I will update this list as new resources become available. If you have a resource you think I should add, please email me.
IT Shops have trouble doing the basics well
30% of all break-ins come through systems not in inventory, 30% of servers are doing nothing useful,
Getting systems hardened is difficult
70% of people who get into compliance with PCI-DSS aren’t in compliance a year later
Remediation of known serious patches happens slowly if at all
90% of all sites have suffered from outages of services which aren’t monitored
Keeping a suite of helpful tools correctly configured over time is time-consuming and expensive.
Then of course, there’s the problem of demonstrating to upper management that you’re actually making progress against a formidable task. These are the problems the OWASP Assimilation project addresses.
It compares security configuration against best practices, keeps network-facing checksums up to date, provides attack surface visualization, alerts on events, and improves availability through monitoring systems and services. It does all these things with near-zero configuration.
This talk gave an overview of the project and included a live demo.
About the OWASP Assimilation Project
The open source Assimilation Project has recently affiliated itself with OWASP to reflect its growing emphasis on security. So the OWASP Assimilation project is the same exact project and code as it’s always been – with a new affiliation and an extra word in the name ;-).
If you’re going to be in Las Vegas and are interested in security from an operational perspective, I highly recommend that you come learn more about the OWASP Assimilation project. The issues we address are important and broad, the technology is unique and really cool, and people have fun at my talks
I gave a talk and demo at the 2016 Salt Lake City DevOps Days conference about “Security Automation in a DevOps World”. Just for fun, my laptop ran out of power about 2/3 of the way into the talk. A few good people managed to bring power to the podium and grab my power brick so I could finish the demo. Although a little was missed due to the power outage, all in all it went well.
Cybersecurity is in the news almost every day. It’s not just getting the attention of the technical folks in the trenches, it’s getting attention in the boardroom. It’s also an area that the DevOps culture hasn’t spent as much attention on as we have on testing and deployment automation. This talk is about how to make things better and keep them there – showing you how to get started in 15 minutes.
Making your systems more secure is a daunting task – the average system has something like 100 ways it’s out of step with hardening best practices. If you have 1000 systems, that means you have something like 100,000 problems – it’s overwhelming! There’s also understanding your attack surface (the ways an intruder can enter your systems) – how to understand and minimize it. The talk covered these things:
How to know what you need to do to harden your systems
How to triage, manage and track the hardening process – and show your boss what great progress you’re making
How to keep your systems hardened after you get there
How to visualize and understand your attack surface
I gave a talk and a demo of the Assimilation Suite at the Open Source Monitoring Conference in Nürnberg, Germany on 17 November, 2015. This talk covers what the Assimilation software can do for you, along with a lot of detail about the technology, along with a really cool demo of the technology. The slides for this talk are also available.
Alan Robertson gave a talk and live demo at NCAR on the Assimilation System Management Suite. The demo (starting at 50:46) was notable because it was the first time during a live demo that we were plugged into a type of switch we’d never seen before. What was cool was that it all worked exactly like it was supposed to.
In July 2015, Alan Robertson gave a 45 minute talk on the IT Best Practices Project at OSCON. This gave an overview of both the ITBP project and how software (such as the Assimilation Project) can use this information to help people keep their systems secure.
Our founder gave a 45 minute overview of the IT Best Practices project and how that information can be used by software packages including the Assimilation Project.
A 12 minute interview with Assimilation Systems CTO Alan Robertson at linux.conf.au in January 2014 in Perth, Australia.
A 45 minute conference presentation on the Assimilation Project at the January 2014 linux.conf.au conference in Perth, Australia. There is a first-time-ever live demo in this presentation. A better version (without my mistakes) can be found elsewhere on the site.
On 6 January 2014, Alan Robertson gave a 15 minute talk on the CMDB aspect of the Assimilation Project at the SysAdmin miniconf at the 2014 Linux.Conf.Au conference in Perth, Australia. Slides from this talk are available on SpeakerDeck. Although we do a lot more things since that talk, the fundamentals of the CMDB are the same as they’ve ever been.
A 60-minute technical overview of the Assimilation software at the Open Source Monitoring Conference in Nürnberg Germany in the Fall of 2013.