Talk:Attack surface

Defining Attack Surface
FYI I think this recent NDSS paper has a more concise definition of the attack surface than what I am currently read here, albeit it *seems* to be for the Linux kernel only... Fedcaster (talk)

The definition isn't Linux-only; it is generic. Definitely the best one I've seen in terms of rigor. But it is also incredibly... well, it isn't exactly plain english by any stretch :) Probably a good citation/reference, but not a definition I'd want to try to pull into the article? You're welcome to try, though! -LuisVilla (talk) 18:58, 8 November 2013 (UTC)

Older Notes/Comments
It doesn't seem correct to say "how much (damage) can a piece of software do in its default configuration by unauthorized users" - it has nothing to do with "default configuration". One can change the configuration from the default, and now there is new 'attack surface'.

Also, note that the word "damage" (or something like it) is left out of that sentence.

--Rob Cranfill (talk) 15:56, 6 March 2008 (UTC)

This article starts with a very odd definition of Attack Surface. It seems to say the attack surface is the extent of the vulnerabilities in the system, rather than the total of potential places an attack could start. The OWASP definition seems far clearer and more useful, because the whole point is you don't know where the actual vulnerabilities are otherwise you would've fixed them and have "no attack surface" SimonWiseman (talk) 17:46, 30 January 2013 (UTC)

, FYI, I'm starting to work on this page (Attack Surface); addressed both of your comments but would love more help if you have some cycles. -LuisVilla (talk) 20:35, 30 October 2013 (UTC)