


Tech & Trends

General Information
August 27, 2004 • Vol.26 Issue 35
Page(s) 22 in print issue

Intruder Alerts
Open Source Vulnerability Database: An Open-Source Approach To Vulnerability Reporting

The Open Source Vulnerability Database offers a single repository for information on both proprietary and open-source software products.


Any system administrator or IT manager who ignores vulnerabilities in his network and software infrastructure is likely to wake up one day to a nasty surprise. With hordes of unscrupulous bad guys itching to take over unprotected systems or raid them for sensitive data, it can be a full-time job to keep up with all the holes in your OSes.

As digital infrastructure has become a more critical part of the U.S. economy, organizations such as CERT have stepped up to provide a clearinghouse for information on exploits and viruses. But one group of security gurus has taken a less centralized approach to the problem, one more in line with the open-source software model.

The Open Source Vulnerability Database depends on the power of the masses to gather its information. Started in 2002 by Rain Forest Puppy (a well-known computer security expert who is protective of his privacy) and HD Moore, it has grown into a fairly definitive compendium of what malicious things can be done to computer software, both open-source and proprietary.



Many Sources, One Resource

The reports come from a variety of sources, according to chief moderator and current project lead Jake Kouns. "It could be a vendor contacting us. It could be something that we find from other security resources. It could be just an independent researcher contacting us. There are a lot of entry points providing this information. And a lot of people feel very strong about ensuring that there is accurate security information and we just provide the centralized place for a multiple of these avenues to contact us and give us information."

One area of controversy in the security industry is whether to report vulnerabilities immediately or give the vendor time to patch the problem first. According to Kouns, the OSVDB takes a compromise approach. "What we see in the industry is that a lot of security professionals call for full disclosure, immediate announcement to everyone in the world that there is a vulnerability. Vendors, on the other hand, tend to take the stance that no one should know; if more people know, then that's a bad thing for the state of security. OSVDB takes a very middle-of-the-road stance that we feel that vendors should have a chance to be contacted, but it should be a reasonable amount of time, not six or nine months later, they will acknowledge it."

Kouns sees the OSVDB as complementary rather than redundant to other organizations such as CERT. "There is no competition that I view. They are all sources; anytime I can find a reference from them, we include them into our database, no question about it. If you look at other sources, they are very picky about who they reference. There are limitations on their use or links they'll provide at their site. That's not the case at OSVDB; we put everything we can put in there."



Tool Integration

The OSVDB is also working to include the data it collects in open-source security monitoring tools such as Snort. By correlating its data with the checks made by the software, the project can improve the tools by adding high-risk vulnerabilities to the monitors.

Kouns is quick to point out that the OSVDB is very much a group effort, with fellow volunteers Chris Sullo, Forrest Rae, and Brian Martin providing the rest of the core horsepower that keeps the site running. In addition, a host of 50 to 75 "datamanglers" provide the updates that keep the site up to date.

by James Turner


Copyright © by Sandhills Publishing Company 2014. All rights reserved.