AS-301f · Module 2

Third-Party Surface Assessment


Your attack surface extends beyond the components you control. Every third-party API, model provider, SaaS integration, and cloud service is part of your surface, and you inherit their vulnerabilities. A compromise of your model provider's API exposes every system that calls that API, directly or through another internal service. A breach of your cloud provider's key management system compromises every secret stored there. Third-party surface assessment evaluates the security posture of those dependencies and maps what each one can reach inside your systems, so that a vendor incident can be translated into a concrete list of affected components.

Do This

  • Assess the security posture of every third-party integration before deploying it — not after the incident
  • Monitor third-party security disclosures and apply them to your surface map — their vulnerability is your vulnerability
  • Maintain fallback options for critical dependencies — if your model provider has an outage or breach, can you switch to an alternative?

Avoid This

  • Assume third-party services are inherently secure because they are large companies — size does not prevent breaches
  • Dismiss vendor security certifications as irrelevant — they are not sufficient on their own, but they are a useful baseline
  • Create single-vendor dependencies without contingency plans — single points of failure are single points of compromise
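The mapping step behind the guidance above (inherit the dependency's exposure, apply a vendor disclosure to your surface map, and check that critical dependencies have a fallback) can be made concrete as a small dependency graph. The following is an added example, not code from the module or from any vendor; the system names, vendor names, the `SURFACE_MAP` and `FALLBACKS` structures, and the sample advisory are all constructed for illustration.

```python
"""Third-party surface map: blast radius of a vendor compromise and fallback coverage.

Constructed example. Internal systems, vendors and the advisory are made up.
"""
from collections import defaultdict

# Surface map: internal system -> services it calls directly.
# Entries prefixed "vendor:" are third-party services we do not control.
SURFACE_MAP = {
    "chat-frontend": ["api-gateway"],
    "api-gateway": ["summarizer", "auth-service"],
    "summarizer": ["vendor:ModelCo/inference-api"],
    "auth-service": ["vendor:CloudCo/kms"],
    "billing": ["vendor:CloudCo/kms", "vendor:PayCo/payments"],
    "ingest-pipeline": ["vendor:ModelCo/embeddings-api"],
}

# Contingency plan per third-party service: an alternative we can switch to,
# or None when no alternative is configured (a single point of compromise).
# A service missing from this table is treated the same as None.
FALLBACKS = {
    "vendor:ModelCo/inference-api": "vendor:OtherModelCo/inference-api",
    "vendor:CloudCo/kms": None,
}


def reverse_edges(surface_map):
    """Invert the map so we can walk from a dependency to everything that calls it."""
    callers = defaultdict(set)
    for system, deps in surface_map.items():
        for dep in deps:
            callers[dep].add(system)
    return callers


def blast_radius(surface_map, compromised):
    """Every internal system that transitively depends on `compromised`."""
    callers = reverse_edges(surface_map)
    seen, stack = set(), [compromised]
    while stack:
        node = stack.pop()
        for caller in callers.get(node, ()):
            if caller not in seen:
                seen.add(caller)
                stack.append(caller)
    return seen


def vendor_services(surface_map, vendor):
    """All third-party services from `vendor` that appear anywhere in the map."""
    prefix = f"vendor:{vendor}/"
    return {dep for deps in surface_map.values() for dep in deps if dep.startswith(prefix)}


def assess_advisory(surface_map, advisory, fallbacks=FALLBACKS):
    """Apply a vendor disclosure to the surface map.

    `advisory` is {"vendor": name, "services": [service names] or None for all}.
    Returns the affected third-party services, the internal systems within their
    blast radius, and which affected services have no fallback configured.
    """
    affected = sorted(
        s for s in vendor_services(surface_map, advisory["vendor"])
        if advisory["services"] is None or s.split("/", 1)[1] in advisory["services"]
    )
    impacted = set()
    for service in affected:
        impacted |= blast_radius(surface_map, service)
    return {
        "affected_services": affected,
        "impacted_systems": sorted(impacted),
        "without_fallback": [s for s in affected if fallbacks.get(s) is None],
    }


def single_points_of_compromise(surface_map, fallbacks=FALLBACKS):
    """Third-party services that are called by something and have no fallback."""
    callers = reverse_edges(surface_map)
    return sorted(
        dep for dep in callers
        if dep.startswith("vendor:") and fallbacks.get(dep) is None
    )


if __name__ == "__main__":
    # Constructed advisory: the cloud provider discloses a KMS incident.
    print(assess_advisory(SURFACE_MAP, {"vendor": "CloudCo", "services": ["kms"]}))
    print(single_points_of_compromise(SURFACE_MAP))
```

The walk is over the reverse graph, so an incident at a leaf dependency surfaces every caller up the chain, including systems that never call the vendor directly (here `chat-frontend` is impacted by the KMS advisory only through `api-gateway` and `auth-service`). The `without_fallback` list is the actionable output for the contingency-plan bullet: it is the set of dependencies where switching providers is not currently an option.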