Attack surface management (ASM) is a somewhat confusing topic that starts with a fundamental question: What exactly is the attack surface? In reality, it’s everything—internal assets, external corporate assets, third-party assets, people, everything. That said, the emerging attack surface management category focuses on internet-facing assets alone. Hmm, just another day in the perplexing cybersecurity realm.
Now, just because attack surface management tools track only internet-facing assets doesn’t make ASM easy. Large organization often have thousands, tens of thousands, or more internet-facing assets, including websites, sensitive data, employee credentials, cloud workloads, S3 buckets, source code fragments, SSL certificates, and so on.