Last month, I was in Las Vegas for Defcon 32. And like many attendees, I was navigating the Las Vegas Convention Center for the first time. That is where I first encountered the Vegas Loop.
Picture this: You are trekking through acres of Las Vegas parking lots, the black asphalt radiating the sweltering August heat. Ahead, you see a stairway leading underground. Could this be a mirage, or is it the portal to hell itself?
As you descend the stairs, you encounter an underground room that feels semi-familiar, like a subway station. But instead of hearing the expected rumble of subway cars, there's nothing but the noises of Tesla electric cars appearing and then quietly whisking passengers into the lighted, circular tunnels.
These Teslas have human drivers behind the wheel today. But the Vegas Loop is also an example of Attack Surface Reduction (ASR), and it is easy to see how this model could enable a future of safe autonomous vehicles. It has practical lessons you can use to reduce security risk in novel ways.
Attack Surface Reduction isn't only about making systems smaller or simpler. It's about design choices that remove exposure before an attacker can reach it. It's the security equivalent of choosing to fight your battles on favorable terrain.
The goal is to reduce exposure to attack. In the early days of computing, ASR was as simple as closing unnecessary ports or disabling unused services. But as our product architectures have grown more complex, so too has the discipline of ASR. Microsoft's Security Development Lifecycle (SDL) brought ASR to the forefront of threat modeling, solidifying it as a fundamental principle of secure design.
In the surface world, autonomous vehicles grapple with a complicated mess of variables: unpredictable pedestrians, cyclists, surprise construction zones, and the ever-present threat of human error from other drivers.
However, in the controlled environment of the Vegas Loop, many of those threats vanish, as if Thanos had snapped his fingers. By moving the vehicles underground, the operator created an environment friendly to autonomous vehicles through a creative application of attack surface reduction. The move eliminated the chaos, leaving behind a simplified, predictable environment where autonomous vehicles can safely operate in the future. The vehicles I rode in were all human-operated, but the plan is to move to a fully autonomous mode later.
The Vegas Loop isn't the only place where ASR is applicable. Let's explore a few more examples that showcase the advantages of this approach:
Each of these examples embodies the core principle of ASR: don't just manage risks—eliminate them entirely wherever possible.
Unfortunately, many engineers fail to perform ASR, and therefore miss one of the best opportunities to secure their products. Here are 3 reasons people fail to do this important work:
Fortunately, there is a path forward. I'm going to explain how you can address each of these 3 challenges with actionable steps.
Let's dive in.
Shift-left efforts sometimes fall short, leaving security teams scrambling to perform last-minute reviews before launch. At that point, it is difficult to change the product in meaningful ways. When this happens, focus on building relationships with the teams and people who can pull you into design conversations earlier. Here is a list of teams to jump-start your own:
To make it easy for these teams to include you:
Teach them to ask the tough questions: Do we really need to store social security numbers? Does that new vendor really need full access to the entire customer database? By asking the tough questions early, you can often reduce the attack surface before it forms.
One of Amazon's leadership principles is "disagree and commit." Like most of Amazon's leadership principles, it has tension built in: disagreeing and committing pull in opposite directions. Here's why it matters when pushing back on product designs.
When you see security red flags in a design, you have a responsibility to speak up. Your customers are counting on you to have a backbone and to be their advocate.
But the way you disagree is important:
If the business makes a decision to proceed despite your concerns, be prepared to commit—but do so strategically.
Committing doesn't mean giving up; there is an effective way to do it. First, a few anti-patterns you should avoid:
Instead, have a Plan B ready. The goal is to reduce the residual risk as much as possible. This might include adding compensating WAF rules, improving monitoring and alerting on the exposed component, or devising a plan with an option for quick rollback if issues arise.
By disagreeing constructively and committing strategically, you position yourself as a problem-solver rather than a roadblock. This protects your career and helps you build influence and trust.
At one time you could trace your entire infrastructure by following network cables from physical servers to the switches and firewalls in datacenter racks that you owned or leased. Those days are long gone. Today's architectures are virtual, highly distributed, and dynamic. But there are tools to help you navigate:
OWASP Attack Surface Detector (ASD) - ASD is available as a command-line tool and as plugins for Burp Suite and OWASP ZAP. It uses static analysis (source code required) to find endpoints and parameters that a crawler would miss. You can read more about it here.
OWASP Amass - Amass is a framework that helps you discover network attack surfaces and external assets using open source intelligence gathering and reconnaissance. You can read more about it here.
ThreatMapper - ThreatMapper is an open source cloud native application protection platform. It also produces a threat graph, which can be helpful for mapping your attack surface. You can learn more about it here.
By leveraging these tools, you can begin to piece together a comprehensive map of your architecture, identifying potential weak points and unnecessary attack surface along the way.
Every year, we hear about breaches caused by forgotten, unknown, unmonitored, or simply unnecessary assets. These are the equivalent of leaving the back door unlocked—and they are entirely preventable through attack surface reduction.
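The discovery tools above tell you what is exposed; the ASR step is comparing that against what is *supposed* to be exposed and closing the gap. The script below is an added example, not code from the original post or from any of the tools named above. It parses the output of `ss -Hlntu` on a Linux host (the sample output embedded here is constructed, not captured from a real machine), classifies each listening socket as loopback-only or reachable from outside the host, and flags anything reachable that is not in a hypothetical allow-list of intended services. The allow-list (`EXPECTED_EXPOSED`) and the hostname-free policy are assumptions for the example; on a real host you would generate the allow-list from the service's design documentation.

```python
from __future__ import annotations

import sys
from dataclasses import dataclass

# Constructed sample of `ss -Hlntu` output (-H suppresses the header).
# Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511                *:80              *:*
tcp   LISTEN 0      4096       127.0.0.1:6379      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      128          0.0.0.0:5432      0.0.0.0:*
"""

# Hypothetical policy: the only (protocol, port) pairs this host is designed to
# expose beyond loopback. Everything else reachable from the network is a finding.
EXPECTED_EXPOSED = {("tcp", 22), ("tcp", 80)}

# Bind addresses that accept traffic on every interface.
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    @property
    def exposed(self) -> bool:
        """True if the socket can receive traffic from outside this host."""
        if self.addr in WILDCARDS:
            return True
        loopback = self.addr.startswith("127.") or self.addr in ("[::1]", "::1")
        return not loopback


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -Hlntu` lines into Listener records; skips malformed lines."""
    listeners: list[Listener] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # rpartition keeps IPv6 addresses such as "[::]" intact.
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def audit(listeners: list[Listener], expected=EXPECTED_EXPOSED) -> list[str]:
    """Return one finding per network-reachable socket outside the allow-list."""
    findings = []
    for lst in listeners:
        if lst.exposed and (lst.proto, lst.port) not in expected:
            findings.append(
                f"{lst.proto}/{lst.port} bound to {lst.addr} is reachable from the "
                f"network but not in the expected exposure set"
            )
    return findings


if __name__ == "__main__":
    # Pipe real output in with `ss -Hlntu | python3 audit_listeners.py`;
    # with no piped input the constructed sample is audited instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for finding in audit(parse_ss(data)):
        print(finding)
```

Run against the sample, the loopback-only Redis listener on 6379 is ignored, SSH and HTTP match the allow-list, and the script reports the DHCP client socket on udp/68 and the wildcard-bound PostgreSQL listener on tcp/5432. The second is the classic ASR finding: a database that should never have been reachable from the network at all. Checking this in CI, or as a scheduled job across a fleet, turns the "forgotten asset" problem described above into a diff that someone has to explain.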
Please let me know what you think.
Here are a few resources to help you dive deeper: