OWASP Assimilation Project

Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. The point of a document like this are the answers. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'

How can I participate in your project?

All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

If I am not a programmer can I participate in your project?

Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. See the Road Map and Getting Involved tab for more details.

Contributors

The OWASP Assimilation Project is developed by a worldwide team of volunteers.

The first contributors to the project were:

• Alan Robertson
• Carrie Oswald
• Dave Quigley
• Roger Massey

Roadmap

Future plans include:

• Expanding the best practices we cover
• Making it easy to see which machines are in need of security patches - take that into account with the security scores.
• Taking better advantage of checksums - take that into account with security scores.
• Many more discovery agents. These turn out to be typically pretty simple, and can be written with very little knowledge of the project internals. They have a very shallow learning curve to get started.

There is also a page that describes the future thinking as of August 2016 on our latest roadmap blog post.

There are a variety of roadmap-related artifacts on the project's Trello boards. You can find them here:

• feature board
• Issue/bug/feature board

You should also consider contributing to our sister project the IT Best Practices project - since that's where the best practices we implement are defined.

You can also read more about the project's "current thinking" in our mailing list archives.

Getting Involved

Involvement in the development and promotion of Assimilation Project is actively encouraged! You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:

Coding

The software is intended to be able to run on any POSIX system and Microsoft Windows. Currently it runs on at least a dozen different Linux versions. We are actively seeking people to do ports to other systems - particularly Windows.

The project has a contributor agreement for things that go into source control.

So far, the code is written in the following languages:

• C - core nanoprobe code and communications libraries
• Python - CMA code and a few utilities
• POSIX shell - scripts to do discovery and monitoring
• C# - one Windows discovery agent - should be rewritten in PowerShell
• PowerShell - future Windows discovery agents

Localization

There is significant opportunity for localization in our sister IT BestPractices project, and some in our canned queries. All strings in the project are UTF-8.

Testing

We have need both for human testers - people to do trials and provide feedback, and people to enhance our automated testing environment. Most of the automated testing is in Python, with some in the shell, and C. We have a unique and powerful system-level testing methodology which was described on our blog. The source code for these system-level tests can be found in this directory on GitHub.

Building and Related Topics

We need help getting properly signed RPM and .deb repositories set up for the various versions of Linux we have set up. We have some basic continuous integration set up, and a good set of build procedures for 64-bit versions of Linux. But things could always be better and release production more automated.

Feedback

• What do like?
• What don't you like?
• What features would you like to see prioritized on the roadmap?

The OWASP Assimilation Project needs to have the following capabilities in order to be considered minimally viable:

• Discovery of IP and MAC addresses through ARP
• Discovery of services offered on each system including IP:port combinations and binaries and arguments for the services
• Discovery of packages and package versions installed on the system (OS, pip, GEMs, NPM, etc).
• Discovery of checksums of network-facing binaries (discovered by services above)
• Discovery of security-related settings
• Comparision of security-related settings against best practices from the IT Best Practices project
• A dozen or more database queries to retrieve the information above
• Event API so that notifications can be performed as things change or are added in the system

The project has had all these capabilities since 2015.

Projects/OWASP Assimilation Project About Page