Small is Beautiful: Minimizing Attack Surfaces
“Every bug starts its life as a feature. If there was no feature, there would be no bug.”
And therein lies the key message delivered by Natalie Silvanovich, a security researcher at Google’s Project Zero at Security@. Essentially, the more code you have, the more vulnerabilities you’ll have. And since everyone should be interested in reducing the number of vulnerabilities, a great place to begin is by reducing your code.
Natalie’s focus during her session was mainly on unused features. For every bit of code existing in your software, there’s risk. Unused code is therefore adding risk with no payoff.
But it’s not as simple as just deleting the code or deprecating a feature. As Natalie explained through examples and anecdotes, the features used by a tiny number of people or relied on by a few random websites makes it difficult. Deprecating a feature used by even a few devoted users, for example, means angering them or breaking their websites.
Natalie gave a few examples of a middle ground, such as Microsoft disabling by default the EPS filter due to an unpatched vulnerability, yet leaving the feature available for those who truly need it despite the risks. It’s a start, but the better way to minimize risk is by minimizing your code base.
So what’s an organization to do? You’ll have to watch Natalie’s full session to find out. But be prepared: it means getting the security team involved with design, development, and others to better understand security risks before adding new features as well as tracking the usage of current features.
Watch Natalie’s full session to learn more about the benefits of reducing attack surfaces by reducing code and features.