SA-11(6): Attack Surface Reviews

CSF v1.1 References:


(Not part of any baseline)

Previous Version:

Control Statement

Require the developer of the system, system component, or system service to perform attack surface reviews.

Supplemental Guidance

Attack surfaces of systems and system components are exposed areas that make those systems more vulnerable to attacks. Attack surfaces include any accessible areas where weaknesses or deficiencies in the hardware, software, and firmware components provide opportunities for adversaries to exploit vulnerabilities. Attack surface reviews ensure that developers analyze the design and implementation changes to systems and mitigate attack vectors generated as a result of the changes. The correction of identified flaws includes deprecation of unsafe functions.