All issues identified by the Attack Surface Analyzer (ASA) tool must be fixed #15246

@anupriya13

Description

Requirement:

Use Attack Surface Analyzer (ASA) to validate that installers or other high-privilege programs do not weaken the security configuration of the operating system.

Additional information is available in the guidance documentation here: All issues identified by the Attack Surface Analyzer (ASA) tool must be fixed

Refer to https://github.com/microsoft/AttackSurfaceAnalyzer and add a workflow to automate it and run it in every PR.

https://github.com/microsoft/AttackSurfaceAnalyzer/wiki/CLI-Walkthrough

🛡️ SDL Compliance: Integrate Attack Surface Analyzer (ASA) into CI

🎯 Goal

Add Microsoft Attack Surface Analyzer (ASA) to the React Native Windows CI pipeline so it automatically checks every Pull Request for security regressions.

This helps meet the Secure Development Lifecycle (SDL) requirement:

Use Attack Surface Analyzer (ASA) to validate that installers or other high-privilege programs do not weaken the security configuration of the operating system.

All issues identified by ASA must be fixed or justified before merging.

When installing software on an operating system, elevated privileges are often required. Since the installer is usually running with 'Administrator' or 'root' privileges, it can easily change the security configuration of the operating system, leaving the operating system in a weakened state after the installation is complete. Attack Surface Analyzer (ASA) is a tool that can help determine the changes made to an operating system during software installation. ASA works by taking a "before" and "after" snapshot and comparing the two.

How to Demonstrate Compliance
Follow the activities as defined by your Security Team as identified in Service Tree.

Installing
dotnet Tool (Recommended):
With the latest .NET SDK Installed run: dotnet tool install -g Microsoft.CST.AttackSurfaceAnalyzer.CLI.

Platform specific binaries
Platform-specific bits are also available on the GitHub Releases tab.

Using Attack Surface Analyzer (ASA)
Attack Surface Analyzer can be run in CLI mode or with a browser-based GUI.

CLI (Recommended)
For usage instructions, run asa --help, or asa <command> --help for help with a specific command. More documentation is available on the Readme and Wiki on GitHub.

Guided Mode
Run asa guide with the collectors you want to use. For example, asa guide -cCdlFkpPrstuwm --exportsarif --outputpath myscan.sarif will guide you through a collection run for all file types except File, instead using Monitoring for File Change Tracking, and will output the results in a sarif file named myscan.sarif. Follow the directions provided for the appropriate time to run your application under test.

Manual Collection
1. Run asa collect with the collectors you want to use enabled. For example, asa collect -a to collect all available data types, using the current timestamp as Runid.
2. Run the application under examination.
3. Run asa collect again with the same arguments as in step 1 (other than Runid, if provided). If you know the Runid from the run in step 1, you can use asa collect --match-run-id to ensure you are using the same settings as the paired run.
4. Run asa export-collect --outputsarif --outputpath myscan.sarif to export a sarif report comparing the last two collection runs.
Manual Collection with File Monitoring
If the workflow you are performing does not require rebooting the system, you can reduce collection time by excluding Files from your collect run and running a supplementary Monitor run for Files instead with asa monitor -F. This can reduce collection time, especially on systems with many files.

1. Run asa collect with the collectors you want to use enabled.
2. Run asa monitor -F to start monitoring the FileSystem for changes.
3. Run the application under examination.
4. Stop the monitoring from step 2.
5. Run asa collect again with the same arguments as in step 1 (other than runid, if provided). If you know the runid from the run in step 1, you can use asa collect --match-run-id to ensure you are using the same settings as the paired run.
6. Run asa export-collect --outputsarif --outputpath myscan.sarif to export a sarif report comparing the last two collection runs.
7. Run asa export-monitor --outputsarif --outputpath monitorresults.sarif --applysubobjectrulestomonitor to export a sarif for the monitoring results.
GUI
Run asa gui. A browser window should open automatically with the interface.

Guided Mode
Choose the Guided Mode to be guided through running two collection runs and running analysis.

Manual collection
1. Select Scan and perform a Collection run gathering the relevant data points you would like to collect.
2. Run the application under examination.
3. Run a second Collection run gathering the same set of data points as from step 1.
4. Select Analyze, and Start an Analysis of the two Collection runs from steps 1 and 3.
5. After analysis is complete, navigate to the Report tab to view the results.
Planning Considerations
If you have .NET Core installed, you can install Attack Surface Analyzer (ASA) by using:

dotnet tool install -g Microsoft.CST.AttackSurfaceAnalyzer.CLI
Using Attack Surface Analyzer (ASA)
For each major configuration of the software product:

1. Run Attack Surface Analyzer (ASA) against a clean baseline system BEFORE your product has been installed.
2. Install the application, appliance or service, enabling as many options as possible. Be sure to include options that you perceive may increase the attack surface of the machine.
3. Run the newly installed products or applications following typical user scenarios.
4. AFTER installing and running your products or applications, run Attack Surface Analyzer (ASA) again. These executions must be performed on the same machine. limited to:
   - Changes to the file system or registry (content or ACL changes)
   - Changes to user accounts (for example, privileges granted to low-privilege accounts)
   - Changes to system services
   - Changes to the local certificate store
   - Changes to the network configuration (for example, listening ports)
5. Review the report that Attack Surface Analyzer (ASA) generates to ensure that the software product has not weakened the security configuration of the operating system, and has not performed changes which are unexpected.
6. Run Attack Surface Analyzer (ASA) on all versions of Windows, Linux, or MacOS that your product supports.
Understanding Attack Surface Analyzer (ASA) results
Reducing the system attack surface makes it more difficult for an external attacker to break into the system and for local users to elevate their

References / Resources
Attack Surface Analyzer (ASA)
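Added example, not code from this issue, React Native Windows or the ASA project: a small CI gate that reads the SARIF file produced by asa export-collect (step 4 of Manual Collection) and fails the PR unless every error- or warning-level finding has a recorded justification, which is what "fixed or justified before merging" needs once the workflow is automated. The sample SARIF, its ruleIds and the justification format are constructed assumptions, not real ASA rule identifiers.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample of a SARIF 2.1.0 comparison report in the general shape
# ASA's export-collect writes (tool/driver, runs[].results[]). The ruleIds and
# messages are made up for this example; they are not real ASA rule IDs.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Attack Surface Analyzer"}},
        "results": [
            {"ruleId": "EXAMPLE-SERVICE-ADDED", "level": "error",
             "message": {"text": "New service added running as LocalSystem"}},
            {"ruleId": "EXAMPLE-FILE-ACL-WEAKENED", "level": "warning",
             "message": {"text": "ACL on installed binary now grants Everyone write"}},
            {"ruleId": "EXAMPLE-PORT-OPENED", "level": "error",
             "message": {"text": "New listening TCP port 8081"}},
            {"ruleId": "EXAMPLE-FILE-CREATED", "level": "note",
             "message": {"text": "File created under the install directory"}},
        ],
    }],
})

# Hypothetical justification file checked into the repo: ruleId -> reason the
# reviewers accepted the finding. Anything not listed here must be fixed.
JUSTIFIED: Dict[str, str] = {
    "EXAMPLE-PORT-OPENED": "documented dev-server port, bound to localhost only",
}

def unresolved_findings(sarif_text: str, justified: Dict[str, str],
                        fail_levels=("error", "warning")) -> List[str]:
    """Return findings at a failing level that carry no justification."""
    doc = json.loads(sarif_text)
    out: List[str] = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF default when level is omitted
            rule = res.get("ruleId", "<no-rule>")
            if level in fail_levels and rule not in justified:
                out.append(f"{level}: {rule}: {res['message']['text']}")
    return out

def gate(sarif_text: str, justified: Dict[str, str]) -> Tuple[bool, List[str]]:
    """CI gate: passes only when every failing-level finding is justified."""
    problems = unresolved_findings(sarif_text, justified)
    return (not problems, problems)

if __name__ == "__main__":
    ok, problems = gate(SAMPLE_SARIF, JUSTIFIED)
    print("PASS" if ok else "FAIL", *problems, sep="\n")
```

In a workflow step the script would read myscan.sarif from disk instead of SAMPLE_SARIF and exit non-zero on FAIL; the "note" level is reported but does not block, so the two collection runs still need to be compared on the same machine as the procedure above requires.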
