A new entry has been added to the news database.
Submitted by: tyler@scurn.net
Headline: Open Source Vulnerability Database Goes Live
Summary:
The Open Source Vulnerability Database (OSVDB), a project to catalog and describe the Internet's security vulnerabilities, opened for public use on 31 March 2004.
Story:
The Open Source Vulnerability Database (OSVDB), a project to catalog and describe the Internet's security vulnerabilities, opened for public use on 31 March 2004.
The OSVDB project was launched in 2002 following a realization in the security community that no independent, community-operated vulnerability database existed. There were, and still are, numerous vulnerability databases. Some of these databases are managed by private interests to meet their own requirements, while others contain a limited subset of vulnerabilities or have significant restrictions on their content. None are simultaneously comprehensive, open for free use, and answerable to the community. The OSVDB's organizers set out to implement a vulnerability database that meets all those requirements.
The OSVDB project has been successful in fulfilling its original objectives. The project concentrated at first on establishing a core group of project organizers, on creating the technical infrastructure to collect and validate vulnerability data, and on building a team of contributors to create the open-source vulnerability records. These goals have been met, and the OSVDB team is now planning its next stage of growth. After a significant period of development - in effect, an "alpha" release - it has been opened to the public as of 31 March 2004 at http://www.osvdb.org/.
A GROWING PROBLEM
According to CERT's statistics, the number of computer security vulnerabilities found each year has risen over two thousand percent since 1995. Tracking these vulnerabilities and their cures is critical for those who protect networked systems against accidental misuse and deliberate attack, from home users and small businesses to globe-spanning enterprises.
Annual vulnerability announcements number in the thousands, well beyond the capacity for human memory to manage. Well-organized databases, with verified contents and flexible search abilities, are required if these vulnerabilities are to be controlled by the security community. The OSVDB provides the necessary structure, technology, and content to support that community requirement for vulnerability management.
AN OPEN SOLUTION
The OSVDB's main goal is to be complete and to be without bias. It should serve as one-stop shopping for all vulnerability needs. Developers creating vulnerability-assessment tools, system administrators protecting servers and networks, business staff assessing risks and remedies, academic researchers documenting and analyzing the past and future of network security: all expend effort to identify vulnerabilities, all work to document them consistently, all can benefit from a single, comprehensive source of vulnerability data. The OSVDB is this source, reducing duplication of effort while it promotes data consistency.
The OSVDB is unbiased and neutral in its practices for accepting, reviewing, and publishing vulnerabilities. Its open acceptance of community input and internal review processes ensure that the vulnerability database is not colored by vendor-related biases. OSVDB organizers believe that more than one vulnerability database is needed to meet the full variety of community requirements. While it references the other vulnerability databases, it develops its own database entries to ensure that there are no restrictions on distribution and re-use of the OSVDB vulnerability data: its contents are free of cost and free of restrictions on use.
FUTURE DIRECTIONS
Licensing
Research and analysis of licensing alternatives for the OSVDB products and services are underway. The OSVDB project team expects to produce the final project license in the second quarter of 2004. In the meantime, a working-draft license is in force (see the OSVDB website at http://www.osvdb.org/license.php).
Formal non-profit standing
The OSVDB team is currently working to provide the required legal status by incorporating an organization under United States law. The organization, tentatively named the Open Security Foundation, will be a private not-for-profit foundation. Its mission is to make information-technology (IT) security information and services freely available to all who need it. The foundation's initial project will be the Open Source Vulnerability Database, but it will be capable of hosting additional security projects and will actively seek out suitable ones.
OSVDB ethical vulnerability disclosure
The OSVDB's policy on the release of vulnerability information will incorporate clear guidelines on the timing of notification to the product developer, and of notification to the open security community. The OSVDB's approach will support an ethical and predictable process for this release. The policy is expected to be published in the second quarter of 2004.
Recruitment
An open-source project succeeds or fails based on the support of its volunteer participants. The long-term viability of the OSVDB project depends on continuous success in recruiting new participants, and in recognizing the contributions of those who work within the project. Programs and initiatives to publicize the OSVDB's work and to recruit new participants will be pursued in the second quarter of 2004 and continuously after that.
Expansion of the vulnerability database
In its initial development phase, the OSVDB project created an online content-management system to add vulnerability records to the database. The system supports the initial research and creation of records, the review process, and incorporation of the finalized records into the public database. Throughout initial use and testing, the system has been improved continuously to streamline the needed tasks and to make it easier to perform the research and cross-referencing needed to complete a vulnerability record. This focus on ease of use will help contributors work efficiently and will speed the creation of vulnerability records, leading to the desired expansion of the vulnerability database.
Advanced vulnerability retrieval
The vulnerability database is currently available in its entirety from the OSVDB website. The OSVDB is developing tools to make it easy to search the vulnerability database on-line so that straightforward queries are easy to make. For those requiring a higher degree of automation in querying and retrieving vulnerabilities, an XML-formatted version of the database will be developed so that automated processes can query it remotely. The OSVDB system will also prototype automated posting of vulnerabilities through an RSS-like "push" mechanism. Subscribers will receive each new vulnerability at the moment it is cleared into the database, and can choose to set customized filters to receive a subset of those records as needed. These new features are intended to be put in place over the second and third quarters of 2004.
Active integration with vulnerability tools
Tracking existing and new vulnerabilities is one of the toughest challenges for developers of security tools. OSVDB is working to streamline the process of identifying and setting priorities for the vulnerabilities it provides to tool developers like the Nessus, Snort, and Nikto projects. In brief, the OSVDB will assist vulnerability-tool developers to identify vulnerabilities that are not already represented in their products, and will provide a way to identify the high-priority vulnerabilities for immediate attention.
CONCLUSION
The OSVDB is relatively new in the arena of open-source projects. It was first conceived in the summer of 2002, and has already put in place much of the organization, technology, and process needed to meet its initial goals. Continuing to build on that foundation, however, will allow the OSVDB to become more useful and more central to the information-technology security community. The upcoming year promises not just incremental improvements to the OSVDB, but also innovations to the existing legal and organizational structure of the project, a focus on recruitment of project participants, and technical advances to make the project even more valuable to the security community. The OSVDB online system can be found at www.OSVDB.org.
Complete information on the OSVDB's aims and objectives can be found at: http://osvdb.org/documentation.php
MORE INFORMATION
Jacob (Jake) Kouns Open Source Vulnerability Database Project: jkouns@osvdb.org
JOIN THE PROJECT
The network needs YOU! Check out the project FAQs at http://www.osvdb.org/faq.php, then join using the form at http://www.osvdb.org/newuser.php.