Attack Surface Vocabulary
Vocabulary Reference
| Term / Phrase | Meaning in context |
|---|---|
| Attack surface reduction | The practice of removing unnecessary entry points, permissions, and interfaces to decrease the number of places an attacker can attempt to exploit. |
| "exposed endpoints" | APIs, interfaces, or services accessible to untrusted parties — each exposed endpoint is part of the attack surface and must be assessed and minimised. |
| "unnecessary permissions" | Access rights granted beyond what a user or service needs for its function — a common source of attack surface expansion and a target for reduction. |
| Principle of least privilege | Every user, service, and process should operate with the minimum access rights needed to perform its function — and no more. |
| "this increases the attack surface" | Standard phrase used in architecture and code reviews to flag that a proposed change adds new entry points or permissions that could be exploited. |
| Attack vector | The specific path or method an attacker uses to reach and exploit a vulnerability — each exposed endpoint is a potential attack vector. |
1. During a code review, a developer proposes adding a public endpoint that returns detailed server configuration data to help with debugging. The security reviewer responds: "This increases the attack surface by exposing ___." Which phrase correctly completes the reviewer's sentence?
2. A service account used only to read from a single database table has been given admin rights to the entire database server. The security team flags this in a review. What principle does granting admin rights violate?
3. The team removes a legacy admin panel that is no longer used, closes three firewall ports left open from an old integration, and revokes 14 service accounts with no recent activity. How would a security architect describe what the team is doing?
4. In a design review, the architect says: "The mobile app currently has 12 exposed endpoints. We should review each one and ask whether it needs to be public or can be restricted to authenticated users or internal services only." What is the architect recommending?
5. A junior developer asks why the CI pipeline service account cannot have write access to all repositories — it would be simpler to configure. The lead engineer responds: "We apply the principle of least privilege because ___." Which explanation best completes this sentence?
Exercise complete!
out of 5 questions