Posted by jericho
Fri, 19 Feb 2010 06:06:00 GMT
Over the years, security practitioners have been interested in specific metrics related to vulnerability timelines. Certain dates, when present in an entry, can be used to derive additional information about the timeline and how the vulnerability was handled.
Using Vendor Informed Date and Vendor Solution Date, we can derive "time to patch". This is the amount of time between the vendor learning about a vulnerability and providing a solution (i.e., patch, workaround, upgrade).
Using Exploit Publish Date and Vendor Solution Date, we can derive "time of exposure". This is the amount of time between the publication of exploit code and the vendor providing a solution. For these vulnerabilities there is no doubt that an attacker could exploit the vulnerability, and a target has no practical solution. Any vulnerability that has been disclosed may be exploited, but a lack of details may make it considerably more difficult, raising the bar so that only dedicated attackers can use the information. For such disclosures the time of exposure is still there, but the circumstances for exploitation are questionable.
In the past, eEye prominently displayed the vendor's time to patch on their advisories. eEye also began tracking "zero day threats", highlighting "days of exposure". The Zero Day Initiative (ZDI) tracks time to patch for upcoming advisories as well. Unfortunately for the industry, time to patch information was tracked only for eEye and ZDI advisories.
OSVDB has made changes to better track both time to patch and time of exposure. First, the display of the related dates has been re-worked to present a more distinct timeline, with extrapolated times below it (e.g., http://osvdb.org/22582). Second, you can now quickly browse the worst offenders:
Time of Exposure - http://osvdb.org/browse/time_of_exposure
Time to Patch - http://osvdb.org/browse/time_to_patch
Know of any offenders that aren't on these lists? Feel free to mangle the entry and add missing dates, or simply contact us with a CVE identifier, OSVDB ID or information about the vulnerability.
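The two metrics above, and the "worst offenders" ranking behind the browse pages, are simple enough to be worth writing down precisely, because the edge cases are where a ranking goes wrong: a missing date means the metric cannot be derived at all (the entry must be left out, not counted as zero), an exploit published after the fix gives an exposure of zero rather than a negative number, and an entry with public exploit code but no solution has an exposure window that is still open and growing. The following is an added example, not OSVDB's own code; the `VulnEntry` record, the sample entries and the choice to measure an unpatched entry's exposure up to an `as_of` date are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class VulnEntry:
    """One vulnerability record carrying the timeline dates named in the post.
    Any date may be None when the database does not know it.
    (Hypothetical structure for this example, not OSVDB's schema.)"""
    osvdb_id: int
    vendor_informed: Optional[date]
    exploit_publish: Optional[date]
    vendor_solution: Optional[date]


def time_to_patch(e: VulnEntry) -> Optional[int]:
    """Days from the vendor learning of the flaw to a solution (patch,
    workaround or upgrade). None when either date is missing, or when the
    solution predates notification: such a record is inconsistent (or a
    silent fix) and must not be ranked as if it were a real figure."""
    if e.vendor_informed is None or e.vendor_solution is None:
        return None
    days = (e.vendor_solution - e.vendor_informed).days
    return days if days >= 0 else None


def time_of_exposure(e: VulnEntry, as_of: date) -> Optional[int]:
    """Days during which exploit code was public and no vendor solution
    existed. None when no exploit is known to be public. An entry that is
    still unpatched is measured up to `as_of` (assumption of this example:
    the window is open and grows daily). An exploit published after the
    fix yields 0, never a negative number."""
    if e.exploit_publish is None:
        return None
    end = e.vendor_solution if e.vendor_solution is not None else as_of
    return max((end - e.exploit_publish).days, 0)


def is_unpatched(e: VulnEntry) -> bool:
    """True when no vendor solution is recorded for the entry."""
    return e.vendor_solution is None


def worst_offenders(entries: List[VulnEntry],
                    metric: Callable[[VulnEntry], Optional[int]],
                    limit: int = 10) -> List[Tuple[int, int]]:
    """Rank entries by a metric, longest first; entries for which the metric
    cannot be derived are left out rather than counted as zero. Ties are
    broken by OSVDB ID so the ranking is stable."""
    scored = [(e.osvdb_id, metric(e)) for e in entries]
    ranked = [(i, d) for i, d in scored if d is not None]
    ranked.sort(key=lambda x: (-x[1], x[0]))
    return ranked[:limit]


# Constructed sample entries; the IDs and dates are made up for this example.
AS_OF = date(2010, 2, 19)
SAMPLE = [
    # informed, exploit public, then fixed: both metrics derivable
    VulnEntry(1001, date(2009, 1, 10), date(2009, 3, 1), date(2009, 4, 15)),
    # fixed two days after notification, no public exploit: no exposure metric
    VulnEntry(1002, date(2009, 6, 1), None, date(2009, 6, 3)),
    # public exploit, vendor never informed, still unpatched: exposure is open
    VulnEntry(1003, None, date(2009, 9, 20), None),
    # exploit appeared ten days after the fix: exposure is zero
    VulnEntry(1004, date(2009, 11, 1), date(2009, 12, 20), date(2009, 12, 10)),
    # solution dated before notification: time to patch is inconsistent
    VulnEntry(1005, date(2009, 8, 5), date(2009, 8, 5), date(2009, 8, 1)),
]

if __name__ == "__main__":
    for e in SAMPLE:
        flag = " (still unpatched)" if is_unpatched(e) else ""
        print(f"OSVDB {e.osvdb_id}: time to patch={time_to_patch(e)}, "
              f"time of exposure={time_of_exposure(e, AS_OF)}{flag}")
    print("worst time of exposure:",
          worst_offenders(SAMPLE, lambda e: time_of_exposure(e, AS_OF)))
    print("worst time to patch:", worst_offenders(SAMPLE, time_to_patch))
```

When run, the still-unpatched entry tops the exposure list, the entry with no public exploit is absent from it, and the entry whose solution predates notification is absent from the time to patch list; that is the behaviour you want before publishing a list that names vendors.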
Posted in OSVDB News, Vulnerability Databases | no comments
Posted by jkouns
Fri, 12 Feb 2010 21:24:00 GMT
The Open Security Foundation (OSF) is an internationally recognized 501(c)(3) non-profit public organization seeking senior leaders capable of providing broad-based perspective on information security, business management and fundraising to volunteer for an Advisory Board. The Advisory Board will provide insight and guidance when developing future plans, an open forum for reviewing community feedback and a broader view when prioritizing potential new services.
OSF was founded in 2004 and has been operated by information security enthusiasts since its inception. We exist to empower all types of organizations by providing knowledge and resources so that they may properly protect, detect and mitigate information security risks. We believe that security information and services should be easily accessible for all who have the need for such information. We promote open collaboration between companies and individuals, provide unbiased information to uphold educated decision-making, and attempt to eliminate the need for redundant works while striving to improve organizations' overall security posture.
Prospective Advisory Board members should show an ability and willingness to:
-Participate actively in all meetings of the Advisory Board (2 times per year and as otherwise needed)
-Represent OSF and its mission to organizations and the general public
-Review and provide feedback for proposed OSF plans
-Chair and serve as members of committees
-Assist in locating and developing funding sources for OSF
Name:
Phone Number:
Email Address:
Area of Expertise:
The call for Advisory Board volunteers will be open until March 19, 2010. We will review all submissions by March 31, 2010.
Posted in OSVDB News | no comments
Posted by jkouns
Sat, 06 Feb 2010 06:27:00 GMT
The Open Security Foundation (OSF) has grown from a humble beginning in 2004 to an internationally recognized 501(c)(3) non-profit public organization. Through the work of a small team of dedicated information security enthusiasts, the Open Source Vulnerability Database (OSVDB) and DataLossDB projects have provided organizations of all sizes with the knowledge and resources to accurately detect, protect and mitigate information security risks. OSF research is often cited throughout the security industry and the organization was honored by being named winner of the SC Magazine's Editors Choice award for 2009.
To ensure the highest quality information that has become the trademark of OSF, a tremendous amount of effort is expended on a daily basis by OSF volunteers to process an ever increasing amount of data loss and vulnerability reports. Over the years, many volunteers have been involved in the projects, but for the most part the heavy lifting has been the work of only a few very dedicated volunteers. The "open source" approach to resourcing the projects has been successful to date but is now proving to be an unsustainable model. With long-term sustainability and increased services as our goal, we have initiated a comprehensive review of our current operations, our existing approach to project funding and the creation of potential new services for the security community.
As a start, we plan to do a better job of sharing our view on the state of the information security industry and creating a mechanism to gain community feedback to better establish our vision for the OSVDB and DataLossDB projects.
To that end I want to take a moment to share our initial plans for 2010.
The OSF officers and project leads have been dedicated to the daily operations required to make OSVDB and DataLossDB the recognized leader in vulnerability and data loss tracking. This focused dedication has left little time to take the pulse of the industry as it relates to our projects or to establish a clear long-term vision for the projects. To address this need, OSF will be creating an Advisory Board. The board will consist of three to five senior leaders capable of providing broad-based perspective on information security, business management and fundraising. It is our hope that this will provide a sounding board when developing future plans, an open forum when reviewing community feedback and a broader view when prioritizing potential new services. Additional information along with an official call for Advisory Board nominations is planned for 2/12/2010.
Direct unfiltered feedback from both the security community as well as the organizations that benefit from our projects is critical. Over the next few weeks, we plan to post a public survey asking for feedback that will help shape our long-term vision and establish our near-term plans for OSVDB and DataLossDB. Those of you who value the work that the OSF provides and/or consider yourselves friends and supporters of OSF are asked to help spread the word to maximize the feedback provided.
Feedback from the survey will be the foundation for the OSF vision and 2010 plan. Our goal is to present a draft of both the vision and the 2010 plan to the newly formed Advisory Board by mid-April 2010. Once finalized, both documents will be shared with the information security community.
OSF has been recognized for providing a critical service to the information security community but our potential is much greater. We look forward to hearing your ideas on how OSF can further improve the state of security while building a stronger organization to deliver even higher quality research and additional services.
Chairman, Open Security Foundation
Posted in OSVDB News | no comments