[ISN] Volunteer Security Pros Launch Free Vulnerability Database

From: InfoSec News (isn@private)
Date: Tue Apr 06 2004 - 07:48:36 PDT

    http://www.eweek.com/article2/0,1759,1561608,00.asp
    
    By Dennis Fisher 
    April 2, 2004   
     
    A group of volunteer security professionals has compiled what is 
    likely one of the larger freely accessible vulnerability databases on 
    the Internet. The OSVDB (Open Source Vulnerability Database) is meant 
    to serve as a central collection point for information on any and all 
    security vulnerabilities. 
    
    Despite what you might assume from the name, the project's creators 
    are not just interested in collecting data on flaws in open-source 
    software. Instead, they're collecting information on vulnerabilities 
    from a wide variety of sources that they then distribute freely, under 
    an open-source license.
    
    The project, which went live on Wednesday, has been in the works since 
    2002. The team has spent most of its time since then gathering and 
    categorizing vulnerability data. Most of the records in the database 
    come from submissions to myriad security-related mailing lists. 
    
    OSVDB is run by a small group of security professionals who have 
    worked on the project on their own time. Jake Kouns, chief moderator 
    of the team, said the project so far has catalogued nearly 1,900 
    vulnerabilities, with another 2,700 or so submissions waiting to be 
    confirmed and edited. 
    
    Once a new vulnerability is found, one of more than two dozen 
    volunteer "data manglers" is assigned to confirm its veracity and get 
    the information in shape for inclusion in the database. The flaw is 
    then given a unique identifier and slated for database inclusion.
    
    Kouns said that the group is hoping to begin comparing its database 
    with other, similar stores, including the CVE (Common Vulnerabilities 
    and Exposures) project maintained by The Mitre Corp., so that it can 
    reference CVE numbers wherever they're applicable. The CVE project 
    assigns unique numbers to each new vulnerability and publishes a 
    one-line description of the problem.
    
    Currently, the OSVDB supports three open-source security products: the 
    Snort intrusion detection system, the Nessus network scanner and the 
    Nikto Web-server scanner.
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    
    This archive was generated by hypermail 2b30 : Tue Apr 06 2004 - 10:47:05 PDT