Date: 2024-10-17

When thinking about how to get into a well-defended fortress, no intelligent attacker would walk right up to the front door and try to knock it down. At the very least, that wouldn’t be their sole attack strategy. Instead, they would try to find the weak points in the defenses.

Web security is no different. This is especially true in the world of cloud computing, as today’s organizations are leveraging cloud portability for flexibility and easy scaling. For example, with Linode, you can spin up a new instance of an application with the simple click of a button.

However, the conveniences of cloud computing need to be accompanied by secure practices. Rather than adding functionality to the main application, which has all of the strong security around it, some engineering sub-teams might find it easier to build a new application and deploy it to a subdomain. Sure, these sub-teams aren’t trying to expose their organization to an attack. However, by expanding their organization’s web footprint with new applications and subdomains, they’re increasing the attack surface and making it more challenging to secure the entire environment.

Keep in mind also that non-production application instances on subdomains probably need to communicate with the main application or at least with its datastore. This is where an attacker can find a path from a less secure system into a more secure system.