Three Projects For SoC 2008

Posted by jkouns Tue, 22 Apr 2008 04:04:45 GMT

We are pleased to report that OSVDB has been provided three projects for 2008. We would like to thank everyone that applied and encourage students that were not selected to still consider getting involved with the project. We had quite a few great applications but were unable to accept any more due to our limited mentoring resources this summer and the large number of new organizations taking part in SoC this year.

Here are the projects that were selected:

Patch Management Portal by Ronny Yabar Aizcorbe, mentored by David Shettler: The system will provide a way to define when a patch should be in development, testing or production status, and will allow users to select vulnerabilities and patches based on the OSVDB watch list. The main components of the tool will be: Prioritization and scheduling, Testing, Implementation and Compliance.

OSVDB Widgets and Gadgets by Marc Augustin, mentored by Chris Newby: This project is intended to use OSVDB as its main data source while serving as a security dashboard for professionals, delivered via Gadgets and Widgets.

OSVDB Training Portal Framework by Sergios Pericleous, mentored by Jake Kouns: This project will create a training framework which will aim to integrate as much as possible with the existing OSVDB portal. The portal will allow specific admin users to create training material and quizzes for end-users, and it will also allow end-users to read this training material and make comments on it, take the quizzes and receive a score, and to track their progress using a progress report and graphs.

Congrats Ronny, Marc and Sergios and we look forward to another successful summer!


Comments

  1. ryanlrussell said 36 minutes later:

    Oh? As one of the co-moderators at patchmanagement.org, item 1 sounds interesting. I suspect you’ve got a typo there… “when a patched should be” doesn’t parse for me. Is this something to track a “patch” link per vuln?

  2. jkouns said about 1 hour later:

    We would love to have your input on the Patch Management Portal. One of the things that OSVDB has always struggled with is trying to remain pure to tracking the root vulnerabilities while also making the data useful for individuals. If Microsoft releases one patch that contains five vulns… what does the end user care about? One could argue that they only want to ensure that the patch is applied (hence they would only want to track one “patch” and not five as it would be broken out into separate OSVDB IDs). We have run into similar concerns/questions with our Watchlist features… have you seen the new watchlist feature that tracks vendor advisories? Anyways, I believe we have some ideas on how to group vulns and/or use patch IDs while still linking to OSVDB IDs to make it useful from both viewpoints. This is definitely something that needs to be figured out this summer!

    Wanna help?

  3. Dominic White said 1 day later:

    While we’re on the patch bandwagon. I spent two years of my life writing a large dissertation on patch management with specific references to OSVDB @ http://singe.za.net/masters/thesis/ I would love to at least watch what you guys do.
