Attack Surface Management vs Vulnerability Management

What is Vulnerability Management?

Vulnerability management is one of the many processes that make up an effective business security strategy. Teams identify possible weaknesses in a business's assets (networks, applications, etc.), then assess and prioritise those vulnerabilities with the aim of remediating or mitigating them, preventing security breaches and reducing overall risk.

There are a number of ways that organisations can implement vulnerability management:

  • Contracting third-party security auditors, penetration testers, or consultants.
  • Vulnerability scanning for automated detection.
  • In-house security teams dedicated to internal penetration testing or security reviews.

Third-party penetration testing is an excellent method of gaining an impartial “attacker’s perspective” view of your security posture through simulated attack scenarios. However, a penetration test is a snapshot of the environment at the time of testing, and it can become expensive or difficult to justify for smaller businesses, such as start-ups, or for those that undergo a constant rate of change.

Vulnerability scanning can be a relatively low-cost method of detecting and tracking known vulnerabilities. A scanner holds a repository of “checks” that it performs against each target asset to determine whether the asset, or the services it runs, is affected by a pre-existing, publicly known weakness. Because these checks are typically keyed on version banners and known signatures, a scanner only finds what it has a check for, and its results still need validating. Internal security teams that run regular vulnerability scans and remediate or mitigate the discovered weaknesses can nonetheless significantly reduce the risk of a security breach occurring.

One of the downsides of vulnerability scanning is that the scan results are often exported and shared internally as spreadsheets. If multiple teams are working on remediation, this workflow becomes cumbersome, conflicting edits creep in, and the information in these “offline” copies becomes difficult to read and to track over time.

What is Attack Surface Management?

Attack Surface Management (ASM) is an evolution of the vulnerability management process in which the aim is to continually discover, monitor, and then secure the possible entry points that an attacker may target. This can take the form of External Attack Surface Management (EASM), Internal Attack Surface Management (IASM), or both.

Proactively identifying security weaknesses (such as source code vulnerabilities, software misconfiguration, shadow IT, cloud service weaknesses, and more) as an integrated part of development pipelines and infrastructure provisioning brings these issues to your attention before attackers have the opportunity to exploit them.

Implementing an attack surface management workflow could include:

  • Utilising strict code reviews, testing, and/or CI/CD code scanning tools to identify weaknesses during the development process.
  • Port scanning perimeter networks from an external system to discover exposed services and track open services over time.
  • Running dynamic application security testing (DAST) software to detect application vulnerabilities at runtime (either authenticated or unauthenticated).
  • Auditing cloud services to track the resources actually deployed and compare them against the resources expected.
  • Replicating attacker/pentest style open-source intelligence gathering (OSINT) such as certificate transparency monitoring, search engine discovery, page scraping, and so forth.
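The two monitoring activities above, tracking exposed services over time and comparing discovered resources against expected ones, share the same core logic: diff the current picture against a baseline and surface anything new, missing, or unaccounted for. The following is an added example written for this page, not code from the original article or from any ASM product. It assumes each external port scan has already been parsed into a mapping of host to exposed services (for instance from nmap's XML output) and that an asset register lists the ports each host is intended to expose; the hosts, ports and services are constructed sample data.

```python
"""Track exposed services between scans and reconcile them with an asset register.

Added example, not code from the original article. It assumes each scan has
already been parsed into host -> {"port/proto": service} (for instance from
nmap's XML output) and that the asset register maps host -> set of ports the
business intends to expose. All hosts, ports and services below are constructed.
"""
from dataclasses import dataclass, field

Scan = dict[str, dict[str, str]]
Inventory = dict[str, set[str]]

# Constructed asset register: what the organisation believes it exposes.
EXPECTED: Inventory = {
    "203.0.113.10": {"443/tcp"},
    "203.0.113.11": {"22/tcp", "443/tcp"},
}

# Constructed results from two consecutive external scans.
SCAN_PREVIOUS: Scan = {
    "203.0.113.10": {"443/tcp": "https"},
    "203.0.113.11": {"22/tcp": "ssh", "443/tcp": "https"},
}
SCAN_CURRENT: Scan = {
    "203.0.113.10": {"443/tcp": "https", "8080/tcp": "http-proxy"},  # new service appeared
    "203.0.113.11": {"443/tcp": "https"},                             # ssh no longer exposed
    "203.0.113.42": {"3389/tcp": "ms-wbt-server"},                    # host not in the register
}


@dataclass
class ChangeReport:
    """What changed between two scans (tracking open services over time)."""
    opened: dict[str, set[str]] = field(default_factory=dict)
    closed: dict[str, set[str]] = field(default_factory=dict)
    new_hosts: set[str] = field(default_factory=set)
    gone_hosts: set[str] = field(default_factory=set)


@dataclass
class ExposureReport:
    """How the current scan compares with the asset register (expected vs discovered)."""
    unknown_hosts: dict[str, set[str]] = field(default_factory=dict)     # responding, not in register
    unexpected_ports: dict[str, set[str]] = field(default_factory=dict)  # known host, unplanned service
    missing_ports: dict[str, set[str]] = field(default_factory=dict)     # planned service not reachable


def diff_scans(previous: Scan, current: Scan) -> ChangeReport:
    report = ChangeReport(new_hosts=set(current) - set(previous),
                          gone_hosts=set(previous) - set(current))
    for host in set(previous) | set(current):
        before = set(previous.get(host, {}))
        after = set(current.get(host, {}))
        if after - before:
            report.opened[host] = after - before
        if before - after:
            report.closed[host] = before - after
    return report


def reconcile(scan: Scan, expected: Inventory) -> ExposureReport:
    report = ExposureReport()
    for host, services in scan.items():
        seen = set(services)
        if host not in expected:
            report.unknown_hosts[host] = seen            # candidate shadow IT
        elif seen - expected[host]:
            report.unexpected_ports[host] = seen - expected[host]
    for host, planned in expected.items():
        missing = planned - set(scan.get(host, {}))
        if missing:
            report.missing_ports[host] = missing         # drift the other way, or a blocked scan
    return report


def findings(previous: Scan, current: Scan, expected: Inventory) -> list[str]:
    """Flat, sorted list of findings so that successive runs can themselves be diffed."""
    changes = diff_scans(previous, current)
    exposure = reconcile(current, expected)
    out: list[str] = []
    out += [f"UNKNOWN HOST {h}: {sorted(p)}" for h, p in sorted(exposure.unknown_hosts.items())]
    out += [f"UNEXPECTED SERVICE {h}: {sorted(p)}" for h, p in sorted(exposure.unexpected_ports.items())]
    out += [f"MISSING SERVICE {h}: {sorted(p)}" for h, p in sorted(exposure.missing_ports.items())]
    out += [f"OPENED SINCE LAST SCAN {h}: {sorted(p)}" for h, p in sorted(changes.opened.items())]
    out += [f"CLOSED SINCE LAST SCAN {h}: {sorted(p)}" for h, p in sorted(changes.closed.items())]
    return out


if __name__ == "__main__":
    for line in findings(SCAN_PREVIOUS, SCAN_CURRENT, EXPECTED):
        print(line)
```

On the constructed data this reports the unregistered host with RDP exposed, the unplanned 8080/tcp service on a known host, and the SSH service that was expected but is no longer reachable. The last category deserves the same scrutiny as the first two: a service can disappear from a scan because it was decommissioned, but also because the scanner was rate-limited or blocked, so “missing” is a prompt to validate rather than a reason to remove the asset from the register.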

The goal of ASM is to understand the exposure of business assets and so begin to answer the question “What assets exist that I don’t know about, and how exposed are they?”.

What are the differences between Attack Surface Management and Vulnerability Management?

Though attack surface management and vulnerability management overlap, they answer different questions for an organisation. Vulnerability management is about identifying and remediating weaknesses in known assets, and about how teams collaborate to do so. Attack surface management focuses on discovering and monitoring, from an attacker’s point of view, both the business assets that are already known and those that may be unknown to the organisation.

Vulnerability management and attack surface management can work in parallel, covering both the reactive and the proactive approaches to cyber risk management.

Comparison of vulnerability management (VM) and attack surface management (ASM):

Primary Question
  • VM: “What vulnerabilities exist in our environment?”
  • ASM: “What does my organisation expose to the internet/internally?”

Perspective
  • VM: Defender-centric
  • ASM: Attacker-centric

Dependencies
  • VM: Assumes assets are already known and inventoried; relies on an accurate asset inventory.
  • ASM: Actively discovers unknown, forgotten, and unmanaged assets; builds and validates an asset inventory.

Scope
  • VM: Internal systems, externally facing systems, cloud services, applications
  • ASM: Primarily externally facing systems, cloud services, applications, and internal systems

Change Detection
  • VM: Point in time
  • ASM: Near real-time

Discovery
  • VM: Scheduled or periodic scanning/testing
  • ASM: Continuous automated discovery

Typical Output
  • VM: Vulnerability lists, PDFs, spreadsheets, severity scores, remediation tasks
  • ASM: Asset inventory, exposure details, risk context