From AI to the supply chain: Why reducing the attack surface is no longer an option
A presentation at Security Days Tokyo in in Tokyo, Japan by Anant Shrivastava
Reducing Your Attack Surface Is No Longer Optional Anant Shrivastava Founder Cyfinoid Research
About Cyfinoid ● Research focused cyber security firm ● Major focus areas as of now ● Software Supply Chain ● Web Applications ● Cloud Security https://cyfinoid.com/ © Cyfinoid Research 2
Anant Shrivastava ● Chief researcher @ Cyfinoid Research ● 15+ yrs of corporate exposure ● Speaker / Trainer: BlackHat, Defcon, c0c0n, nullcon & more ● Project Lead: ● ○ Code Vigilant (code review project) ○ Hacking Archives of India (@anantshri on social platforms) https://anantshri.info © Cyfinoid Research 3
How Developers use to write code A developer uses a Chrome extension to manipulate AI prompts, which are then fed into Visual Studio Code through a set of AI-driven code completion extensions. The resulting code is committed to GitHub, where a set of GitHub Actions automatically run analysis and tests. The code is then containerized into a Docker image, deployed on Kubernetes, running inside an EC2 instance, built from a specific AMI. © Cyfinoid Research 4
How developers now write code A developer uses an autonomous AI agent to write code by providing them a one liner prompt and full access to the command line. The resulting code is committed to GitHub, where a set of GitHub Actions automatically run analysis and tests. The code is then containerized into a Docker image, deployed on Kubernetes, running inside an EC2 instance, built from a specific AMI. © Cyfinoid Research 5
Things we all need to worry about Your Biz Dev / HR / Finance person gets an idea, downloads cursor/windsurf/AI IDE, pays for 1 month of subscription by personal card. Uses the IDE to develop the application. Does deployment per AI recommendation in personal vercel / railway or likes. Either get admin to CNAME to a url or just make a url available as direct url in documentation. © Cyfinoid Research 6
Attack Surface The attack surface is the total sum of all reachable ways an adversary can interact with your system : intentionally or unintentionally. • Code you write (endpoints, APIs, binaries) • Configurations you expose (network ports, IAM roles, CI/CD runners) • Data you store, process, or leak (logs, backups, analytics feeds) • Identities that can authenticate or impersonate (users, tokens, service accounts) • Dependencies and integrations you inherit (open-source, SaaS, AI models, APIs) © Cyfinoid Research 7
Current way of handling things • Patch after compromise • Add another scanner • Deploy more layers • Buy another dashboard • Monitor more alerts © Cyfinoid Research 8
Reality of Modern World • AI has lowered the barrier for attackers. • Supply chains are opaque and unmanageable. • Cloud and CI/CD systems now control everything. • Misconfigurations at abstraction layers bypass traditional defenses. © Cyfinoid Research 9
“AI is a multiplier. If you’re a +1 programmer, it can make you a +10. But if you’re at -1, you’re just amplifying bad decisions at scale.” https://blog.anantshri.info/a-rational-survival-guide-to-vibe-coding-with-ai © Cyfinoid Research 10
AI Effect Speed negates the need for efficiency • Faster development turnaround • More feature requests • Lesser testing time allocated • More bugs in the system • More bugs fixed coz of AI • Cycle repeats © Cyfinoid Research 11
AI hallucinating package names https://www.darkreading.com/application-security/ai-code-tools-widely-hallucinate-packages https://arxiv.org/pdf/2406.10279 © Cyfinoid Research 12
AI for Defensive Purposes https://www.darpa.mil/news/2025/aixcc-results © Cyfinoid Research 13
Software Supply Chain • We are about 80% dependent on others for all our software needs © Cyfinoid Research 14
Attack Surface Reduction Lets try a different approach © Cyfinoid Research 15
Attack Surface Reduction Manifesto • Build less. Expose less. Trust less. • The Attack Surface Reduction (ASR) Manifesto is a philosophy-first approach to building resilient systems through subtraction, not accumulation. • Rather than chasing visibility across growing complexity, we advocate for systems that are simpler, smaller, and inherently less attackable. reducetheattacksurface.com © Cyfinoid Research 16
Attack Surface Reduction • Minimal Footprint • More wood behind fewer doors • Less trust boundaries to exploit • Actively reducing the attack surface © Cyfinoid Research 17
Areas of Reduction • Software • Identify and Access Management • Infrastructure • Data © Cyfinoid Research 18
Software Reduction • 1. Minimize Features, APIs, and Endpoints • 2. Internal Reuse Over External Dependence • 3. Shrink Your Build and Toolchain • 4. Limit Codebase Blast Radius • 5. Hardening Through Simplicity © Cyfinoid Research 19
IAM Reduction • 1. Principle of Least Privilege • 2. Human Account Hygiene • 3. Service Identity Discipline • 4. Shadow Access Discovery • 5. Role Explosion Control • 6. Federated Identity Risks • 7. Secret Lifecycle ASR • 8. SaaS and Vendor Identity Exposure © Cyfinoid Research 20
Infrastructure Reduction • 1. Expose Nothing by Default • 2. Reduce Control Plane & Runtime Complexity • 3. Minimalism at the Image and Execution Level • 4. Prune Zombie Infra & Orphaned Services • 5. Reduce Lateral Movement Paths • 6. Runtime Cleanup & Reboot Culture • 7. Infrastructure-as-Code & Deployment Discipline © Cyfinoid Research 21
Data Reduction • 1. Collect Less Data by Default • 2. Reduce Data Retention • 3. Limit Data Propagation and Transformation • 4. Don’t Over-Engineer Analytics © Cyfinoid Research 22
How to convince management • Quantifiable outcome (show me the $$$$$) • Reduced assets results in reduced cost for • Ongoing operation • ongoing security on assets (Compliance formalities) • electricity • data traffic • Any per device license cost • For data : storage cost per mb is a good measure © Cyfinoid Research 23
What next? • Explore your environment • Identify non needed and non used entries • Reduce the attack surface • Revisit the manifesto @ reducetheattacksurface.com © Cyfinoid Research 24
Thanks for listening & open to Questions? NAME WEBSITE anant@cyfinoid.com EMAIL © Cyfinoid Research 25
Trainings & Research Web Application | Cloud | Supply Chain Trainings Attacking Software Supply Chain | Attacking Cloud Environments Contact us at contact@cyfinoid.com (C) Cyfinoid Research © Cyfinoid Research 26
AI lowers barriers for attackers, supply chains become more complex with invisible dependencies, and security incidents increasingly evade traditional defenses by exploiting misconfigurations and vulnerabilities in abstraction layers. This talk connects the dots between recent cyber trends, from LLM-driven reconnaissance to CI/CD abuse and cloud-based overexposure, and makes a compelling case for making attack surface reduction a fundamental security principle, not an afterthought. In a world of automated threat propagation and hidden risks, reducing exposure may be the most effective measure we can take.
Resources
The following resources were mentioned during the presentation or are useful additional information.
-
ReduceTheAttackSurface
Manifesto Website for Reducing the attack Surface
