Open Source Vulnerability Database Goes Live
Alascom writes "The Open Source Vulnerability Database project has finally gone live. The project aims to provide comprehensive, free and unbiased (no vendor spin) vulnerability information. The database is being incorporated into such fine open source utilities as SNORT and NESSUS."
Running on PostgreSQL, too... (Score:5, Interesting)
<shameless>
Hey OSVBD folks, here's a little utility to do some PostgreSQL query analysis [rubyforge.org]!
</shameless>
Re:Running on PostgreSQL, too... (Score:2, Funny)
OSVD is the acronym, don't try to play it off. Would have been an excellent story to run yesterday.
Re:Running on PostgreSQL, too... (Score:1, Funny)
Argh...
s/VB/V/g
Re:Running on PostgreSQL, too... (Score:2, Funny)
www.linuxsecurity.com (Score:2)
Re:www.linuxsecurity.com (Score:3, Informative)
To be a proper challenge to Security Focus: (Score:1, Interesting)
2) Publish security papers a la SANS Reading room and SF Infocus.
If they can do that and the open source community would start using these, then SF and SANS would have some competition.
Re:Running on PostgreSQL, too... (Score:2)
Naming is important (Score:5, Interesting)
The name implied to me that it is only vulnerabilities in Open Source programs/systems that will be tracked, but reading the FAQ it seems to be that the database itself is open-source, and the database covers all systems. I think they could have named it better.
Simon
Re:Naming is important (Score:3, Funny)
Re:Naming is important (Score:3, Funny)
Old news (Score:4, Informative)
Re:Old news (Score:5, Insightful)
There's two conflicting maxims when it comes to updating systems:
'Always apply the latest updates' and 'If it ain't broke, don't fix it'.
Given that many people are both lazy and ignorant, they like to assume that if it appears to be working, it is, and thus they don't have to update/fix it. I imagine there's a lot of sendmail systems out there unpatched since before 2002. Old news, in terms of serious vulnerabilities, is therefore still highly relevant, since it provides a quick way of pointing and saying: 'Look, it is broken, fix it you lazy muppet'. :-)
Having said that, those are just the 'most recent entries' on the frontpage in relation to date of entry to the database. I think that's useful to have there so you know what's been added since a previous check.
Re:Old news (Score:2, Interesting)
Re:Old news (Score:2)
'Always apply the latest updates' and 'If it ain't broke, don't fix it'.
The latter maxim also applies to whoever is producing the "update". Especially if the software in question isn't written in a well structured way. With "spaghetti code" attempting to remove a bug or add a new feature can have all sorts of unwanted effects.
Re:Old news (Score:5, Informative)
Re:Old news (Score:2)
Re:Old news (Score:2)
Re:Old news (Score:2)
Any software which will accept
Re:Old news (Score:2, Informative)
Check out the FAQ for more information. [osvdb.org]
securityfocus (Score:2, Interesting)
Not really. (Score:4, Informative)
They forgot one. . . (Score:5, Funny)
Mmmmm.... (Score:4, Interesting)
Gotta love technology when it helps get the full-truth out there.
Re:Mmmmm.... (Score:2, Insightful)
Spin is everywhere where there is subjectivity.
Re:Mmmmm.... (Score:2)
If this thing becomes popular you don't think that every profit or non-profit group will use it to enforce their own narrow point of view?
Re:Mmmmm.... (Score:2)
By the way, want to buy some swampland in Florida?
Re:Mmmmm.... (Score:1)
Re:Mmmmm.... (Score:2)
Can hear MS from here (Score:4, Interesting)
How long will it take till they say that?
Re:Can hear MS from here (Score:3, Funny)
Re:Can hear MS from here (Score:2)
Re:Can hear MS from here (Score:1)
Re:Can hear MS from here (Score:5, Funny)
It's called the Microsoft Knowledge Base [microsoft.com]
Yes, that's a joke
Re:Can hear MS from here (Score:3, Interesting)
Re:Can hear MS from here (Score:2, Informative)
Re:Can hear MS from here (Score:2)
I mean, when was the last time we heard a debate amongst the Iranian leaders, the likes of what we see on C-SPAN? Does that mean their system is less volatile than our republic?
Full disclosure is vital to the security of open systems.
Re:Can hear MS from here (Score:2)
Google for "Microsoft Vulnerability" [google.com] yields 4,900 hits.
Google for "Linux Vulnerability" [google.com] yields 2,470 hits.
But, if you search another way...
Google for "Microsoft Exploit" [google.com] yields 993 hits,
Google for "Linux exploit" [google.com] yields 1880 hits.
So, it's all in the reporting. I mean, you know and I know that it's not surprising that there might be more hits for linux, cause the linux community tends to shout it loud that there are exploits, and that they're either fixed or being fixed, bu
Re:Can hear MS from here (Score:2, Informative)
You are comparing a company to Linux. Compare platform to platform instead.
Re:Can hear MS from here (Score:2, Interesting)
Re:Can hear MS from here (Score:2)
Like the ad that I saw at the ^^ top of slashdot that says "Microsoft windows server 11-22% cheaper in 4 out of 5 operations". But, that's whatever they consider TCO, and possibly not taking into account things like uptimes and reliability, etc. Plus, what about the 5th? Is linux 600% cheaper?
This is just one of those places that people can get their fuel to fan the fire.
Re:Can hear MS from here (Score:2)
Whoa, even I didn't expect that...
Re:Can hear MS from here (Score:2)
These numbers don't actually indicate the number of actual exploits...
So, it's all in the reporting. I mean, you know and I know that it's not surprising that there might be more hits for linux, cause the linux community tends to shout it loud that there are exploits, and that they're either fixed or being fixed,
The figures could mean that Windows and Linux have similar numbers
Re:Can hear MS from here (Score:3, Informative)
For instance do a search on Mozilla. They are issuing reports on vulnerabilities in 1.6. That represents a very big hole in Mozilla's normal security model, which relies on keeping all the vulnerabilities they have a secret for 2 minor versions. If this site starts making public the almost monthly arbitrary code execution vulnerabilities in Mozilla, while a lot
This is certainly a good thing. (Score:4, Insightful)
So don't flame over this... it will help make open source software more secure! Oh, right, and if you might think to the contrary, that people not knowing about vulnerabilities is the best way to go for security, you clearly need to do more research on the way open source software works, and why it is so effective.
Re:This is certainly a good thing. (Score:1)
All this extra exposure does is make more work for admins - yes, keeping on top of security updates is very important, but the current methodologies don't scale very well.
Re:This is certainly a good thing. (Score:1)
Re:This is certainly a good thing. (Score:2)
s/save/create/
Re:This is certainly a good thing. (Score:2)
Good stuff (Score:1)
Cool! (Score:4, Interesting)
Re:Cool! (Score:1)
Slashdotted? (Score:5, Informative)
Re:Slashdotted? (Score:2)
Oh, yeah, this'll be *real* useful (Score:3, Funny)
Re:Oh, yeah, this'll be *real* useful (Score:5, Funny)
Re:Oh, yeah, this'll be *real* useful (Score:4, Interesting)
Why would the data become obsolete after 8 hours? Not everyone runs out and installs the latest version of something for the hell of it you know.
Re:Oh, yeah, this'll be *real* useful (Score:1, Interesting)
With OSS, the monetary cost is often "free" -- which makes it ever so tempting to upgrade. The big exception here would be your production systems.
Comment removed (Score:5, Insightful)
Re:Oh, yeah, this'll be *real* useful (Score:5, Insightful)
Seems like they could fill a niche need here by allowing people to report vulnerabilities, but not automatically posting them until a set time after the report date. Then having it automatically notify the vendor of the vulnerability. The vendor could ignore it (in which case after a set interval the issue would go public) or fix it and let it go public sooner.
Just a thought.
Re: (Score:2)
Disagree (Score:1, Insightful)
Re:Disagree (Score:5, Insightful)
Regardless of the amount of time passed, the general public, or hacker public, does not need to know how to exploit these bugs, only that they exist, and are being fixed, and where to get the newest version.
And what happens when it isn't being fixed? Vendors have shown time and time again that unless pressure is put upon them, security fixes have a very low priority. Full disclosure is the best method of increasing that priority.
You miss the point. (Score:5, Insightful)
Information can be abused, yes, but personally, I think it is better than ignorance.
Re:You miss the point. (Score:1)
Re:You miss the point. (Score:2)
The idea that you have to be kept ignorant for your own protection is so intellectually and morally bankrupt that it boggles my mind that people keep using it. Of course it's reasonable to noti
Re:You miss the point. (Score:2, Insightful)
Regardless of the amount of time passed, the general public, or hacker public, does not need to know how to exploit these bugs, only that they exist, and are being fixed, and where to get the newest version.
He wants you to know that there is a flaw in your "mission-critical and sensitive systems," he just doesn't want the explicit instructions about how to do it.
The public can take over the responsibility for patching only on Open Sou
Re:You miss the point. (Score:1)
It is a very valid point that 95%+ of end-users don't need to have exploit code to know that their software is vulnerable (and I am a member of that group, as I am no developer). The burning question is whether exploit code should be published period. As a matter of principle I think it should, and many would agree with me. Information wants to be free, and we all know there are drawbacks to an open information society.
In the end, it comes down to dev
Re:You miss the point. (Score:2)
So what you're describing is not only believing that a vulnerability exists on face value of the claim, but that this vulnerability has also been mitigated based on the face value of a release from the vendor. This ignores several issues.
First, people do occasionally lie. I like to think that's a rarity. However, it's hard to claim somethin
Re:You miss the point. (Score:2)
Yes. To a point. But if you go back over my post, you'll note that I present a couple other reasons.
Actually, I think after years of building up... Microsoft is now feeling the pressure.
Re:Disagree (Score:2)
That's how this whole, weird 'open source' thingy works.
Cheers
Those poor moderators! (Score:2, Informative)
I wish you much success on completing your vulnerability update/addition modules so that your moderators' inboxes can have some breathing room!
With Retina [eeye.com] at $995 for 16 IP's, this additional gunpower for OSS will really keep the commercial vendors on their toes.
Maybe this will create a better turn-around time for M$'s "Security Initiative" too... Oh, wait, it's 4/2!
Open Source Vulnerability Database Goes Live... (Score:3, Funny)
Slashdot - bringing you customizable DDoS attacks for years to come.
Professionalism (Score:4, Insightful)
It's alright (Score:3, Insightful)
Charts (Score:2, Funny)
already been done (Score:5, Informative)
the MITRE Common Vulnerabilities and Exposures DB
http://www.cve.mitre.org/
Re:already been done (Score:5, Interesting)
You would be better off to compare the OSVDB against the ICAT metabase [nist.gov]
The ICAT has some serious shortcomings which make my work a big PAIN! (try to cross reference a specific vulnerability that matches 10 vulnerabilities).
OSVDB appears to better personify the open source paradigm in general, as such, I'd like to extend a warm welcome.
We expect great things from you.
Finally == Security Focus BIASED as hell (Score:4, Interesting)
Checklist (Score:1, Interesting)
Re:Checklist (Score:1)
Don't go to CI$ - they are basically repackaging DISA/NSA guidance, then charging for it!
A good idea (Score:1, Interesting)
Re:A good idea (Score:2)
New update to nessus please (Score:1, Funny)
Vulnerability to Slashdotting DDoS: High.
Well... I guess they just got their first bug (Score:1)
oval.mitre.org (Score:2, Informative)
In addition to listing WHAT the vulnerability is, it tries to define standardized methods for determining HOW to test for it.
What makes this database "open source" ? (Score:5, Insightful)
Calling something "open source" doesn't make it open or free (as in freedom). There are three issues of concern here.
First, the licensing terms [osvdb.org]. Why didn't they license the OSVDB database under a free license, whether it be GPL, GFDL, or even the BSD license? If OSVDB and its sponsors (including primarily Digital Defense, Inc. [digitaldefense.net], a privately held computer security firm) retain complete ownership of the content, and nobody has the right to fork the database or create derivative works, I can't see why it's being spun as "open source".
Second, I was concerned when I read the OSVDB's statement of intent to comply with the DMCA. A non-free (read: non-forkable) database based in the United States might not be the best idea. One DMCA injunction could shut it down. Since, from my reading of the terms and conditions, nobody has the right to duplicate or fork this database, the work could not continue outside the US if a DMCA injunction shut it down.
Third, the issue of neutrality and bias. I don't believe that a non-free database sponsored by a private security consulting firm based in the United States will be able to remain neutral for long. Private companies are under no obligations to disclose their partnerships or agreements with vendors.
You know, there are non-trivial, free (GFDL) databases [wikipedia.org] out there...the precedent exists for high quality, truly FREE content. I hope OSVDB considers licensing the content under the GFDL or BSD license.
Re:What makes this database "open source" ? (Score:2)
Re:What makes this database "open source" ? (Score:2)
We looked at dozens of OSI licenses and failed to find one which met all of the requirements. The fork-ability and lack of credit requirements are biting many OSS security projects in the ass right now...
If you don't want to open source the database, that's your prerogative. But you should not have called your project the Open Source Vulnerability Database! That's my whole point.
Canned Quote (Score:1)
"This agreement will be of significant benefit to both Sun and Microsoft customers. It will stimulate new products, delivering great new choices for customers who want to combine server products from multiple vendors and achieve seamless computing in a heterogeneous computing environment. We look forward to this opportunity - it provides a framework for cooperation between Sun and Micro
Easy livin' (Score:5, Insightful)
The local DB gets queried by the client for installed inventory, queries the remote server. Vulnerable SW is tagged with advisory instructions, including patch URLs, confirmation URLs, and "help me" URLs, as well as the URL of the Internet site with that support and more (discussions, etc). The client sends a notification email to the sysadmin, optionally including clickable HTML to install the patch packages (which are, of course, registered with the local DB). Confirmation reports are easily entered in the HTML interface, pointing at the client, which first posts them to the local DB cache for later analysis, then posts them to the remote OSVDB. Requests for help are passed to tech support, based on a policy config'ed when the client is installed: existing support contracts, filtered marketplace pool, government/industry referral service.
This infrastructure is the natural evolution of the global infosystem. It mirrors the evolution of the cell: we've got a cell (fire)wall already, and the nucleus (sysadmin server) is now growing a membrane (security infrastructure), with tRNA codes (patches) keeping homeostasis (uptime). As the organism (network) is sickened (exploited) by viruses (viruses) and genetic defects (bugs), vaccines (patches) and therapies (upgrades) keep the organism healthy, and reduce the risk of epidemic infection (every few days on the Internet). Once organisms got an immune system, and communities that worked with it, we took over the world from the volcanoes, eventually freeing our brains for human endeavors (gaming, surfing porn, online dating). If developers bundle the straightforward complexity in simple automated tools, the infosystem's health will become as implicit as our own.
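The inventory-matching step of the client described in the post above, as an added example that is not part of the original post and not OSVDB's own tooling: it assumes a constructed local inventory, a constructed advisory list with placeholder ids and example.invalid URLs, and an advisory format where every version below `fixed_in` is affected, then builds the sysadmin notification with the patch, confirmation and help URLs.

```python
from dataclasses import dataclass

# Constructed sample data for illustration; not OSVDB's real schema or feed.
# An advisory marks every version strictly below `fixed_in` as affected.
@dataclass(frozen=True)
class Advisory:
    ident: str        # placeholder id, not a real OSVDB entry
    product: str
    fixed_in: str
    patch_url: str
    confirm_url: str
    help_url: str

ADVISORIES = [
    Advisory("EXAMPLE-0001", "sendmail", "8.12.9",
             "https://example.invalid/patch/sendmail",
             "https://example.invalid/confirm/0001",
             "https://example.invalid/help/0001"),
    Advisory("EXAMPLE-0002", "openssh", "3.7.1",
             "https://example.invalid/patch/openssh",
             "https://example.invalid/confirm/0002",
             "https://example.invalid/help/0002"),
]

# Constructed local inventory, as the client would read it from the local DB.
INVENTORY = {"sendmail": "8.11.6", "openssh": "3.8", "bind": "9.2.3"}

def parse_version(v: str) -> tuple:
    """'8.12.9' -> ((0, 8), (0, 12), (0, 9)); numeric parts sort before text parts."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))

def find_vulnerable(inventory: dict, advisories: list) -> list:
    """Return (advisory, installed_version) pairs for installed software below fixed_in."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv.product)
        if installed is not None and parse_version(installed) < parse_version(adv.fixed_in):
            hits.append((adv, installed))
    return hits

def render_notification(hits: list) -> str:
    """Plain-text body of the sysadmin mail: one block per vulnerable package."""
    if not hits:
        return "No vulnerable software found in inventory.\n"
    lines = ["Vulnerable software detected:"]
    for adv, installed in hits:
        lines.append(f"- {adv.product} {installed} (fixed in {adv.fixed_in}) [{adv.ident}]")
        lines.append(f"    patch:   {adv.patch_url}")
        lines.append(f"    confirm: {adv.confirm_url}")
        lines.append(f"    help:    {adv.help_url}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_notification(find_vulnerable(INVENTORY, ADVISORIES)))
```

With the constructed data only sendmail is flagged: openssh 3.8 is already above the fixed-in version and bind has no advisory at all.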
Re:Easy livin' (Score:2)
No 'sort by date'? (Score:2)
This wont last long (Score:2)
Not very complete. (Score:1)
Interesting project, but it has some problems... (Score:1)
1) They don't provide an easy way for downloading the database. You have to accept their license to download it before getting the real thing. ICAT and CVE Mitre don't put such restrictions to use their databases.
2) The database schema is made for PostgreSQL: This is cool and all, but I don't wanna be tied or tie my tool with a particular database; What if I want to use MySQL or Sybase or Oracle or MSSQLServer? They should allow y
Re:Interesting project, but it has some problems.. (Score:1)
2. The ICAT Metabase is seriously flawed, even more so than the CVE.
3. The Schema may be for PostgreSQL, but the contents should be ANSI SQL compliant. Gee, so hard?
4. Are you even familiar with the CVE or ICAT? I think not.
Vulnerability? (Score:1)
Or, more likely, how long 'til they publish a vulnerability that they have failed to protect against?
Re:Can't handle load (Score:2)
Re:IT Koan (Score:1, Offtopic)