Attack Surface Management vs Vulnerability Management

Understanding and comparing Attack Surface Management with Vulnerability Management and how both are vital to a business cyber security workflow.

What is Vulnerability Management?

Vulnerability management is one of the many processes that make up an effective business security strategy. Through the identification of possible weaknesses within a business’ assets (networks, applications, etc.), teams then assess and prioritise these vulnerabilities with the aim of remediating and/or mitigating them to prevent security breaches and reduce overall risk.

There are a number of ways that organisations can implement vulnerability management:

  • Contracting third-party security auditors, penetration testers, or consultants.
  • Vulnerability scanning for automated detection.
  • In-house security teams dedicated to internal penetration testing or security reviews.

Third-party penetration testing is an excellent method of gaining an impartial “attacker’s perspective” view of your security posture through simulated attack scenarios. However, this can become expensive or difficult to justify for smaller businesses, such as start-ups, or for those that undergo a constant rate of change.

Vulnerability scanning can be a relatively low-cost method of detecting and tracking known vulnerabilities. A scanner holds a repository of “checks” that it performs against each target asset to determine whether the asset, or the services it runs, are vulnerable to pre-existing, already-documented weaknesses. Internal security teams that run regular vulnerability scans and remediate or mitigate the discovered weaknesses can significantly reduce the risk of security breaches occurring.
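To make the “repository of checks” idea concrete, here is a minimal check-matching and prioritisation routine. It is an added example written for this page, not Attack Surface Center code or any real scanner’s check database: the check identifiers (CHK-0001 and so on), the affected services, the version numbers and the two scanned hosts are all constructed placeholders, and the severity values are CVSS-like scores used only to order the remediation queue.

```python
"""Minimal vulnerability-check matching against discovered services.

Added example (not Attack Surface Center code). A scanner keeps a repository
of checks; each check names a service and the first version that is no longer
affected. Every identifier, service, version and host below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings.

    Non-numeric suffixes such as '9.1p1' collapse to their digits (9, 1, 1); real
    scanners need vendor-specific rules here, and this is where false positives arise.
    """
    return tuple(int(part) for part in re.findall(r"\d+", text))


@dataclass(frozen=True)
class Check:
    check_id: str      # constructed placeholder, not a real advisory number
    service: str       # service name as reported by the scan, e.g. "openssh"
    fixed_in: str      # first version that is no longer affected
    severity: float    # CVSS-like score, used only for prioritisation
    description: str


@dataclass(frozen=True)
class DiscoveredService:
    host: str
    port: int
    service: str
    version: str


@dataclass(frozen=True)
class Finding:
    check_id: str
    host: str
    port: int
    severity: float
    description: str


# Constructed check repository: the shape a scanner holds, not real advisories.
CHECKS: List[Check] = [
    Check("CHK-0001", "openssh", "9.3", 7.5, "placeholder: authentication weakness"),
    Check("CHK-0002", "nginx", "1.25.0", 5.3, "placeholder: information disclosure"),
    Check("CHK-0003", "nginx", "1.24.0", 9.8, "placeholder: remote code execution"),
]

# Constructed scan output for two hosts.
SAMPLE_INVENTORY: List[DiscoveredService] = [
    DiscoveredService("10.0.0.5", 22, "openssh", "9.1"),
    DiscoveredService("10.0.0.5", 443, "nginx", "1.25.2"),
    DiscoveredService("10.0.0.9", 80, "nginx", "1.22.1"),
]


def is_affected(check: Check, svc: DiscoveredService) -> bool:
    """A service is affected when the check targets it and its version predates the fix."""
    if check.service != svc.service:
        return False
    return parse_version(svc.version) < parse_version(check.fixed_in)


def run_checks(inventory: List[DiscoveredService],
               checks: List[Check] = CHECKS) -> List[Finding]:
    """Apply every check to every discovered service; return findings, highest severity first."""
    findings = [
        Finding(c.check_id, s.host, s.port, c.severity, c.description)
        for s in inventory
        for c in checks
        if is_affected(c, s)
    ]
    # Highest severity first, then host and port, so the remediation queue is stable.
    findings.sort(key=lambda f: (-f.severity, f.host, f.port))
    return findings


if __name__ == "__main__":
    for f in run_checks(SAMPLE_INVENTORY):
        print(f"{f.severity:>4}  {f.check_id}  {f.host}:{f.port}  {f.description}")
```

On the constructed inventory this yields three findings: the nginx 1.22.1 host matches both nginx checks, the openssh host matches the openssh check, and nginx 1.25.2 matches nothing because it is at or past every fix. The version comparison is deliberately simple; in practice, distribution backports and vendor version suffixes are the main source of scanner false positives, which is one reason scan output still needs human assessment before remediation tasks are raised.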

One of the downsides of vulnerability scanning is that scan results are often exported or downloaded and shared internally within the business as spreadsheets. If multiple teams are working on remediating issues, this workflow can become cumbersome and prone to conflicts, and the information in these “offline” copies can be difficult to read and track over time.

What is Attack Surface Management?

Attack Surface Management (ASM) is an evolution of the vulnerability management process, where the aim is to continually discover, monitor, and then secure the possible entry points that an attacker may target. This can take the form of External Attack Surface Management (EASM) and/or Internal Attack Surface Management (IASM).

Proactively identifying security vulnerabilities (such as source code vulnerabilities, software misconfiguration, shadow IT, cloud services weaknesses, and more) as an integrated process, through development pipelines and the provisioning of infrastructure, can bring awareness of these issues to you before attackers have the opportunity to exploit them.

Implementing an attack surface management workflow could include:

  • Utilising strict code reviews, testing, and/or CI/CD code scanning tools to identify weaknesses during the development process.
  • Port scanning perimeter networks from an external system to discover exposed services and track open services over time.
  • Running dynamic application security testing (DAST) software to detect application vulnerabilities at runtime (either authenticated or unauthenticated).
  • Auditing cloud services to track and compare discovered and expected resources.
  • Replicating attacker/pentest-style open-source intelligence gathering (OSINT) such as certificate transparency monitoring, search engine discovery, page scraping, and so forth.

The goal of ASM is to understand the exposure of business assets to start to answer the question “What assets exist that I don’t know about and how exposed are they?”.
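Two of the activities listed above, tracking open services over time and comparing discovered resources against the expected inventory, reduce to the same operation: diff the current discovery snapshot against the previous one and against what the organisation believes it owns. The following is an added example written for this page, not Attack Surface Center code; the hostnames, ports and the “expected” inventory are constructed, and in practice the snapshots would come from an external port scan and OSINT feeds rather than being typed in.

```python
"""Exposure drift and inventory reconciliation over discovery snapshots.

Added example (not Attack Surface Center code). A snapshot is the set of
(host, port, service) tuples seen from outside the perimeter on one run;
the expected inventory is what the organisation believes it owns. All
hostnames, ports and services below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

Exposure = Tuple[str, int, str]   # (host, port, service) as discovered externally


@dataclass
class DriftReport:
    newly_exposed: Set[Exposure] = field(default_factory=set)
    no_longer_exposed: Set[Exposure] = field(default_factory=set)
    unknown_hosts: Set[str] = field(default_factory=set)          # discovered, not inventoried
    unreachable_expected: Set[str] = field(default_factory=set)   # inventoried, not discovered


def compare_snapshots(previous: Set[Exposure], current: Set[Exposure],
                      expected_hosts: Set[str]) -> DriftReport:
    """Diff two discovery runs and reconcile the current one against the asset inventory."""
    report = DriftReport()
    report.newly_exposed = current - previous
    report.no_longer_exposed = previous - current
    discovered_hosts = {host for host, _, _ in current}
    report.unknown_hosts = discovered_hosts - expected_hosts
    report.unreachable_expected = expected_hosts - discovered_hosts
    return report


def triage(report: DriftReport) -> List[Tuple[int, Exposure]]:
    """Rank new exposures: services on unknown hosts first (nobody owns them), then the rest."""
    ranked = [
        (1 if exposure[0] in report.unknown_hosts else 2, exposure)
        for exposure in report.newly_exposed
    ]
    ranked.sort()
    return ranked


# Constructed snapshot from the previous discovery run.
PREVIOUS_SNAPSHOT: Set[Exposure] = {
    ("www.example.com", 443, "https"),
    ("mail.example.com", 25, "smtp"),
    ("mail.example.com", 443, "https"),
}

# Constructed snapshot from the current run: a database port has appeared on a
# known host, webmail has been closed, and a staging host nobody inventoried is live.
CURRENT_SNAPSHOT: Set[Exposure] = {
    ("www.example.com", 443, "https"),
    ("www.example.com", 3306, "mysql"),
    ("mail.example.com", 25, "smtp"),
    ("staging.example.com", 8080, "http"),
}

# Constructed inventory: what the organisation believes it exposes.
EXPECTED_HOSTS: Set[str] = {"www.example.com", "mail.example.com", "vpn.example.com"}


if __name__ == "__main__":
    report = compare_snapshots(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT, EXPECTED_HOSTS)
    for priority, (host, port, service) in triage(report):
        print(f"P{priority}  new exposure  {host}:{port} ({service})")
    for host, port, service in sorted(report.no_longer_exposed):
        print(f"    closed        {host}:{port} ({service})")
    for host in sorted(report.unknown_hosts):
        print(f"    unknown host  {host}")
    for host in sorted(report.unreachable_expected):
        print(f"    not seen      {host}")
```

The report answers the question posed above in two halves: `unknown_hosts` is the “assets I don’t know about” list, and `newly_exposed` is the “how exposed are they” list, with the unowned staging host ranked ahead of the new database port on a known host because there is no team to hand it to. `unreachable_expected` is worth keeping as well; an inventoried host that discovery no longer sees is either decommissioned (update the inventory) or being scanned from the wrong vantage point (fix the discovery), and both are inventory-quality problems rather than vulnerabilities.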

What are the differences between Attack Surface Management and Vulnerability Management?

Though attack surface management and vulnerability management have some overlap, their purposes address different questions for an organisation. Vulnerability management is about identifying and remediating weaknesses in known assets, and about how teams collaborate to achieve this. Attack surface management focuses on discovering and monitoring, from an attacker’s point of view, both the business assets that are already known and those that may be unknown to the organisation.

Vulnerability management and attack surface management can work in parallel, covering both the reactive and the proactive approaches to cyber risk management.

Primary Question
  • Vulnerability Management: “What vulnerabilities exist in our environment?”
  • Attack Surface Management: “What does my organisation expose to the internet/internally?”

Perspective
  • Vulnerability Management: Defender-centric
  • Attack Surface Management: Attacker-centric

Dependencies
  • Vulnerability Management: Assumes assets are already known and inventoried. Relies on an accurate asset inventory.
  • Attack Surface Management: Actively discovers unknown, forgotten, and unmanaged assets. Builds and validates an asset inventory.

Scope
  • Vulnerability Management: Internal systems, externally facing systems, cloud services, applications
  • Attack Surface Management: Primarily externally facing systems, cloud services, applications, and internal systems

Change Detection
  • Vulnerability Management: Point in time
  • Attack Surface Management: Near real-time

Discovery
  • Vulnerability Management: Scheduled or periodic scanning/testing
  • Attack Surface Management: Continuous automated discovery

Typical Output
  • Vulnerability Management: Vulnerability lists, PDFs, spreadsheets, severity scores, remediation tasks
  • Attack Surface Management: Asset inventory, exposure details, risk context

How can the Attack Surface Center help?

The Attack Surface Center is a platform purpose-built to support organisations’ understanding and improvement of their security posture by providing the tools you need to perform both vulnerability management and attack surface management. By bringing together common features such as vulnerability scanning with asset discovery, you can start to piece together your understanding of your organisation’s exposure.

Furthermore, your teams no longer need to work in isolation to achieve the goal of improving security; through the Risk Register you can log, track, and work collaboratively to understand and reduce business risk.

Security and IT teams will benefit from the Attack Surface Map, which visualises the exposure of assets and services both internally and externally, with the ability to highlight those assets that are most at risk.

See our individual feature pages below for more information:

Asset Management

Create, manage, and monitor your organisation’s assets and their risk impact, with automated discovery tools.

Vulnerability Management

Create and manage vulnerabilities, review and track remediation progress collaboratively.

Custom Reporting and Assessments

Create penetration test reports, or generate custom reports with AI assistance.

Attack Chain Mapping

Map your cyber kill chain and graph the relationships between vulnerabilities, assets, and risks.

Attack Surface Map

Visualise your attack surface with an interactive map of your asset environments.

Risk Register

Take control of your business risks with your own secure risk register.

Task Management

Create and assign security tasks, track their progress, and work collaboratively.

Vulnerability Scanning

Schedule your own network and vulnerability scans, or automate passive discovery of your assets.

Automated Discovery

Use the in-built discovery features to automatically identify and enumerate assets and potential risks to your attack surface.

Integrations

Connect to your existing tools and services to enhance your security management capabilities.

Powered by a single platform

Starting from £99 / month.
