Advanced Security #attack-surface #blast-radius #least-privilege #dependencies

Attack Surface

5 exercises — master attack surface vocabulary: what the attack surface is and how to reduce it, blast radius analysis, unprotected internal east-west APIs, legacy endpoint risk, and the priority level of privilege minimisation and dependency hygiene.

0 / 5 completed

Attack surface quick reference

Attack surface — sum of all entry/exit points an attacker can interact with: APIs, ports, inputs, privileged processes, dependencies, admin interfaces.
Attack surface reduction — remove unused ports/services/endpoints; restrict network access; least privilege; minimise dependencies.
Blast radius — maximum damage if a component is fully compromised; determined by its IAM permissions, network reachability, and secrets held.
East-west traffic — internal service-to-service traffic. Without mTLS + authorisation policies, a compromised service can freely call any other internal API.
Legacy endpoints — no monitoring, outdated auth, no security testing. Security through obscurity is not a control. Audit and remove them.
Privilege minimisation — least-privilege IAM roles, scoped DB users, no wildcard policies. Limits blast radius of any compromise.
Dependency hygiene — patch CVEs immediately; use Dependabot/Renovate; maintain SBOM; lock file every project.

1 / 5

A security architect says: "Before we can protect the system, we need to understand our attack surface. What's our attack surface, and why does reducing it matter?"

Attack surface — the attack surface is everything an attacker can interact with. Reducing it is one of the most cost-effective security improvements.

Attack surface categories:

Category	Examples	Reduction strategy
Network entry points	Open ports, protocols (SMTP, RDP, SSH), load balancer rules	Firewall allowlists; disable unused services; network segmentation
Application entry points	REST/GraphQL APIs, form inputs, file uploads, URL parameters	Input validation; rate limiting; authentication on all endpoints
Privileged processes	Root processes, SUID binaries, services running as admin	Least privilege; run as low-privilege user; drop capabilities after init
Admin / management interfaces	Admin dashboards, SSH, database consoles, cloud management APIs	Restrict to VPN/bastion; MFA; separate admin network
Third-party dependencies	npm packages, Docker base images, SDK integrations	Dependency auditing; pin versions; minimal base images
Human attack surface	Phishing targets, social engineering, privileged user accounts	Security awareness training; MFA; privileged access workstations

Why attack surface reduction is high-value:
Every removed entry point is a vulnerability you can never have — even if the code behind it had no bugs. Reducing attack surface is different from fixing vulnerabilities: it eliminates entire classes of attacks before they can be attempted.

Internal microservices DO contribute to attack surface:
• Lateral movement: if an attacker compromises one service, internal services reachable from that service become the next stage attack surface
• Supply chain attacks can compromise internal services directly (e.g., a dependency backdoor executing in the internal network)
• Each internal service-to-service call is a lateral movement opportunity; mTLS + service-to-service authorisation reduces internal attack surface

Key vocabulary:
• Attack surface — the sum of all entry/exit points, interfaces, and components an attacker can interact with or exploit
• Attack surface reduction — the practice of removing unnecessary functionality, closing unneeded ports/services, and minimising exposed interfaces
• Entry point — any interface through which an attacker can introduce input into the system
• Lateral movement — an attacker's progression from an initially compromised system to other systems within the network
• Least privilege — granting only the minimum permissions needed to perform a function; reduces the damage of any compromise

2 / 5

During a security review, an engineer asks: "How do we measure the blast radius of a compromise? If our payment service gets compromised, what can the attacker reach?"

Blast radius analysis — asking "if this component is compromised, what's the worst case?" is a powerful lens for prioritising security controls.

Blast radius analysis checklist for a microservice:

□ What database tables can this service's DB user SELECT/UPDATE/DELETE?
□ What AWS/Azure/GCP IAM role does this service run with?
  - Can it access S3 buckets beyond its own?
  - Can it assume other roles (sts:AssumeRole)?
  - Can it call other cloud services (SNS, SQS, Secrets Manager)?
□ What secrets are mounted/injected into this service?
  - API keys for third parties?
  - Credentials for other internal services?
□ What network routes exist from this service?
  - Can it reach other microservices directly?
  - Can it make outbound internet requests?
□ If the container is escaped, what host access exists?
  - Is it running privileged?
  - Are host volumes mounted?

Blast radius reduction techniques:
• Scoped IAM roles — payment service gets an IAM role with only the S3 prefix it needs; cannot access other services' buckets
• Database row-level security — each service's DB user can only access its own schemas/tables
• Secret scoping — API keys should have minimum permissions (e.g., a read-only Stripe key for the display layer, not the write key)
• Network policies — Kubernetes NetworkPolicy / AWS Security Groups restrict which services can communicate; internal network segmentation
• Egress restriction — services should only be able to make outbound calls to approved destinations; prevents data exfiltration to attacker-controlled hosts
• Container hardening — run as non-root, read-only filesystem, no privileged containers, drop all Linux capabilities then add back only needed

Example blast radius comparison:

Design	Blast radius if payment service compromised
Bad (overpermissioned)	Full DB access, all S3 buckets, all secrets, outbound internet, all services reachable
Good (scoped)	Payment DB only, payment S3 prefix only, own secrets only, egress to payment gateway only, isolated network namespace

Key vocabulary:
• Blast radius — the maximum damage achievable if a specific component is fully compromised; determined by its access, permissions, and network reachability
• IAM role scoping — assigning the minimum cloud IAM permissions a service needs; limits blast radius to only the resources the service legitimately accesses
• Egress restriction — blocking outbound network connections from a service to anything other than approved destinations; prevents data exfiltration
• Secret scoping — using separate API keys/credentials with minimum permissions for each service rather than shared high-privilege credentials

3 / 5

A cloud architect presents a new microservices design and says: "Every service is exposed as an internal REST API. The services call each other directly — no service mesh, no API gateway for internal traffic."

A security engineer raises concerns about internal attack surface. What is the core concern?

East-west (internal service-to-service) traffic is as important to secure as north-south (external) traffic. Unprotected internal APIs assume perfect perimeter security — a dangerous assumption.

Internal attack surface without service mesh:

Attacker compromises: notification-service
Notification service can call:
  → payment-service /process (no auth check — it's "internal")
  → user-service /users/{id} (dump all users)
  → admin-service /config (change system configuration)
  → order-service /orders (read all orders)
  
Without service mesh: ALL of these calls succeed.
The attacker has moved from a low-value notification service
to full system access.

Service mesh security capabilities:
• Mutual TLS (mTLS) — every service-to-service call is authenticated with certificates; services prove their identity to each other
• Authorisation policies — e.g., "payment-service can call order-service /orders GET, but notification-service cannot"
• Circuit breaking — limits blast radius of a compromised service flooding downstream services
• Observability — every internal call is traced; anomalous call patterns (notification-service calling payment-service) trigger alerts

Alternative: internal API gateway approach
Route all internal service-to-service calls through an internal API gateway that enforces: • Service identity (API key or mTLS certificate)
• Authorisation policies per service pair
• Rate limiting (prevents one compromised service from flooding another)
• Request logging for forensics

Zero-trust east-west model:
Each service assumes it may be reached by a compromised caller. Every API call requires: (1) authenticated identity (who is calling?), (2) authorised action (is this caller allowed to do this?), (3) minimum data response (return only what the caller needs). This is zero-trust applied to internal traffic.

Key vocabulary:
• East-west traffic — network traffic between services within the same data centre or cluster; as opposed to north-south (external traffic)
• Service mesh — infrastructure layer for service-to-service communication providing mTLS, authorisation, tracing, and traffic management; examples: Istio, Linkerd, Consul Connect
• mTLS (mutual TLS) — TLS where both client and server authenticate each other with certificates; used for service-to-service identity verification
• Zero-trust east-west — applying zero-trust principles to internal traffic: every internal API call must be authenticated and authorised, regardless of network location

4 / 5

A new developer joins the team and asks: "We have a lot of legacy endpoints in the API that nobody seems to use anymore. My manager says to leave them in for backward compatibility. From a security perspective, is that OK?"

Legacy endpoints are high-risk attack surface because they combine: lack of visibility (nobody monitors them), outdated controls (built before current security standards), and potential exploitability (old vulnerabilities that were never patched because nobody thought to).

Why "nobody uses it" is not a safety argument:
• Attackers use scanners and historical API documentation to discover endpoints
• Web Archive (archive.org/Wayback Machine) preserves old API documentation permanently
• Source code repositories may have leaked the endpoint paths publicly (GitHub commit history)
• Internal tools or scripts you're not aware of may still use the endpoint (dependency tracking problem)
• Compliance auditors will flag unmonitored, untested endpoints regardless of usage level

Legacy endpoint risk factors:

Risk factor	Why legacy endpoints have this risk
No active monitoring	Alerts and dashboards focus on current endpoints; attacks to legacy endpoints go undetected
Outdated auth	May use older session tokens, API keys with no expiry, or no auth at all
No security regression testing	Not included in current security test suites; unpatched vulnerabilities remain
No rate limiting	Often added to new endpoints; legacy endpoints may pre-date rate limiting infrastructure

Recommended handling:
1. Audit — use API gateway logs to identify endpoints with zero traffic in the last 90 days
2. Validate — check with stakeholders whether any downstream consumers still use the endpoint
3. Deprecate formally — set a deprecation date; notify consumers (if any)
4. Remove when the deprecation window passes; a 404 is better than an unmonitored endpoint
5. Interim security hardening if immediate removal is impossible: add authentication, add rate limiting, add monitoring alerts

Security through obscurity fallacy:
A security control that relies only on an attacker not knowing something (undocumented endpoint, obscure API path, proprietary algorithm) is not a valid security control. Obscurity may delay an attacker by hours; authentication, authorisation, and validation stop them regardless of discovery.

Key vocabulary:
• Dead code / legacy endpoint — functionality that is no longer part of the intended product but remains in the codebase; represents unmaintained attack surface
• Security through obscurity — a flawed approach to security that relies on hiding information rather than implementing authentication/authorisation controls
• API surface audit — systematic enumeration of all live API endpoints, their authentication requirements, and traffic patterns; identifies unused and undocumented endpoints
• Endpoint deprecation — formal process of announcing an endpoint will be removed, with timeline and consumer migration support; part of responsible API lifecycle management

5 / 5

A security engineer says: "We can significantly reduce our attack surface by applying privilege minimisation and dependency hygiene — but we're treating this as optional nice-to-have work. Is that the right priority level?"

Privilege minimisation and dependency hygiene are not "nice to have" — they are foundational controls that prevent the most common attack classes that lead to breaches.

Why overprivilege enables real breaches:
• CVE-2019-3403 (Confluence server): attacker exploited app server with admin IAM role → dumped all S3 buckets in the account
• Capital One breach (2019): SSRF vulnerability + overprivileged EC2 metadata role → attacker exfiltrated 100M credit card records
• Pattern: vulnerability provides code execution; privilege determines impact. Reducing privilege limits damage even when vulnerabilities exist.

Dependency hygiene failures leading to real breaches:
• Log4Shell (CVE-2021-44228): JNDI injection in log4j 2.x → remote code execution; affected millions of Java applications using the vulnerable version
• XZ Utils backdoor (2024): malicious maintainer compromised supply chain of widely-used compression library
• npm typosquatting: hundreds of packages with names ≈ popular packages with added malware
• Attackers actively scan GitHub for organisations using recently-published vulnerable dependency versions

Priority framework for attack surface work:

Activity	Priority	Why
Patch known critical vulnerabilities in deps	Immediate	Active exploit kits available; scanners deploy these in hours
Remove wildcard IAM policies	High	Any compromise of an overprivileged service = maximum blast radius
Dependency version pinning + automated updates	High	Supply chain attacks exploit unlocked transitive deps
Remove legacy/unused endpoints and services	Medium-high	Discovered by automated scanners; unmonitored = undetected attack

Making dependency hygiene systematic:
• Dependabot / Renovate: automated PRs when dependencies have new versions or known CVEs
• Software Bill of Materials (SBOM): machine-readable inventory of all dependencies for rapid assessment of new CVEs
• Lock files (package-lock.json, poetry.lock): prevent transitive dependency version drift
• Container image scanning: Trivy, Snyk, AWS ECR scanning for OS-level CVEs in base images

Key vocabulary:
• Privilege minimisation — the practice of granting the minimum permissions necessary to each service, user, and process; reduces blast radius
• Dependency hygiene — maintaining up-to-date, reviewed, and unpinned-free dependencies; prevents supply chain attacks via known vulnerabilities
• SBOM (Software Bill of Materials) — a machine-readable inventory of all software components and dependencies in a system; enables rapid vulnerability assessment
• Wildcard IAM policy — an overly broad cloud permission (e.g., s3:* or *:*) that grants far more access than needed; a common source of excessive blast radius
• Supply chain attack — an attack that compromises a software dependency, build tool, or distribution mechanism used by the target, rather than attacking the target directly