Friday, December 21, 2007

The Open-ness of the Open Source Vulnerability Database

There are a lot of open source initiatives out there that aren't just
software, but ways to get information into people's hands. Today an
open source supplier of security vulnerability information, the OSVDB,
went live with a whole new revision of its service. According to the
web site description, OSVDB is "an independent and open source
database created by and for the security community. The goal of the
project is to provide accurate, detailed, current, and unbiased
technical information on security vulnerabilities. The project will
promote greater, more open collaboration between companies and
individuals, eliminate redundant works, and reduce expenses inherent
with the development and maintenance of in-house vulnerability databases.
[Where] Common Vulnerabilities and Exposures (CVE) provides a
standardized name for vulnerabilities, much like a dictionary, OSVDB
is a database that provides a wealth of information about each
vulnerability. Where appropriate, entries in the OSVDB reference their
respective CVE names." The basic idea is pretty elegant: take all the
ethically disclosed software security information you can find and make
it available in as detailed and up-to-date a format as you can, without
favoring the interests of any particular software vendor. The results can
be, and have been, integrated with a number of third-party security
products such as Nikto -- itself an open source product.

[Note: OSVDB supports three database types for XML importation:
PostgreSQL, MySQL, and Microsoft Access. The database may also be
accessed through the XML export file directly. The XML export was
designed so that all database integrity is stored within the structure
of the XML file itself. By this means anyone can keep a local copy of the
current OSVDB snapshot, even in the absence of a local database such as
PostgreSQL. Another feature of the chosen format is the ease with which
this XML export can be integrated into products, using tools such as
XPath to pull all the information about a specific vulnerability
straight from the XML file.]
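As an added example of the "XPath straight from the XML file" approach described in the note, here is a small Python script that pulls one entry out of a local XML snapshot and does a reverse lookup by product, with no database involved. This is not OSVDB's own code or schema: the element names (vulnerabilities, vuln, osvdb_id, title, disclosure_date, cve_references/cve, products/product) and the sample snapshot are assumptions constructed for illustration, and the CVE value is an obvious placeholder. A real export would need its actual element names substituted.

```python
"""Query an OSVDB-style XML snapshot directly with XPath (stdlib only).

Added example, not OSVDB's own code. The element names and the sample
snapshot below are ASSUMED for illustration; check them against a real
export before using this on actual data.
"""
import xml.etree.ElementTree as ET

# Constructed sample snapshot (not real OSVDB data; CVE id is a placeholder).
SAMPLE_SNAPSHOT = """<?xml version="1.0" encoding="UTF-8"?>
<vulnerabilities>
  <vuln>
    <osvdb_id>10001</osvdb_id>
    <title>ExampleApp login.php Unauthenticated SQL Injection</title>
    <disclosure_date>2007-11-02</disclosure_date>
    <cve_references>
      <cve>CVE-0000-0001</cve>
    </cve_references>
    <products>
      <product vendor="ExampleCorp" name="ExampleApp" version="1.2"/>
      <product vendor="ExampleCorp" name="ExampleApp" version="1.3"/>
    </products>
  </vuln>
  <vuln>
    <osvdb_id>10002</osvdb_id>
    <title>OtherTool Remote Buffer Overflow</title>
    <disclosure_date>2007-12-10</disclosure_date>
    <cve_references/>
    <products>
      <product vendor="OtherVendor" name="OtherTool" version="2.0"/>
    </products>
  </vuln>
</vulnerabilities>
"""


def load_snapshot(xml_text):
    """Parse the snapshot text into an element tree root.

    The snapshot is treated as trusted local data; for XML from an
    untrusted source, parse with a hardened parser such as defusedxml.
    """
    return ET.fromstring(xml_text)


def find_vuln(root, osvdb_id):
    """Return the <vuln> element with the given <osvdb_id>, or None.

    The id is validated as digits before it is interpolated into the
    XPath predicate, so a caller cannot alter the query with quotes.
    """
    sid = str(osvdb_id)
    if not sid.isdigit():
        raise ValueError("osvdb_id must be numeric: %r" % osvdb_id)
    # ElementTree supports the limited XPath subset used here.
    return root.find("./vuln[osvdb_id='%s']" % sid)


def vuln_summary(root, osvdb_id):
    """Collect the interesting fields of one entry into a plain dict."""
    el = find_vuln(root, osvdb_id)
    if el is None:
        return None
    return {
        "osvdb_id": int(osvdb_id),
        "title": el.findtext("title"),
        "disclosure_date": el.findtext("disclosure_date"),
        "cves": [c.text for c in el.findall("cve_references/cve")],
        "products": [
            (p.get("vendor"), p.get("name"), p.get("version"))
            for p in el.findall("products/product")
        ],
    }


def vulns_for_product(root, vendor, name):
    """Reverse lookup: OSVDB ids of all entries affecting vendor/name.

    The vendor and product are compared in Python rather than built into
    an XPath string, which sidesteps quoting problems with names that
    contain apostrophes. Each id is reported once even if several
    versions of the product match.
    """
    ids = []
    for v in root.findall("./vuln"):
        for p in v.findall("products/product"):
            if p.get("vendor") == vendor and p.get("name") == name:
                ids.append(int(v.findtext("osvdb_id")))
                break
    return ids


if __name__ == "__main__":
    root = load_snapshot(SAMPLE_SNAPSHOT)
    print(vuln_summary(root, 10001))
    print("ExampleApp entries:", vulns_for_product(root, "ExampleCorp", "ExampleApp"))
```

The same two functions work unchanged against a file on disk (`ET.parse(path).getroot()` in place of `load_snapshot`), which is the "local copy of the current snapshot" use case the note describes.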
