Part 2 of the Attack Surfaces series

The application attack surface includes everything from off-the-shelf software to custom-built applications from in-house development teams. Off-the-shelf software can be affected by misconfigurations or published CVEs which may have proof-of-concept or full-fledged exploits publicly available. Custom-built applications can suffer from a range of unique (or not so unique) flaws in code or architecture. Building enterprise applications is hard!

The 2024 Verizon Data Breach Investigations Report (DBIR) has great stats on breach entry points. In 2023, exploitation of vulnerabilities as the critical path action initiating a breach increased 180% (this includes both application and infrastructure vulnerabilities). The DBIR called out the MOVEit application vulnerability as a specific driver of this increase.

Exposed Applications Introduce Risk

Applications exposed to the internet (intentionally or inadvertently) are particularly attractive targets. Development teams frequently spin up publicly accessible test servers like Jenkins for testing or for one-off projects. If these servers are left exposed when no longer needed, they become ripe for compromise. This problem multiplies in large organizations where individual teams may operate with autonomy. See Microsoft’s post-mortem on its breach in late 2023: the attack targeted and compromised a “legacy non-production test tenant account.”

“Shadow IT” applications adopted outside normal procurement channels can also expand the application attack surface in ways that are difficult for centralized security teams to quantify and control. Without visibility into all applications, organizations struggle to maintain a complete inventory and identify risks.

New Vulnerabilities Create a Race to Patch

Even well-known and trusted applications can introduce risk when new vulnerabilities emerge. High-severity flaws discovered in popular platforms like Exchange or SharePoint create a scramble to identify affected assets and deploy patches before attackers can exploit them.

If an unpatched application is compromised, incident responders must rapidly assess the blast radius to determine what data and systems may be impacted. This triage process becomes much more challenging when asset inventories are incomplete or out of date. Every minute counts in the race to contain an incident.

Third-Party Integrations Extend the Attack Surface

Applications provided by third-party vendors add another facet to the attack surface. Vendors may obtain access to aliased subdomains on an organization’s primary domain during the sales process or implementation. If the relationship ends but the aliased subdomain is not properly reclaimed, attackers can register that domain and host malicious content, exploiting users’ trust in the organization.

Since the links would use the organization’s primary domain name (e.g. ouroldinstance.examplecompany.com), they appear trustworthy to users, making these attacks especially effective. Forgotten third-party applications and integrations are an often-overlooked corner of the attack surface that deserves scrutiny.

Proactively Discover and Mitigate Risks

Managing an organization’s application attack surface is separate from managing the risk of each application individually. To manage attack surface risks across the whole portfolio, we recommend a proactive approach:

  • Create (and then maintain) accurate and up-to-date inventories of all applications
  • Implement processes to continually discover new applications and integrations
    • Scan company-owned IPs, domains, and cloud accounts for un-inventoried applications (knowing that this will not find some shadow IT)
  • Assess the business need and criticality of each application
  • Prioritize patching based on exploit risk and potential impact
  • Perform regular automated or manual security testing (commensurate with the risk of each application) to identify vulnerabilities
  • Use appropriate web application firewalls and keep thorough read-only logs to make exploitation more difficult and to provide helpful evidence in the case of successful exploitation
  • Evaluate third-party software for secure development practices prior to adoption
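
As an added example (not part of the original article), the sketch below reconciles a DNS zone export against the application inventory, covering both the discovery step in the list above and the unreclaimed vendor aliases described under third-party integrations. The record layout, function names, hostnames and vendor domains are assumptions, and the sample data is constructed.

```python
"""Reconcile a DNS zone export against the application inventory (offline)."""

# Constructed sample data; hostnames, vendor domains and IPs are illustrative.
ORG_DOMAIN = "examplecompany.com"
ZONE_RECORDS = [  # (name, type, target) rows as exported from the DNS provider
    ("www.examplecompany.com", "A", "203.0.113.10"),
    ("support.examplecompany.com", "CNAME", "examplecompany.helpdesk-vendor.example."),
    ("ouroldinstance.examplecompany.com", "CNAME", "examplecompany.oldvendor.example."),
    ("jenkins-test.examplecompany.com", "A", "203.0.113.77"),
    ("shop.examplecompany.com", "CNAME", "www.examplecompany.com."),
]
INVENTORY = {"www.examplecompany.com", "support.examplecompany.com",
             "shop.examplecompany.com"}
ACTIVE_VENDOR_DOMAINS = {"helpdesk-vendor.example"}  # vendors still under contract


def _norm(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().rstrip(".").lower()


def _within(name, domain):
    """True if name equals domain or is a subdomain of it (label boundary)."""
    return name == domain or name.endswith("." + domain)


def audit_zone(records, inventory, active_vendors, org_domain):
    """Return sorted (hostname, finding) pairs for the asset owner to review."""
    inv = {_norm(h) for h in inventory}
    vendors = {_norm(v) for v in active_vendors}
    org = _norm(org_domain)
    findings = []
    for name, rtype, target in records:
        host = _norm(name)
        if host not in inv:
            findings.append((host, "not-in-inventory"))
        if rtype.upper() == "CNAME":
            tgt = _norm(target)
            # Aliases that stay inside our own domain are not third-party.
            if not _within(tgt, org) and not any(_within(tgt, v) for v in vendors):
                findings.append((host, "alias-to-inactive-vendor"))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in audit_zone(ZONE_RECORDS, INVENTORY,
                                    ACTIVE_VENDOR_DOMAINS, ORG_DOMAIN):
        print(f"{finding:26} {host}")
```

Each finding is a prompt to either add the host to the inventory with an owner or remove the record; a zone export only covers DNS the organization controls, so it will not surface shadow IT hosted elsewhere.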

By understanding your application portfolio and adopting an attacker mindset, you can focus your defenses on the most likely avenues of compromise. Proactive application discovery and mitigation can help systematically reduce risk and limit blast radius expansion in the event of an application compromise.