Bhushan B. Gupta

Gupta Consulting (USA)

Targeting the Attack Surface to Improve Web Application Security and Safety

Web application security encompasses data Confidentiality, Integrity, and Availability (CIA). In general, and especially in the healthcare industry, the data can be Personally Identifiable Information (PII), health records, or any other entity that is a valuable target to the hacker. In the case of health data there has been a significant rise in ransomware attacks, compromising security and therefore the safety of everyone involved. A breach in healthcare data can lead to a misdiagnosis by a doctor, inaccurate dispensing of medicine by a nurse, or a wrong prescription by a pharmacist, jeopardizing the patient's safety because the patient's records have been hijacked or their integrity has been compromised.


Not all the data elements stored by an application are valuable targets to a hacker. The security of an application is represented by the vulnerability of these targets and can be quantified by estimating the attack surface.


Existing threat modeling methods such as STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege) and tools such as ZAP (Zed Attack Proxy) are capable of analyzing the vulnerability of your application. Most of these techniques are based upon the technology used to build the site and the overall characteristics of the site. However, they do not approach the attack surface using the concept of targets and the attack vectors a hacker can pursue.


A robust approach, as presented in this talk, is to understand the target value of the data an application contains. In light of the 80/20 Pareto Principle and the evergreen truth that there is never enough time, this presentation discusses an approach where the targets are examined and ranked by value on a linear scale. Once the targets have been ranked, an estimate of the penetration effort is made by considering the enablers of penetration, the channels available to the hacker, and the controls (or the lack thereof), in order to quantify the attack surface. This method is not only flexible, in that algorithms other than linear ranking can be used, but also scalable, especially for agile development, where the attack surface can be measured iteration by iteration and release by release, thereby continually improving the application's security. The presentation illustrates the approach by example and includes a discussion of the data and system processes that strengthen the safety that can be compromised by a security breach.
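The abstract gives only the ingredients of the estimate (a linear value rank per target; enablers, channels and controls feeding a penetration-effort estimate; a Pareto cut; a per-iteration measurement). The script below is an added example written for this page, not the speaker's method or tooling: the exposure formula (enablers plus channels minus controls), the 1..10 value scale, and the clinic-portal inventory are all assumptions chosen to make the workflow concrete, and the numbers it produces carry no meaning beyond the example.

```python
"""Toy attack-surface estimate built from ranked data targets.

Added example for this page; it is not Gupta's method. The linear value
scale follows the abstract, but the exposure formula (enablers + channels
- controls) and the sample targets are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Target:
    name: str
    value: int                       # target value on a linear 1..10 scale (assumed)
    enablers: tuple[str, ...] = ()   # weaknesses that make penetration easier
    channels: tuple[str, ...] = ()   # paths an attacker can reach the target by
    controls: tuple[str, ...] = ()   # mitigations in place


def exposure(t: Target) -> int:
    """Assumed penetration-effort proxy: each enabler and channel adds one
    unit, each control offsets one unit, and the result never goes below 0."""
    return max(0, len(t.enablers) + len(t.channels) - len(t.controls))


def contribution(t: Target) -> int:
    """A target's share of the attack surface: value weighted by exposure."""
    return t.value * exposure(t)


def attack_surface(targets: list[Target]) -> int:
    """Total attack surface for one iteration or release."""
    return sum(contribution(t) for t in targets)


def pareto_targets(targets: list[Target], share: float = 0.8) -> list[str]:
    """Names of the highest-contributing targets that together account for
    at least `share` of the total surface (the 80/20 cut from the abstract)."""
    total = attack_surface(targets)
    if total == 0:
        return []
    chosen, running = [], 0
    for t in sorted(targets, key=contribution, reverse=True):
        chosen.append(t.name)
        running += contribution(t)
        if running >= share * total:
            break
    return chosen


def iteration_delta(before: list[Target], after: list[Target]) -> int:
    """Change in attack surface between two iterations (negative is better)."""
    return attack_surface(after) - attack_surface(before)


# Constructed sample inventory for a hypothetical clinic portal.
BASELINE = [
    Target("patient_records", 10,
           enablers=("unvalidated search parameter", "verbose database errors"),
           channels=("public REST API", "clinician portal"),
           controls=("parameterized queries",)),
    Target("prescriptions", 9,
           enablers=("sequential record identifiers",),
           channels=("pharmacy portal",)),
    Target("appointment_calendar", 4,
           channels=("public web",),
           controls=("rate limiting",)),
    Target("ui_theme_preference", 1,
           enablers=("stored in an unsigned cookie",),
           channels=("browser",)),
]

# Next iteration: two new controls on the highest-value target, nothing else changed.
ITERATION_2 = [
    replace(BASELINE[0], controls=BASELINE[0].controls
            + ("per-record authorization check", "generic error pages")),
    *BASELINE[1:],
]


if __name__ == "__main__":
    for label, inventory in (("baseline", BASELINE), ("iteration 2", ITERATION_2)):
        print(f"{label}: surface={attack_surface(inventory)} "
              f"pareto={pareto_targets(inventory)}")
    print("delta:", iteration_delta(BASELINE, ITERATION_2))
```

Running it shows the two mechanics the abstract relies on: the Pareto cut isolates the two records-bearing targets as the ones worth the team's limited time, and re-running the same estimate after one iteration's worth of controls gives a single number (the delta) that can be tracked release by release. Swapping `exposure` for a weighted or non-linear variant is the "algorithms other than linear ranking" flexibility the abstract mentions.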

Bhushan B. Gupta

An international speaker, a proven champion for quality, well versed in software quality engineering, and a WebApp security researcher, Bhushan is the principal consultant at Gupta Consulting, LLC. In WebApp security his research areas are: infusing security into the SDLC, the OWASP Top 10, risk analysis and mitigation, attack surface measurement, and static and dynamic application security analysis. As a leader of the Open Web Application Security Project (OWASP) Portland Chapter, he is dedicated to driving web application security to higher levels via technical education and training. Bhushan often provides training workshops and presentations to corporations and non-profit organizations. He is also an invited speaker and panelist in discussions on both application security and agile software development. Bhushan serves as a board member of the Pacific Northwest Software Quality Conference and was the Program Chair for PNSQC 2022. He has also been a member of the program team for the OWASP Global AppSec Conference 2020.