Time

Posted by lyger Wed, 17 Jun 2009 04:05:00 GMT

Like many nights, Jericho and I had a conversation. Unlike many nights, this one might actually be of interest to someone other than us (this pertains to how OSVDB gets new data into the queue):

jericho (6/16/2009 8:48:48 PM): Original Advisory: FEDORA-2009-5368: https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00731.html
Lyger (6/16/2009 8:48:57 PM): so just need to bump the scrape down a line
Lyger (6/16/2009 8:50:32 PM): takes an extra 10 seconds per vuln
Lyger (6/16/2009 8:50:39 PM): but multiply by 100
Lyger (6/16/2009 8:50:43 PM): adds up
jericho (6/16/2009 8:50:56 PM): yep
jericho (6/16/2009 8:51:09 PM): "only takes a second"
jericho (6/16/2009 8:51:16 PM): this was when i averaged 100 ndm a day
Lyger (6/16/2009 8:51:32 PM): 10 seconds, 20 vulns a day for me...
Lyger (6/16/2009 8:51:43 PM): three minutes per day
Lyger (6/16/2009 8:51:51 PM): 20 minutes a week
Lyger (6/16/2009 8:51:58 PM): 1.5 hours a month
Lyger (6/16/2009 8:52:00 PM): etc etc

Think about that: something that "only takes a second" seems somewhat insignificant in a single instance, but when you multiply it over days, weeks, months... years... the time adds up. To be honest, time is what we (OSF) have been fighting against for years. If we individually spend an extra ten seconds working on one vulnerability, just to add references or classifications, no big deal, right? But then you might see that if we work on 20 or 30 a day, that's an extra 4 or 5 minutes a day, about an extra 30 minutes a week, around two hours a month, and approximately one day out of a year.

Personally, I'd like to have my day back (when I can get it, preferably somewhere in Hawaii and on the OSF dime).

For quite a while, we've been asking for volunteers to spend maybe even 15 minutes a week on this project. That would add up to an hour a month, and multiplying that by even 10 solid hardcore volunteers (or 50 occasional ones) would be amazing. They would get no pay and no benefits, but maybe a t-shirt, a "thank you", and a feeling of giving something back to the security community. All for even 15 minutes a week...

Or about two minutes a day...

YMMV.


If You Can't, How Can We?

Posted by jericho Sat, 25 Apr 2009 10:55:00 GMT

Steve Christey w/ CVE recently posted that trying to keep up with Linux Kernel issues was getting to be a burden. Whether some of these issues are even security related, not even the Kernel devs fully know. While this is a good example of the issues VDBs face, it’s really the tip of the iceberg. Until their recent adoption of CVE identifiers, trying to distinguish Oracle vulnerabilities from each other was what you did as a gentle relief from a few hours of being water-boarded. Lately, Mozilla advisories are getting worse as they clump a dozen issues with "evidence of memory corruption" into a single advisory, which then gets lumped into a single CVE. It doesn’t matter that they can be exploited separately or that some may not be exploitable at all. Reading the bugzilla entries that cover the issues is headache-inducing, as their own devs frequently don’t understand the extent of the issues. That is, if they make the bugzilla entry public at all. If the Linux Kernel devs and Mozilla browser wonks cannot figure out the extent of the issue, how are VDBs supposed to?

Being "open source" isn’t some get-out-of-VDB free card. You’re supposed to be better than your closed-source rivals. You’re supposed to care about your customers and be open about security issues. An advisory full of "may" and "evidence of" is nothing more than a FUD-filled excuse to blindly upgrade without understanding the real threat or exposure to the end-user.

Steve’s post is a good view of how some VDBs feel about the issue: http://marc.info/?l=oss-security&m=124061708428439&w=2

Tonight, I followed up on his thoughts and gave more of my own (original: http://marc.info/?l=oss-security&m=124065500729868&w=2):

A question, really?

I’d like to reiterate what Steve Christey said in the last 24 hours, about the Linux Kernel vulnerabilities becoming a serious drain on CVE. Historically, OSVDB has relied on Secunia and CVE to sort out the Linux Kernel vulnerability messes. Both VDBs have full-time staff that can dedicate time to figuring out such nuances as those above.

Not to pick on Eugene specifically, but I feel he makes a great example of my point. There are nuances that a "Senior Security Engineer at Red Hat" who specializes in "OS and Application Security, Project Management, Vulnerability Analysis, Code-level Auditing, Penetration Testing, Red Hat Products and Services, Financial Services Technical Account Management" cannot definitively distinguish between in Kernel vulnerabilities. If Eugene cannot say with certainty these deserve two CVE numbers, how can Steve or his staff?

VDBs deal with thousands of vulnerabilities a year, ranging from PHP applications to Oracle to Windows services to SCADA software to cellular telephones. We’re expected to have a basic understanding of ‘vulnerabilities’, but this isn’t 1995. Software and vulnerabilities have evolved over the years. They have moved from straightforward overflows (before buffer vs stack vs heap vs underflow) and one type of XSS to a wide variety of issues that are far from trivial to exploit. For fifteen years, it has been a balancing act for VDBs when including Denial of Service (DoS) vulnerabilities, because the details are often sparse and it is not clear if an unprivileged user can reasonably affect availability. Jump to today, where the software developers cannot, or will not, tell the masses what the real issue is.

This isn’t just a Linux Kernel issue at all. The recent round of advisories from Mozilla contain obscure wording that allude to "memory corruption" implying arbitrary code execution. If you follow the links to the bugzilla reports, the wording becomes a quagmire of terms that not even the developers can keep up on [1] [2]. That’s if they even open the bugzilla entry reference in the advisory [3]. Again, how are people not intimately familiar with the code base supposed to understand these reports and give a reasonable definition of the vulnerability? How do we translate that mess of coder jargon into a 1 - 10 score for severity?

It is important that VDBs continue to track these issues, and it is great that we have more insight and contact with the development teams of various projects. However, this insight and contact has paved the way for a new set of problems that over-tax an already burdened effort. MITRE receives almost 5 million dollars a year from the U.S. government to fund the C*E effort, including CVE [Based on FOIA information]. If they cannot keep up with these vulnerabilities, how do their "competitors", especially free / open source ones [5], have a chance?

Projects like the Linux Kernel are familiar with CVE entries. Many Linux distributions are CVE Numbering Authorities, and can assign a CVE entry to a particular vulnerability. It’s time that you (collectively) properly document and explain vulnerabilities so that VDBs don’t have to do the source code analysis, patch reversals or play 20 questions with the development team. Provide a clear understanding of what the vulnerability is so that we may properly document it, and customers can then judge the severity of issue and act on it accordingly.

I believe this is a case where over-exposure to near-proprietary technical details of a product has become the antithesis of closed-source vague disclosures like those from Microsoft or Oracle [which are just as difficult to deal with in a totally different way].

(update: We’re now aware of comments not working and feedback not being submitted; we’ll get that resolved ASAP. In the meantime, please mail feedback to moderators[at]osvdb.org)


Open Security Foundation Wins the SC Magazine 2009 Editor's Choice Award

Posted by lyger Wed, 22 Apr 2009 16:42:00 GMT

Festivities in San Francisco wrapped up last night, and OSF was presented with SC Magazine’s 2009 Editor’s Choice Award.  Thanks to everyone who has supported OSF in the past and present, and we definitely hope you’ll continue to support us in the future!

http://attrition.org/news/content/09-04-22.001.html


Open Security Foundation at RSA

Posted by jkouns Thu, 16 Apr 2009 02:37:00 GMT

A few members of the Open Security Foundation will be at RSA for a couple days.  If anyone is going to be there and would like to meet up please let us know.  At this point, we have most of the day on Tuesday open.  Also, if you have any free day passes to the conference let us know that as well! =)


OSVDB Discussed on Faceoff Podcast

Posted by jkouns Wed, 25 Feb 2009 06:55:00 GMT

We just recently noticed that OSVDB was discussed during a podcast called Faceoff, started by Jade Robbins and Mark Sanborn.  In Episode 5: Scaling to Hit it Big, at about 19:54, they talk about OSVDB for several minutes.  They cover the project in general and also review several of the basic features of OSVDB and how someone can use the site.  They speak about the search capabilities and even mention that OSVDB has a vulnerability from back in 1965.  This was submitted by Ryan Russell as part of our oldest vulnerability contest, and I can now say Ryan has finally received his OSVDB schwag... it only took a couple of years for him to get it! =)

They also explain that, in addition to the website, the OSVDB database itself can be downloaded and used.  To clarify a point they discuss, once you create an account with OSVDB you can download the database as many times as you want.  They also spend some time discussing our Watchlist feature, which I thought was pretty cool to see mentioned.  For those that are not aware, when you create an account you can then set up two types of Watchlists.

The Vendor/Product Watchlist
This watchlist will alert you to vulnerabilities for specific products that you subscribe to. Alerts are generated when a vulnerability is updated to include the product and vendor information. Soon, we may introduce a feature that will enable alerting as soon as the vulnerability is processed through our systems.

The Mailing List Aggregation Watchlist
OSVDB allows you to subscribe to roughly 20 vendor advisory mailing lists. The advisory mailings are sent to OSVDB, we process them, and forward them on to you. That way, rather than managing 20 individual advisory subscriptions, you only need to manage one through OSVDB.

Thanks to the guys at Faceoff for their support; the entire podcast is worth listening to.  It did make us laugh a bit when they commented at one point that Wordpress has all kinds of vulnerabilities. Most of our dedicated readers know about the ongoing Wordpress issues we had and our eventual move away from it!  =)

Thanks also to Ryan Heimbuch for suggesting OSVDB to be reviewed.

OSVDB can also now be followed on Twitter:  http://www.twitter.com/osvdb


Who discovered the most vulns?

Posted by jericho Wed, 18 Feb 2009 03:31:00 GMT


This is a question OSVDB moderators, CVE staff and countless other VDB maintainers have asked. Today, Gunter Ollmann with IBM X-Force released his research trying to answer this question. Before you read on, I think this research is excellent. The relatively few criticisms I bring up are not the fault of Ollmann’s research and methodology, but the fault of his VDB of choice (and *every* other VDB) not having a complete data set.

Skimming his list, my first thought was that he was missing someone. Doing a quick search of OSVDB, I see that Lostmon Lords (aka ‘lostmon’) has close to 350 vulnerabilities published. How could the top ten list miss someone like this when his #10 only had 147? Read down to Ollmann’s caveat and there is a valid point, but sketchy wording. The data he is using relies on this information being public. As the caveat says though, "because they were disclosed on non-public lists" implies that the only source he or X-Force are using are mail lists such as Bugtraq and Full-disclosure. Back in the day, that was a pretty reliable source for a very high percentage of vulnerability information. In recent years though, a VDB must look at other sources of information to get a better picture. Web sites such as milw0rm get a steady stream of vulnerability information that is frequently not cross-posted to mail lists. In addition, many researchers (including lostmon) mail their discoveries directly to the VDBs and bypass the public mail lists. If researchers mail a few VDBs and not the rest, it creates a situation where the VDBs must start watching each other. This in turn leads to "VDB inbreeding" that Jake and I mentioned at CanSecWest 2005, which is a necessary evil if you want more data on vulnerabilities.

In May of 2008, OSVDB did the same research Ollmann did and we came up with different results. This was based on data we had available, which is still admittedly very incomplete (we always need data manglers). So who is right? Neither of us. Well, perhaps he is, perhaps we are, but unfortunately we’re both working with incomplete databases. In my opinion, OSVDB has better coverage of vulnerabilities, while X-Force clearly has better consistency in their data and a fraction of the gaps we do.

Last, this data is interesting as is, but would be really fascinating if it was mixed with ‘researcher confidence’ (a big thing of Steve Christey/CVE and myself), in which we track a researcher’s track record for accuracy in disclosure. Someone that disclosed 500 vulnerabilities last year with a 10% error rate should not be above someone who found 475 with a 0% error rate. In addition, as Ollmann’s caveat says, these are pure numbers and do not factor in hundreds of XSS versus remote code execution in operating system default install services. Having a weight system that can be applied to a vulnerability (e.g., XSS = 3, SQLi = 7, remote code exec = 9) that is then factored into a researcher’s score could move beyond "who discovered the most" and perhaps start to answer "who found the most respectable vulnerabilities".
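As an added illustration of the ranking idea above (this is example code written for this page, not OSVDB's or X-Force's own methodology), the script below ranks constructed researcher data two ways: by raw count, and by the post's class weights (XSS = 3, SQLi = 7, RCE = 9) scaled by each researcher's accuracy. The scoring formula, the researcher names and their disclosure counts are all assumptions made here.

```python
# Added example: raw-count ranking versus a class-weighted, accuracy-scaled
# ranking of vulnerability researchers. Weights are the ones suggested in the
# post; the formula (weighted total * (1 - error_rate)) is an assumption.
from collections import Counter

# Class weights from the post: XSS = 3, SQLi = 7, remote code execution = 9.
WEIGHTS = {"xss": 3, "sqli": 7, "rce": 9}

# Constructed sample data (not real researchers or real figures):
#   name -> (disclosures per class, fraction later found to be wrong)
RESEARCHERS = {
    "alice": (Counter(xss=450, sqli=40, rce=10), 0.10),   # 500 vulns, 10% error
    "bob":   (Counter(xss=300, sqli=125, rce=50), 0.00),  # 475 vulns, 0% error
    "carol": (Counter(xss=10, sqli=20, rce=180), 0.00),   # 210 vulns, mostly RCE
}


def raw_count(counts):
    """The 'who discovered the most' number: every disclosure counts as 1."""
    return sum(counts.values())


def weighted_score(counts, error_rate):
    """Class-weighted total, scaled by the researcher's accuracy (1 - error)."""
    total = sum(WEIGHTS[cls] * n for cls, n in counts.items())
    return round(total * (1.0 - error_rate), 1)


def rank_by_count(researchers):
    return sorted(researchers,
                  key=lambda r: raw_count(researchers[r][0]), reverse=True)


def rank_by_weighted(researchers):
    return sorted(researchers,
                  key=lambda r: weighted_score(*researchers[r]), reverse=True)


if __name__ == "__main__":
    # alice tops the raw count, but her 10% error rate and XSS-heavy mix drop
    # her below bob (accurate, 475 vulns) and carol (far fewer, mostly RCE).
    for name in rank_by_count(RESEARCHERS):
        counts, err = RESEARCHERS[name]
        print(f"{name:6} count={raw_count(counts):4} "
              f"weighted={weighted_score(counts, err):7}")
    print("by count:   ", rank_by_count(RESEARCHERS))
    print("by weighted:", rank_by_weighted(RESEARCHERS))
```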


Welcoming in 2009

Posted by lyger Thu, 01 Jan 2009 05:24:00 GMT

OSVDB would like to wish everyone a happy and hopefully prosperous new year!  2008 was pretty cool for us as far as enhancements and support of OSVDB 2.0 go, and we were very happy to add over 11,000 new vulnerabilities to the database in the last year.  We currently have over 51,000 vulnerabilities in the database to start the new year, and would like to invite everyone to please consider adding to this resource, whether you have a user account or not.  We can use (and will gladly accept) as much help and input as we can get, so if you’re lacking a New Year’s resolution, maybe consider an hour a week to help the security industry gather and share knowledge about vulnerabilities.

OSVDB Account Signup

If you have any questions, comments, or ideas, please contact us at moderators@osvdb.org

General information can be found at Opensecurityfoundation.org

Happy new year, everyone! 


No Safety In Numbers

Posted by jkouns Fri, 21 Nov 2008 05:31:00 GMT

From time to time we take a moment as a team to reflect on the project.  In most cases a major milestone occurs and gets us to think about OSVDB and the security industry.   Today OSVDB went over 50,000 entries in the database.  One must keep in mind that these are only the vulnerabilities that the industry knows about or that have been made public.  It has been said before that until you can truly measure something and express it in numbers, you have only the very beginning of understanding on the subject.  OSVDB continues to promote a greater understanding by providing accurate, detailed, current, and unbiased technical information on security vulnerabilities.


Looking for Volunteer Rails Developers!

Posted by d2d Tue, 11 Nov 2008 03:50:00 GMT

The Open Security Foundation is looking for a few good Ruby on Rails developers to help us on a volunteer basis in developing and enhancing osvdb.org, as well as datalossdb.org.

We need folks who are interested in security, with a background in Ruby on Rails development.  

For helping on OSVDB, you really need to have a solid understanding in these areas:

  • Single-table inheritance
  • SOLR
  • html/css/js

Dataloss DB isn’t as complex.  A volunteer needs only to be experienced with REST and to have already worked on RoR projects, but knowledge of and experience with SOLR will help with the learning curve!

Both projects require experience with Subversion, and decent written communication skills.

If you’re interested in helping out, we encourage you to email us at:

moderators@osvdb.org (for OSVDB work), or curators@datalossdb.org (for datalossdb.org work).

In your email, please send a quick and informal resume with links to Ruby on Rails work you’ve done in the past, or projects you’re currently working on.

It’s not a job… it’s an adventure (or a hobby, or just a way to do something important for the InfoSec community!)


OSVDB in Vegas...

Posted by jkouns Fri, 01 Aug 2008 03:35:00 GMT

The OSVDB team will definitely be in Vegas this year.  If you would like to meet up then please drop a line to moderators@osvdb.org and let us know.   Typically we organize an OSVDB dinner but we have been a little slack in organizing it this year!  If you are interested let us know and we will see what we can make happen...

Look forward to seeing everyone soon...
