New News Entry - Mailing list pgsql-www
| From | www@www.postgresql.com (World Wide Web Owner) |
|---|---|
| Subject | New News Entry |
| Date | |
| Msg-id | 20040331203814.02828CF527A@www.postgresql.com Whole thread Raw |
| Responses |
Re: New News Entry
|
| List | pgsql-www |
A new entry has been added to the news database. Database Admin: http://www.postgresql.org/admin/edit_news.php?174 Submitted by: tyler@scurn.net Headline: Open Source Vulnerability Database Goes Live Summary: The Open Source Vulnerability Database (OSVDB), a project to catalog and describe the Internet\'s security vulnerabilities,opened for public use on 31 March 2004. Story: The Open Source Vulnerability Database (OSVDB), a project to catalog and describe the Internet\'s security vulnerabilities,opened for public use on 31 March 2004. The OSVDB project was launched in 2002 following a realization in the security community that no independent, community-operatedvulnerability database existed. There were, and still are, numerous vulnerability databases. Some of thesedatabases are managed by private interests to meet their own requirements, while others contain a limited subset ofvulnerabilities or have significant restrictions on their content. None are simultaneously comprehensive, open for freeuse, and answerable to the community. The OSVDB\'s organizers set out to implement a vulnerability database that meetsall those requirements. The OSVDB project has been successful in fulfilling its original objectives. The project concentrated at first on establishinga core group of project organizers, on creating the technical infrastructure to collect and validate vulnerabilitydata, and on building a team of contributors to create the open-source vulnerability records. These goals havebeen met, and the OSVDB team is now planning its next stage of growth. After a significant period of development - ineffect, an \"alpha\" release - it has been opened to the public as of 31 March 2004 at http://www.osvdb.org/. A GROWING PROBLEM According to CERT\'s statistics, the number of computer security vulnerabilities found each year has risen over two thousandpercent since 1995. Tracking these vulnerabilities and their cures is critical for those who protect networked systemsagainst accidental misuse and deliberate attack, from home users and small businesses to globe-spanning enterprises. Annual vulnerability announcements number in the thousands, well beyond the capacity for human memory to manage. Well-organizeddatabases, with verified contents and flexible search abilities, are required if these vulnerabilities areto be controlled by the security community. The OSVDB provides the necessary structure, technology, and content to supportthat community requirement for vulnerability management. AN OPEN SOLUTION The OSVDB\'s main goal is to be complete and to be without bias. It should serve as one-stop shopping for all vulnerabilityneeds. Developers creating vulnerability-assessment tools, system administrators protecting servers and networks,business staff assessing risks and remedies, academic researchers documenting analyzing the past and future of networksecurity: all expend effort to identify vulnerabilities, all work to document them consistently, all can benefit froma single, comprehensive source of vulnerability data. The OSVDB is this source, reducing duplication of effort whileit promotes data consistency. The OSVDB is unbiased and neutral in its practices for accepting, reviewing, and publishing vulnerabilities. Its open acceptanceof community input and internal review processes ensure that the vulnerability database is not colored by vendor-relatedbiases. OSVDB organizers believe that more than one vulnerability database is needed to meet the full varietyof community requirements. While it references the other vulnerability databases, it develops its own database entriesto ensure that there are no restrictions on distribution and re-use of the OSVDB vulnerability data: its contentsare free of cost and free of restrictions on use. FUTURE DIRECTIONS Licensing Research and analysis of licensing alternatives for the OSVDB products and services are underway. The OSVDB project teamexpects to produce the final project license in the second quarter of 2004. In the meantime, a working-draft licenseis in force (see the OSVDB website at http://www.osvdb.org/license.php). Formal non-profit standing The OSVDB team is currently working to provide the required legal status by incorporating an organization under United Stateslaw. The organization, tentatively named the Open Security Foundation, will be a private not-for-profit foundation.Its mission is to make information-technology (IT) security information and services freely available to all whoneed it. The foundation\'s initial project will be the Open Source Vulnerability Database, but it will be capable of hostingadditional security projects and will actively seek out suitable ones. OSVDB ethical vulnerability disclosure The OSVDB\'s policy on the release of vulnerability information will incorporate clear guidelines on the timing of notificationto the product developer, and of notification to the open security community. The OSVDB\'s approach will supportan ethical and predictable process for this release. The policy is expected to be published in the second quarterof 2004. Recruitment An open-source project succeeds or fails based on the support of its volunteer participants. The long-term viability of theOSVDB project depends on continuous success in recruiting new participants, and in recognizing the contributions of thosewho work within the project. Programs and initiatives to publicize the OSVDB\'s work and to recruit new participantswill be pursued in the second quarter of 2004 and continuously after that. Expansion of the vulnerability database In its initial development phase, the OSVDB project created an online content-management system to add vulnerability recordsto the database. The system supports the initial research and creation of records, the review process, and incorporationof the finalized records into the public database. Throughout initial use and testing, the system has been improvedcontinuously to streamline the needed tasks and to make it easier to perform the research and cross-referencing neededto complete a vulnerability record. This focus on ease of use will help contributors work efficiently and will speedthe creation of vulnerability records, leading to the desired expansion of the vulnerability database. Advanced vulnerability retrieval The vulnerability database is currently available in its entirety from the OSVDB website. The OSVDB is developing tools tomake it easy to search the vulnerability database on-line so that straightforward queries are easy to make. For those requiringa higher degree of automation in querying and retrieving vulnerabilities, an XML-formatted version of the databasewill be developed so that automated processes can query it remotely. The OSVDB system will also prototype automatedposting of vulnerabilities through an RSS-like \"push\" mechanism. Subscribers will receiver each new vulnerabilityat the moment it is cleared into the database, and can choose to set customized filters to receive a subsetof those records as needed. These new features are intended to be put in place over the second and third quarters of2004. Active integration with vulnerability tools Tracking existing and new vulnerabilities is one of the toughest challenges for developers of security tools. OSVDB is workingto streamline the process of identifying and setting priorities for the vulnerabilities it provides to tool developerslike the Nessus, Snort, and Nikto projects. In brief, the OSVDB will assist vulnerability-tool developers to identifyvulnerabilities that are not already represented in their products, and will provide a way to identify the high-priorityvulnerabilities for immediate attention. CONCLUSION The OSVDB is relatively new in the arena of open-source projects. It was first conceived in the summer of 2002, and has alreadyput in place much of the organization, technology, and process needed to meet its initial goals. Continuing to buildon that foundation, however, will allow the OSVDB to become more useful and more central to the information-technologysecurity community. The upcoming year promises not just incremental improvements to the OSVDB, butalso innovations to the existing legal and organizational structure of the project, a focus on recruitment of projectparticipants, and technical advances to make the project even more valuable to the security community. The OSVDB onlinesystem can be found at www.OSVDB.org. Complete information on the OSVDB\'s aims and objectives can be found at: http://osvdb.org/documentation.php MORE INFORMATION Jacob (Jake) Kouns Open Source Vulnerability Database Project: jkouns@osvdb.org JOIN THE PROJECT The network needs YOU! Check out the project FAQs at http://www.osvdb.org/faq.php, then join using the form at http://www.osvdb.org/newuser.php.\"