Reduce the Attack Surface


Another way of thinking about security is to imagine the possible attack surface of your system. For example, in the case of a web application, this includes:

  • open ports on the server
  • API endpoints
  • web server endpoints
  • file storage
  • 3rd parties used to load data or files

As a general rule, we look at reducing the attack surface. For our example, this would mean:

  • closing all ports on the server except those absolutely needed
  • reducing the API endpoints available to an external user to the minimum
  • blocking exposure of monitoring data except to authenticated and authorized services
  • authenticating and validating all 3rd party services
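
As an added illustration of the first and third points (not part of the original article), the following Python sketch audits a server's listening TCP sockets against an allowlist and reports anything reachable from outside that should not be. The allowlist, the function names and the sample `ss -tlnH` output are assumptions constructed for this example.

```python
import ipaddress

# Assumption: only these TCP ports are meant to be reachable from outside.
ALLOWED_EXTERNAL_PORTS = {443}

# Constructed sample of `ss -tlnH` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 511     0.0.0.0:443    0.0.0.0:* users:(("nginx",pid=900,fd=6))
LISTEN 0 128     0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 244   127.0.0.1:5432   0.0.0.0:* users:(("postgres",pid=700,fd=5))
LISTEN 0 4096          *:9100         *:* users:(("node_exporter",pid=650,fd=3))
LISTEN 0 511        [::]:443       [::]:* users:(("nginx",pid=900,fd=7))
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:* users:(("systemd-resolve",pid=500,fd=14))
"""

def is_loopback(host):
    """True if the bind address is only reachable from the host itself."""
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    if host == "*":                        # wildcard: bound on all interfaces
        return False
    return ipaddress.ip_address(host).is_loopback

def parse_listeners(ss_output):
    """Yield (host, port, process) for each LISTEN line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        process = fields[5] if len(fields) > 5 else "unknown"
        yield host, int(port), process

def unexpected_exposure(ss_output, allowed=ALLOWED_EXTERNAL_PORTS):
    """Return sorted (port, host, process) for exposed listeners not on the allowlist."""
    findings = set()
    for host, port, process in parse_listeners(ss_output):
        if not is_loopback(host) and port not in allowed:
            findings.add((port, host, process))
    return sorted(findings)

if __name__ == "__main__":
    for port, host, process in unexpected_exposure(SAMPLE_SS_OUTPUT):
        print(f"close, rebind to loopback, or firewall: {host}:{port} {process}")
```

On the sample input this reports the SSH listener and the monitoring exporter bound to all interfaces, while the database and resolver bound to loopback pass.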

We can take this analysis to the next level once we start assuming a breach in our system. For example, how can we reduce the attack surface if we assume an attacker has breached the web application and can assume its identity?

Taken to its logical conclusion, this principle leads us to the Zero Trust Model, which we will discuss later.
