August 27, 2004
Vol.26 Issue 35
Page(s) 22 in print issue
Open Source Vulnerability Database: An Open-Source Approach To Vulnerability Reporting
The Open Source Vulnerability Database offers a single repository for information on both proprietary and open-source software products.
Any system administrator or IT manager who ignores vulnerabilities in his network and software infrastructure is likely to wake up one day to a nasty surprise. With hordes of unscrupulous bad guys itching to take over unprotected systems or raid them for sensitive data, it can be a full-time job to keep up with all the holes in your OSes.
As digital infrastructure has become a more critical part of the U.S. economy, organizations such as CERT have stepped up to provide a clearinghouse for information on exploits and viruses. But one group of security gurus has taken a less centralized approach to the problem, one more in line with the open-source software model.
The Open Source Vulnerability Database depends on the power of the masses to gather its information. Started in 2002 by Rain Forest Puppy (a well-known computer security expert who is protective of his privacy) and HD Moore, it has grown into a fairly definitive compendium of what malicious things can be done to computer software, both open-source and proprietary.
Many Sources, One Resource
The reports come from a variety of sources, according to chief moderator and current project lead Jake Kouns. "It could be a vendor contacting us. It could be something that we find from other security resources. It could be just an independent researcher contacting us. There are a lot of entry points providing this information. And a lot of people feel very strongly about ensuring that there is accurate security information, and we just provide the centralized place for a multiple of these avenues to contact us and give us information."
One area of controversy in the security industry is whether to report vulnerabilities immediately or give the vendor time to patch the problem first. According to Kouns, the OSVDB takes a compromise approach. "What we see in the industry is that a lot of security professionals call for full disclosure, immediate announcement to everyone in the world that there is a vulnerability. Vendors, on the other hand, tend to take the stance that no one should know; if more people know, then that's a bad thing for the state of security. OSVDB takes a very middle-of-the-road stance that we feel that vendors should have a chance to be contacted, but it should be a reasonable amount of time, not six or nine months later, they will acknowledge it."
Kouns sees the OSVDB as complementary rather than redundant to other organizations such as CERT. "There is no competition that I view. They are all sources; anytime I can find a reference from them, we include them into our database, no question about it. If you look at other sources, they are very picky about who they reference. There are limitations on their use or links they'll provide at their site. That's not the case at OSVDB; we put everything we can put in there."
The OSVDB is also working to feed the data it collects into open-source security monitoring tools such as Snort. By correlating its vulnerability records with the checks those tools already make, the project can show where monitoring is thin and help get high-risk vulnerabilities added to the monitors.
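The correlation described above, as an added example that is not part of the article or of OSVDB's own tooling: it parses the `reference:` and `sid:` options from Snort rule text, joins the OSVDB references against a vulnerability list carrying a risk rating, and reports which high-risk entries have no detection rule. The rules, the vulnerability records and the OSVDB-style identifiers are all constructed for the example and do not correspond to real rules or database entries.

```python
import re

# Constructed sample rules in Snort syntax (not real VRT or community rules).
SNORT_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC example traversal"; content:"../../"; reference:osvdb,9001; reference:cve,2004-9001; classtype:web-application-attack; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example overflow"; content:"USER "; reference:osvdb,9002; classtype:attempted-admin; sid:1000002; rev:1;)
# comment lines and blank lines are skipped
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP example"; content:"public"; reference:bugtraq,9003; sid:1000003; rev:1;)
'''

# Constructed records standing in for an OSVDB-style export; ids are placeholders.
VULN_DB = [
    {"osvdb": 9001, "title": "Example web traversal", "risk": "high"},
    {"osvdb": 9002, "title": "Example FTP overflow", "risk": "high"},
    {"osvdb": 9004, "title": "Example mail relay", "risk": "high"},
    {"osvdb": 9005, "title": "Example info leak", "risk": "low"},
]

# Snort rule options are "name:value;" pairs inside the parentheses.
REF_RE = re.compile(r"reference:\s*(\w+)\s*,\s*([^;]+);")
SID_RE = re.compile(r"sid:\s*(\d+)\s*;")


def parse_rules(text):
    """Return {sid: {reference_system: set(ids)}} for every rule in text."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue  # not a rule we can identify
        sid = int(sid_match.group(1))
        refs = {}
        for system, ident in REF_RE.findall(line):
            refs.setdefault(system.lower(), set()).add(ident.strip())
        rules[sid] = refs
    return rules


def osvdb_coverage(rules, vuln_db):
    """Join rule references against the vulnerability list.

    Returns {"covered": {osvdb_id: [sids]}, "uncovered_high": [osvdb_ids]}
    so a maintainer can see which high-risk entries still lack a rule.
    """
    covered = {}  # osvdb id -> set of sids referencing it
    for sid, refs in rules.items():
        for ident in refs.get("osvdb", ()):
            if ident.isdigit():
                covered.setdefault(int(ident), set()).add(sid)
    report = {"covered": {}, "uncovered_high": []}
    for vuln in vuln_db:
        sids = covered.get(vuln["osvdb"])
        if sids:
            report["covered"][vuln["osvdb"]] = sorted(sids)
        elif vuln["risk"] == "high":
            report["uncovered_high"].append(vuln["osvdb"])
    return report


if __name__ == "__main__":
    parsed = parse_rules(SNORT_RULES)
    result = osvdb_coverage(parsed, VULN_DB)
    for osvdb_id, sids in result["covered"].items():
        print(f"OSVDB {osvdb_id} covered by sid(s) {sids}")
    for osvdb_id in result["uncovered_high"]:
        print(f"OSVDB {osvdb_id} is high risk and has no rule")
```

Only the `osvdb` reference system is joined here; the same structure extends to `cve` or `bugtraq` references if the vulnerability export carries those identifiers too. Rules without a `sid` are skipped rather than guessed at, since the rule id is what a maintainer needs to act on the report.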
Kouns is quick to point out that the OSVDB is very much a group effort, with fellow volunteers Chris Sullo, Forrest Rae, and Brian Martin providing the rest of the core horsepower that keeps the site running. In addition, a host of 50 to 75 "datamanglers" provide the updates that keep the site up-to-date.
by James Turner