
Attack Surface Analysis and Managing an Application's Attack Surface


Submitted By digitaldeath4545
It is targeted to be used by developers to understand and manage application security risks as they design and change an application, as well as by application security specialists doing a security risk assessment. The focus here is on protecting an application from external attack - it does not take into account attacks on the users or operators of the system (e.g. malware injection, social engineering attacks), and there is less focus on insider threats, although the principles remain the same. The internal attack surface is likely to be different from the external attack surface, and some users may have a lot of access.

The Attack Surface describes all of the different points where an attacker could get into a system, and where they could get data out. The Attack Surface of an application is:

1. The sum of all paths for data/commands into and out of the application, and
2. The code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding), and
3. All valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and PII, and
4. The code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).

The security implications of having a variety of client platforms are:

1. Violation of a security policy by a user
2. Disgruntled employee sabotage
3. Download of non-business video using the Internet to an employer-owned computer
4. Malware infection of a user's laptop
5. Unauthorized physical access to the LAN
6. LAN server operating system vulnerabilities
7. WAN Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
8. WAN eavesdropping
9. Errors and weaknesses of network router, firewall, and network appliance configuration files

The basic strategies of
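The four-part definition of the attack surface (paths in and out, the code protecting those paths, valuable data, and the code protecting that data) can be turned into a concrete inventory that a developer or assessor maintains as the application changes. The Python below is an added example written for this page; it is not part of the essay. The entry points, control names and data weights are constructed assumptions chosen to illustrate the method: each path is recorded with the data it touches and the protective controls actually present, missing controls are derived from the definition, and paths are ranked so that an unprotected path carrying secrets or PII surfaces first.

```python
"""Attack surface inventory built from the essay's four components:
paths in/out, code protecting the paths, valuable data, code protecting data.
All entry points and weights below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Relative weight of each valuable-data category (assumed values).
DATA_WEIGHT = {"secrets": 5, "pii": 4, "business": 3, "ip": 3, "public": 0}

# Controls expected on a path ("code that protects these paths") and on the
# data a path touches ("code that protects these data").
PATH_CONTROLS = ("authn", "authz", "validation", "logging")
DATA_CONTROLS = ("encryption", "audit", "integrity")


@dataclass
class EntryPoint:
    name: str                                        # e.g. "POST /api/orders"
    direction: str                                   # "in", "out" or "both"
    data: Set[str] = field(default_factory=set)      # data categories touched
    controls: Set[str] = field(default_factory=set)  # controls actually present


def missing_controls(ep: EntryPoint) -> List[str]:
    """Controls expected for this path that the inventory says are absent."""
    expected = list(PATH_CONTROLS)
    if ep.data - {"public"}:           # valuable data also needs data controls
        expected += DATA_CONTROLS
    return [c for c in expected if c not in ep.controls]


def risk_score(ep: EntryPoint) -> int:
    """Exposure of the most sensitive data, scaled by how many controls are missing."""
    exposure = max((DATA_WEIGHT.get(d, 1) for d in ep.data), default=1)
    exposure = max(exposure, 1)        # a public-only path still counts as a path
    return exposure * (1 + len(missing_controls(ep)))


def inventory(entry_points: List[EntryPoint]) -> List[Tuple[str, int, List[str]]]:
    """Entry points ordered by descending risk, each with its list of gaps."""
    rows = [(ep.name, risk_score(ep), missing_controls(ep)) for ep in entry_points]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def summary(entry_points: List[EntryPoint]) -> Dict[str, int]:
    """Headline counts an assessor would track between releases."""
    return {
        "paths": len(entry_points),
        "inbound": sum(ep.direction in ("in", "both") for ep in entry_points),
        "outbound": sum(ep.direction in ("out", "both") for ep in entry_points),
        "unauthenticated": sum("authn" not in ep.controls for ep in entry_points),
        "sensitive_without_encryption": sum(
            bool(ep.data - {"public"}) and "encryption" not in ep.controls
            for ep in entry_points),
    }


# Constructed inventory for a hypothetical web application.
SAMPLE = [
    EntryPoint("GET /", "in", {"public"}, {"validation", "logging"}),
    EntryPoint("POST /api/orders", "in", {"business"},
               {"authn", "validation", "logging", "encryption", "audit", "integrity"}),
    EntryPoint("GET /api/users/{id}", "both", {"pii"},
               {"authn", "validation", "logging", "encryption"}),
    EntryPoint("POST /admin/export", "out", {"pii", "business"},
               {"authn", "authz", "validation", "logging",
                "encryption", "audit", "integrity"}),
    EntryPoint("GET /debug/config", "out", {"secrets"}, set()),
]

if __name__ == "__main__":
    for name, score, gaps in inventory(SAMPLE):
        print(f"{score:3d}  {name:24s} missing: {', '.join(gaps) or '-'}")
    print(summary(SAMPLE))
```

Run as a script, the inventory prints the debug endpoint first (secrets touched, no controls at all), then the user lookup that lacks authorization and data auditing; the summary counts are the figures worth comparing release to release, since a growing number of unauthenticated or unencrypted sensitive paths is a direct measure of the attack surface growing.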
