Reducing Your Attack Surface Is No Longer Optional
Anant Shrivastava
Founder, Cyfinoid Research

About Cyfinoid
● Research focused cyber security firm
● Major focus areas as of now
  ● Software Supply Chain
  ● Web Applications
  ● Cloud Security
https://cyfinoid.com/
© Cyfinoid Research

Anant Shrivastava
● Chief researcher @ Cyfinoid Research
● 15+ yrs of corporate exposure
● Speaker / Trainer: BlackHat, Defcon, c0c0n, nullcon & more
● Project Lead:
  ○ Code Vigilant (code review project)
  ○ Hacking Archives of India (@anantshri on social platforms)
https://anantshri.info

How developers used to write code
A developer uses a Chrome extension to manipulate AI prompts, which are then fed into Visual Studio Code through a set of AI-driven code completion extensions. The resulting code is committed to GitHub, where a set of GitHub Actions automatically run analysis and tests. The code is then containerized into a Docker image and deployed on Kubernetes, running inside an EC2 instance built from a specific AMI.

How developers now write code
A developer uses an autonomous AI agent to write code by giving it a one-line prompt and full access to the command line. The resulting code is committed to GitHub, where a set of GitHub Actions automatically run analysis and tests. The code is then containerized into a Docker image and deployed on Kubernetes, running inside an EC2 instance built from a specific AMI.

Things we all need to worry about
Your Biz Dev / HR / Finance person gets an idea, downloads Cursor / Windsurf / another AI IDE, and pays for 1 month of subscription with a personal card. They use the IDE to develop the application, then deploy it per the AI's recommendation to a personal Vercel / Railway account or the like. They either get an admin to CNAME to the URL or just publish the direct URL in documentation.
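One way to look for the CNAME case described above, as an added example that is not from the talk: scan a zone export for CNAME records that point at hosting platforms the organisation has not sanctioned. The suffix list, the zone contents and the `find_shadow_cnames` helper are assumptions constructed for illustration.

```python
import re

# Assumption: hosting platforms this organisation has NOT approved.
# Vercel and Railway come from the slide; extend the tuple with your own list.
UNSANCTIONED_SUFFIXES = ("vercel.app", "vercel-dns.com", "railway.app")

# Constructed sample zone export (BIND style); example.com is a placeholder.
SAMPLE_ZONE = """\
$ORIGIN example.com.
www        3600 IN CNAME  lb.example.com.
hr-portal  300  IN CNAME  cname.vercel-dns.com.   ; added by request, no ticket
leads      300  IN CNAME  leads-tool-production.up.railway.app.
mail       3600 IN A      192.0.2.10
docs       3600 IN CNAME  docs.example.net.
"""

# name [ttl] [IN] CNAME target
RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.I)


def find_shadow_cnames(zone_text, suffixes=UNSANCTIONED_SUFFIXES):
    """Return (name, target, suffix) for CNAMEs that leave to unsanctioned hosts."""
    findings = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        match = RECORD.match(line)
        if not match:
            continue
        name = match.group(1)
        target = match.group(2).rstrip(".").lower()
        for suffix in suffixes:
            # Match on a label boundary so "notvercel.app" is not flagged.
            if target == suffix or target.endswith("." + suffix):
                findings.append((name, target, suffix))
                break
    return findings


if __name__ == "__main__":
    for name, target, suffix in find_shadow_cnames(SAMPLE_ZONE):
        print(f"{name}: CNAME -> {target} (unsanctioned platform: {suffix})")
```

The direct-URL path the slide mentions leaves no DNS record in your zone, so this check covers only the CNAME case.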

Attack Surface
The attack surface is the total sum of all reachable ways an adversary can interact with your system: intentionally or unintentionally.
• Code you write (endpoints, APIs, binaries)
• Configurations you expose (network ports, IAM roles, CI/CD runners)
• Data you store, process, or leak (logs, backups, analytics feeds)
• Identities that can authenticate or impersonate (users, tokens, service accounts)
• Dependencies and integrations you inherit (open-source, SaaS, AI models, APIs)

Current way of handling things
• Patch after compromise
• Add another scanner
• Deploy more layers
• Buy another dashboard
• Monitor more alerts

Reality of Modern World
• AI has lowered the barrier for attackers.
• Supply chains are opaque and unmanageable.
• Cloud and CI/CD systems now control everything.
• Misconfigurations at abstraction layers bypass traditional defenses.

“AI is a multiplier. If you’re a +1 programmer, it can make you a +10. But if you’re at -1, you’re just amplifying bad decisions at scale.”
https://blog.anantshri.info/a-rational-survival-guide-to-vibe-coding-with-ai

AI Effect
Speed negates the need for efficiency
• Faster development turnaround
• More feature requests
• Less testing time allocated
• More bugs in the system
• More bugs fixed because of AI
• Cycle repeats

AI hallucinating package names
https://www.darkreading.com/application-security/ai-code-tools-widely-hallucinate-packages
https://arxiv.org/pdf/2406.10279

AI for Defensive Purposes
https://www.darpa.mil/news/2025/aixcc-results

Software Supply Chain
• We are about 80% dependent on others for all our software needs

Attack Surface Reduction
Let's try a different approach

Attack Surface Reduction Manifesto
• Build less. Expose less. Trust less.
• The Attack Surface Reduction (ASR) Manifesto is a philosophy-first approach to building resilient systems through subtraction, not accumulation.
• Rather than chasing visibility across growing complexity, we advocate for systems that are simpler, smaller, and inherently less attackable.
reducetheattacksurface.com

Attack Surface Reduction
• Minimal Footprint
• More wood behind fewer doors
• Fewer trust boundaries to exploit
• Actively reducing the attack surface

Areas of Reduction
• Software
• Identity and Access Management
• Infrastructure
• Data

Software Reduction
1. Minimize Features, APIs, and Endpoints
2. Internal Reuse Over External Dependence
3. Shrink Your Build and Toolchain
4. Limit Codebase Blast Radius
5. Hardening Through Simplicity

IAM Reduction
1. Principle of Least Privilege
2. Human Account Hygiene
3. Service Identity Discipline
4. Shadow Access Discovery
5. Role Explosion Control
6. Federated Identity Risks
7. Secret Lifecycle ASR
8. SaaS and Vendor Identity Exposure

Infrastructure Reduction
1. Expose Nothing by Default
2. Reduce Control Plane & Runtime Complexity
3. Minimalism at the Image and Execution Level
4. Prune Zombie Infra & Orphaned Services
5. Reduce Lateral Movement Paths
6. Runtime Cleanup & Reboot Culture
7. Infrastructure-as-Code & Deployment Discipline

Data Reduction
1. Collect Less Data by Default
2. Reduce Data Retention
3. Limit Data Propagation and Transformation
4. Don’t Over-Engineer Analytics

How to convince management
• Quantifiable outcome (show me the $$$$$)
• Reduced assets result in reduced cost for:
  • Ongoing operation
  • Ongoing security on assets (compliance formalities)
  • Electricity
  • Data traffic
  • Any per-device license cost
• For data: storage cost per MB is a good measure

What next?
• Explore your environment
• Identify unneeded and unused entries
• Reduce the attack surface
• Revisit the manifesto @ reducetheattacksurface.com

Thanks for listening & open to questions
Email: anant@cyfinoid.com

Trainings & Research
Web Application | Cloud | Supply Chain
Trainings
Attacking Software Supply Chain | Attacking Cloud Environments
Contact us at contact@cyfinoid.com