IT Shops have trouble doing the basics well

  • 30% of all break-ins come through systems not in inventory; 30% of servers are doing nothing useful
  • Getting systems hardened is difficult
  • 70% of people who get into compliance with PCI-DSS aren’t in compliance a year later
  • Remediation of known serious patches happens slowly if at all
  • 90% of all sites have suffered from outages of services which aren’t monitored
  • Keeping a suite of helpful tools correctly configured over time is time-consuming and expensive.

Then of course, there’s the problem of demonstrating to upper management that you’re actually making progress against a formidable task. These are the problems the OWASP Assimilation project addresses.

It compares security configuration against best practices, keeps network-facing checksums up to date, provides attack surface visualization, alerts on events, and improves availability through monitoring systems and services. It does all these things with near-zero configuration.

This talk gave an overview of the project and included a live demo.

About the OWASP Assimilation Project

The open source Assimilation Project has recently affiliated itself with OWASP to reflect its growing emphasis on security. So the OWASP Assimilation project is the same exact project and code as it’s always been – with a new affiliation and an extra word in the name ;-).

If you’re going to be in Las Vegas and are interested in security from an operational perspective, I highly recommend that you come learn more about the OWASP Assimilation project. The issues we address are important and broad, the technology is unique and really cool, and people have fun at my talks.

I gave a talk and demo at the 2016 Salt Lake City DevOps Days conference about “Security Automation in a DevOps World”. Just for fun, my laptop ran out of power about 2/3 of the way into the talk. A few good people managed to bring power to the podium and grab my power brick so I could finish the demo. Although a little was missed due to the power outage, all in all it went well.

Cybersecurity is in the news almost every day. It’s not just getting the attention of the technical folks in the trenches, it’s getting attention in the boardroom. It’s also an area to which the DevOps culture hasn’t paid as much attention as we have to testing and deployment automation. This talk is about how to make things better and keep them there – showing you how to get started in 15 minutes.

Making your systems more secure is a daunting task – the average system has something like 100 ways it’s out of step with hardening best practices. If you have 1000 systems, that means you have something like 100,000 problems – it’s overwhelming! There’s also your attack surface (the ways an intruder can enter your systems) – how to understand and minimize it. The talk covered these things:

  • How to know what you need to do to harden your systems
  • How to triage, manage and track the hardening process – and show your boss what great progress you’re making
  • How to keep your systems hardened after you get there
  • How to visualize and understand your attack surface

Alan Robertson gave a talk and live demo at NCAR on the Assimilation System Management Suite. The demo (starting at 50:46) was notable because it was the first time during a live demo that we were plugged into a type of switch we’d never seen before. What was cool was that it all worked exactly like it was supposed to.

In July 2015, Alan Robertson gave a 45 minute talk on the IT Best Practices Project at OSCON. This gave an overview of both the ITBP project and how software (such as the Assimilation Project) can use this information to help people keep their systems secure.

https://youtu.be/SsiKLqxz3Yo

Our founder gave a 45 minute overview of the IT Best Practices project and how that information can be used by software packages including the Assimilation Project.

On 6 January 2014, Alan Robertson gave a 15 minute talk on the CMDB aspect of the Assimilation Project at the SysAdmin miniconf at the 2014 Linux.Conf.Au conference in Perth, Australia. Slides from this talk are available on SpeakerDeck. Although we do a lot more things since that talk, the fundamentals of the CMDB are the same as they’ve ever been.