expose web-based graphical user interfaces (“GUIs”) comprising user input fields, interfaces for receiving user input via predefined protocols such as Hyper-Text Transfer Protocol (“HTTP”) or Simple Object Access Protocol (“SOAP”), customized application programming interfaces (“APIs”), and/or other services by which the components receive and react to communications from user-operated client devices.
While user access to the components is typically desirable, providing that access sometimes leaves the components vulnerable to unauthorized uses, in which an unauthorized user succeeds in causing the components to execute in ways that are unintended or undesired by the owner of the computer system. Examples of unauthorized uses, which are also known as “attacks,” include, without limitation, passive attacks, such as wiretapping, and active attacks, such as server or account hijacking, buffer overflow, heap overflow, and format string attacks.
The information security industry is continually discovering and defining “security vulnerabilities” that are known to be at high risk for such attacks. Security vulnerabilities may include, for example, specific versions of software known to inadvertently expose access to undesired functionality, bad practices in software development or deployment, and so forth. Vulnerabilities to attacks increase when the components are accessible to clients over an insecure network. An insecure network is a network over which limited or no control is exercised over the users that can access the network. One example of an insecure network is the Internet.
One approach to improving information security is to reduce the attack surface of a computer system. Turning off unnecessary functionality and/or components leaves fewer security risks. With less code available to unauthorized actors, there will tend to be fewer failures. Conventional strategies of information security thus focus on attack surface reduction by reducing the amount of code running, reducing the entry points available to untrusted users, and eliminating services requested by relatively few users. To achieve this end, organizations typically feature a centralized information technology department that approves and authorizes any new component exposed to access from insecure external networks, and in some cases even approves and authorizes components that are exposed to access from internal networks, such as the organization's Intranet. These strong controls over the deployment of security assets can often stymie the progress of development in fast-paced organizations.
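The following is an added example, not part of the patent text, illustrating the conventional attack surface reduction strategy described above together with the notion of an exposed interface from the earlier paragraphs. It models a small inventory of server-side components, each exposing entry points (GUI, HTTP, SOAP, custom API) to one or more networks, counts the entry points reachable from an insecure network, and flags those that the strategy would target: externally exposed entry points that are used by relatively few users or that the central IT function has not approved. The inventory, the usage figures, the `min_users` threshold and the choice of the Internet as the only insecure network are all constructed assumptions for the example.

```python
"""Attack surface inventory and reduction candidates (added example, constructed data)."""
from dataclasses import dataclass

# Assumption: only the Internet is treated as a network with no access control.
INSECURE_NETWORKS = frozenset({"internet"})


@dataclass(frozen=True)
class EntryPoint:
    """One interface through which clients can reach a component."""
    name: str
    protocol: str          # "gui", "http", "soap" or "api"
    networks: frozenset    # networks from which the entry point is reachable
    monthly_users: int     # constructed usage figure
    it_approved: bool      # approved by the central IT department?


@dataclass
class Component:
    name: str
    entry_points: list


def externally_exposed(component):
    """Entry points of a component reachable from at least one insecure network."""
    return [ep for ep in component.entry_points if ep.networks & INSECURE_NETWORKS]


def attack_surface(components):
    """Size of the attack surface: entry points reachable from an insecure network."""
    return sum(len(externally_exposed(c)) for c in components)


def reduction_candidates(components, min_users=10):
    """Externally exposed entry points to disable or gate, with the reason for each.

    An entry point is a candidate when it serves fewer than min_users clients
    per month (a rarely requested service) or was never approved centrally.
    """
    candidates = []
    for component in components:
        for ep in externally_exposed(component):
            reasons = []
            if ep.monthly_users < min_users:
                reasons.append("low usage")
            if not ep.it_approved:
                reasons.append("not approved")
            if reasons:
                candidates.append((component.name, ep.name, reasons))
    return candidates


def reduced_surface(components, min_users=10):
    """Attack surface that remains once every candidate has been turned off."""
    return attack_surface(components) - len(reduction_candidates(components, min_users))


# Constructed inventory for the example.
INVENTORY = [
    Component("storefront", [
        EntryPoint("checkout-form", "gui", frozenset({"internet"}), 12000, True),
        EntryPoint("legacy-soap-orders", "soap", frozenset({"internet"}), 3, True),
    ]),
    Component("reporting", [
        EntryPoint("report-api", "api", frozenset({"intranet"}), 40, True),
        EntryPoint("debug-endpoint", "http", frozenset({"internet", "intranet"}), 1, False),
    ]),
]

if __name__ == "__main__":
    print("externally exposed entry points:", attack_surface(INVENTORY))
    for component, ep, reasons in reduction_candidates(INVENTORY):
        print(f"  {component}/{ep}: {', '.join(reasons)}")
    print("attack surface after reduction:", reduced_surface(INVENTORY))
```

Only the Internet-facing entry points count toward the surface, so the intranet-only report API is left alone, while the rarely used SOAP endpoint and the unapproved debug endpoint are the two candidates the centralized approval process would remove or gate.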