Open Attack Surface Management – Oasm.dev

1•l1ttps•2w ago

Open-source platform for cybersecurity Attack Surface Management. Built to help security teams identify, monitor, and manage external assets and potential security exposures across their digital infrastructure.

https://github.com/oasm-platform/open-asm

Comments

csp_dev•2w ago

Congrats on the launch. Open-source ASM is desperately needed.

Looking at this, I'm thinking about the evolution of the external attack surface. It's not just about finding assets anymore, but understanding their security posture in depth with minimal intrusion.

This connects to work I'm doing on "zero-knowledge" security protocols. Imagine your platform discovers a web app, and a next-generation, privacy-aware scanner could then check for credential exposure (using a protocol that doesn't expose the creds) or misconfigurations without collecting sensitive payloads.

A technical question/thought: For asset discovery and fingerprinting at scale, how do you handle the privacy/data minimization aspect? For instance, when your scanner encounters a login page, is there a consideration for what signals are collected and stored? As we build more autonomous security scanners (and later, AI agents), baking in privacy-by-design from the start seems critical.

Tools like Open-ASM that map the territory will be the foundation for a new wave of respectful, efficient security testing. Excited to see this.

l1ttps•2w ago

In practice, we aim to identify as many real risks as possible across the external attack surface, since expanding visibility is what most improves an administrator’s understanding of their system. From our perspective, broad and accurate risk discovery is a prerequisite for effective security management, and it should be balanced with intentional choices around how deeply we inspect and what data we persist.

csp_dev•2w ago

Fully agree that broad, accurate discovery is the crucial first step. My point is about how we achieve the depth. The goal is deeper inspection through privacy-aware protocols like a scanner proving a login page is vulnerable without ever seeing credentials—so administrators get comprehensive risk understanding without the data liability.

FOSDEM 26 – My Hallway Track Takeaways

Show HN: Env-shelf – Open-source desktop app to manage .env files

Show HN: Almostnode – Run Node.js, Next.js, and Express in the Browser

Dell support (and hardware) is so bad, I almost sued them

Project Pterodactyl: Incremental Architecture

Styling: Search-Text and Other Highlight-Y Pseudo-Elements

Crypto firm accidentally sends $40B in Bitcoin to users

Magnetic fields can change carbon diffusion in steel

Fantasy football that celebrates great games

Show HN: Animalese

StrongDM's AI team build serious software without even looking at the code

John Haugeland on the failure of micro-worlds

Show HN: Velocity - Free/Cheaper Linear Clone but with MCP for agents

Corning Invented a New Fiber-Optic Cable for AI and Landed a $6B Meta Deal [video]

Show HN: XAPIs.dev – Twitter API Alternative at 90% Lower Cost

Near-Instantly Aborting the Worst Pain Imaginable with Psychedelics

Show HN: Nginx-defender – realtime abuse blocking for Nginx

The Super Sharp Blade

Smart Homes Are Terrible

What I haven't figured out

KPMG pressed its auditor to pass on AI cost savings

Open-source Claude skill that optimizes Hinge profiles. Pretty well.

First Proof

I squeezed a BERT sentiment analyzer into 1GB RAM on a $5 VPS

Kagi Translate

Building Interactive C/C++ workflows in Jupyter through Clang-REPL [video]

Tactical tornado is the new default

Full-Circle Test-Driven Firmware Development with OpenClaw

Automating Myself Out of My Job – Part 2

Dependency Resolution Methods