IT Shops have trouble doing the basics well
- 30% of all break-ins come through systems not in inventory, 30% of servers are doing nothing useful,
- Getting systems hardened is difficult
- 70% of people who get into compliance with PCI-DSS aren’t in compliance a year later
- Remediation of known serious patches happens slowly if at all
- 90% of all sites have suffered from outages of services which aren’t monitored
- Keeping a suite of helpful tools correctly configured over time is time-consuming and expensive.
Then of course, there’s the problem of demonstrating to upper management that you’re actually making progress against a formidable task. These are the problems the OWASP Assimilation project addresses.
It compares security configuration against best practices, keeps network-facing checksums up to date, provides attack surface visualization, alerts on events, and improves availability through monitoring systems and services. It does all these things with near-zero configuration.
This talk gave an overview of the project and included a live demo.
About the OWASP Assimilation Project
The open source Assimilation Project has recently affiliated itself with OWASP to reflect its growing emphasis on security. So the OWASP Assimilation project is the same exact project and code as it’s always been – with a new affiliation and an extra word in the name ;-).
If you’re going to be in Las Vegas and are interested in security from an operational perspective, I highly recommend that you come learn more about the OWASP Assimilation project. The issues we address are important and broad, the technology is unique and really cool, and people have fun at my talks