19 comments

[ 3.2 ms ] story [ 56.8 ms ] thread
How does this compare to security baselines with say inspec?
I've not used inspec but since I intercept a lot of security related concerns/complaints from my client base, I decided to try this out with my company's product.

Honestly, I'm not impressed, as it's about as it's just a straight up diff of some collected metrics from different snapshots with no real context or even mapping of events it diffs to the application/user/process responsible, and the discoverability of what actually changed isn't great.

The reports simply show as HTML text lists (all in red strangely, which I don't like), and unless I'm mistaken, there's no interactivity with them. I suppose it's a nice before and after, but it feels very limited in the information it offers, and I honestly don't like the UI presentation at all. Similarly, the documentation references UI elements that don't exist (for example, it mentions a Results item on the main menu that is not present, and I believe they mean Analyze).

Edit: added to last paragraph since I hit submit too soon.

Interesting, anything you would recommend then?
Recommend for OS diffing, or OS config vuln scanning?

Former, no idea, the latter is fine with any major COTS product that does vuln scanning (Nessus/Rapid7/whatever) they're all pretty decent for doing an authenticated scan of a host's local config.

I was hoping there would be some interesting new development, but I guess nothing really changed huh? Dell enterprise security will print out a big Nessus report for a lot of money for a normal audit.
Have you tried cis-cat? I think it was designed explicitly for that, to scan for local OS vulnerabilities.
"OS" is not specified. Page mentions "COM objects" which suggests OS is Windows.
(comment deleted)
“Attack Surface Analyzer (ASA) is a Microsoft-developed Security tool that analyzes the attack surface of a Windows, Linux or MacOS system and reports on system changes that may have potential security implications that are introduced by the installation of software or by system misconfiguration.“

https://github.com/Microsoft/AttackSurfaceAnalyzer/wiki

ONE MANTRA OF WISDOM ALWAYS TRUE:

Security and closed source OS do not live in the same house.

So this is like Microsoft's take on OpenSCAP but targeted at Windows?
Will this alert you if your OS is phoning home with telemetry? /s
if it alerts/blocks apps from phoning home....
It's notable that if you run this tool on a computer that has onedrive set up, it will start downloading cloud-hosted onedrive files during the filesystem scan phase.
Definitely beta.

I installed using dotnet tool install -g --version 2.3.141-beta-g9aa8b4e9b5 Microsoft.CST.AttackSurfaceAnalyzer.CLI

None of the CSS components load when launch with asa gui.

This one needs to bake a few more months.

It's many many years old.

edit: Oh, so this is a new, open version of the 2012 system. So perhaps not.

To use the "Attack Surface Analyzer", you need to install software that significantly alters your attack surface.
I tried this on Ubuntu. It hung when scanning /run. After I disabled the filesystem scan, it crashed when I ran it.