Surface Monitoring is a leading external attack surface management (EASM) product aimed at identifying, assessing, and prioritizing web vulnerabilities. This new category of cybersecurity products provides a layer of protection that was previously unavailable to organizations due to a lack of automation and tools. Surface Monitoring was conceived based on the success of a previous security product from Detectify that had been in the market since 2015.

The attack surface is an organization’s digital exposure that an attacker could exploit to get unauthorized access to a system and extract data or other sensitive information. It could also be used as a point within a chain of attacks. As Organizations increasingly rely on SaaS services and products, the digital attack surface is more than the firewall and network.

The vulnerabilities page allows you to see all findings across your attack surface. This includes simple filters that let you specify what you want to focus on, including the level of severity, which domains you want to look at, and whether it was found in the past week or the past month.

Included by Gartner in 2021 as a major cybersecurity category and an emerging product, the External Attack Surface Management (EASM) term might be new. Still, the idea behind it is nothing new: identifying risks coming from internet-facing assets that an organization may be unaware of. A few companies, including Detectify, have been highlighting the importance of the attack surface and understanding the potential risks of the constantly-changing environment.

Remediating vulnerabilities efficiently is the cornerstone of a great vulnerability management program. Prioritizing becomes paramount as resources are often limited. Sometimes teams might pinpoint specific vulnerability types that are particularly risky for their attack surfaces, such as a misconfigured Amazon S3 bucket or even a new XSS vulnerability. Users can now filter the /Vulnerabilities view by title, such as a specific type of XSS or even the CVE name.

When Algolia’s security program manager Regina Bluman ran a Twitter poll to see how many people within the security industry understood the concept of EASM, she didn’t expect that the term is far from being on an IT security team’s radar. Moreover, most were not even aware of it.

The attack surface is inevitably going to grow. That’s why we believe it’s crucial for customers to not only know what assets they are exposing online but knowing to what extent assets are exposed. Users can now toggle the view of their attack surface by active and inactive assets. When toggled on, users will see all active assets present on their attack surface in the last 14 calendar days making it easier to discern what may no longer be on the attack surface.

When I look at IT security I can clearly see how it has changed, being today much more mature now than it’s ever been. Governments are working on policies and legislation forcing companies to prioritize IT security. As a result, the entire bug bounty community has bloomed in a way that I could never imagine, security researchers are now working together with companies to identify and mitigate vulnerabilities in a way that we have never done before.

Our security researchers, engineers, and our Crowdsource community are actively working on understanding the vulnerabilities and developing tests. We have received a dozen POCs already and anticipate more over the coming days. While the situation is rapidly developing, here is what we know so far. The Spring Cloud Function vulnerability (CVE-2022-22963) was disclosed and patched earlier this week.

Detectify’s Surface Monitoring is the easiest way to monitor and manage your attack surface on the market. This product continuously monitors the configuration and attack surface of your domains and subdomains. It came from the realization that Application Scanning, our other product, is very detailed. Application scanning tries to find every nook and cranny of your application through crawling and fuzzing which is exactly what companies need for custom-built applications.