The OSVDB team will definitely be in Vegas this year. If you would like to meet up then please drop a line to email@example.com and let us know. Typically we organize an OSVDB dinner but we have been a little slack in organizing it this year! If you are interested let us know and we will see what we can make happen…
Look forward to seeing everyone soon…
The Open Security Foundation (OSF) is pleased to announce that the DataLossDB (also known as the Data Loss Database – Open Source (DLDOS) currently run by Attrition.org) will be formally maintained as an ongoing project under the OSF umbrella organization as of July 15, 2008.
Attrition.org’s Data Loss project, which was originally conceptualized in 2001 and has been maintained since July 2005, introduced DLDOS to the public in September of 2006. The project’s core mission is to track the loss or theft of personally identifying information not just from the United States, but across the world. As of June 4, 2008, DataLossDB contains information on over 1,000 breaches of personal identifying information covering over 330 million records.
DataLossDB has become a recognized leader in the categorization of dataloss incidents over the past several years. In an effort to build off the current success and further enhance the project, the new relationship with OSF provides opportunities for growth, an improved data set, and expanded community involvement. “We’ve worked hard to research, gather, and make this data open to the public,” says Kelly Todd, one of the project leaders for DataLossDB. “Hopefully, the migration to OSF will lead to more community participation, public awareness, and consumer advocacy by providing an open forum for submitting information.”
The Open Security Foundation’s DataLossDB will be free for download and use in non-profit work and research. The new website launch (http://www.datalossdb.org/) builds off of the current data set and provides an extensive list of new features. DataLossDB has attained rapid success due to a core group of volunteers who have populated and maintained the database. However, the new system will provide an open framework that allows the community to get involved and enhance the project. “For a data set as dynamic as this, it made sense to build it into a more user-driven format.”, states David Shettler, the lead developer for the Open Security Foundation. “With the release of this new site, the project can now be fed by anyone, from data loss victims to researchers”.
The DataLossDB’s mail list will continue to be available to over 1,500 current subscribers and will accept new subscriptions under the Attrition.org banner until a migration to OSF has been completed. RSS feeds will also be available under the OSF banner for timely alerts about new and updated data loss events. We expect this transition to be completed in the coming months without impact to current subscribers.
Open Security Foundation’s DataLossDB is an open source community project that strives to provide a clear understanding of data loss issues and needs your support. Assistance can be provided through database updates, project leadership, word-of-mouth promotion, financial donations, and sponsorship to assist with the ongoing maintenance of the project. “The DataLossDB project provides a critical service that enables detailed analysis on the true impact of data loss.”, says Jake Kouns. “The Open Security Foundation is in a perfect position to support the expansion of the DataLossDB project.” Any entities interested in licensing the database for commercial ventures are encouraged to contact OSF.
OSVDB is featured in the June issue of the Open Source Business Resource (OSBR) and is now available at the OSBR website. We were contacted and asked if we would like to include our original OSVDB Aims white paper in the issue. This was really the prompting that we needed to take the time to update the project’s successes since the launch and provide some additional information about the future of OSVDB.
We would like to thank Dru Lavigne and OSBR for their support and encourage you to take a look at the issue. The OSVDB article can be found at: http://www.osbr.ca/ojs/index.php/osbr/article/view/607/568
OSBR’s editorial theme for June is “Security” and here is a listing from the table of contents:
Jake Kouns, president of the Open Security Foundation, introduces the Open Source Vulnerability Database Project. David Maxwell, Open Source Strategist at Coverity, discusses the findings from Coverity’s analysis of over 55 million lines of open source code. Robert Charpentier from Defence Research Establishment Valcartier and Mourad Debbabi, Azzam Mourad and Marc-André Laverdière from Concordia University present a summary of their research into providing security hardening for the C programming language. Frederic Michaud and Frederic Painchaud from Defence Research and Development Canada describe their evaluation of automated tools that search for security bugs. Key messages from Carleton University’s Stoyan Tanev’s recent presentation on technology marketing trends and the Eclipse Foundation’s Ian Skerrett’s presentation on building successful communities. Michael Geist, Canada’s Research Chair of Internet and E-commerce Law, explains why the proposed Bill C-61 does not address the rights of Canadians. Alan Morewood from Bell Canada provides an example of open source meeting a business need.
Next months editorial theme is “Accessibility” – contact the OSBR Editor if you are interested in a submission.
Who is the top vulnerability researcher? Who has discovered the most computer security vulnerabilities? Which country has the most researchers and publishes the most vulnerabilities? Who has discovered the most critical vulnerabilities?
From looking at OSVDB here are the top 12 researchers in terms of volume:
Rank / Creditee / # Vulns
- r0t 770
- Lostmon Lords 241
- rgod 239
- Aliaksandr Hartsuyeu 201
- Kacper 199
- James Bercegay 180
- luny 142
- Diabolic Crab 139
- Janek Vind “waraxe” 136
- JeiAr 117
- Dedi Dwianto 86
- M.Hasran Addahroni 79
Take a look at the other OSVDB Browse categories and note you can even click on a Creditee’s name and see all of the vulnerabilities that they have discovered here: http://osvdb.org/browse
Of course our statistics are based off of the content in OSVDB and we need your help to provide better statistics. If you are a researcher, it would help if you could take the time to create an OSVDB account and update the vulnerabilities that you have discovered!
You can signup for an OSVDB account here: https://osvdb.org/account/signup
Here is a quick overview:
- Search for your vulnerabilities at http://osvdb.org/search/advsearch
- Click on your vuln, then click “Edit Vulnerability” -Click the Credits menu item, if credit is missing click “Toggle Add Author…”
- You name may already be in the database, as you type it will search OSVDB to see if your information is there. If so, select and click “Add Author”.
- Once you add the creditee information you can update your information or if your name is not there you can add it as a new creditee.
Rinse and repeat!
Layered Technologies has provided hosting for the OSVDB production and development servers since October 2007 and continues to support the project. The new servers have been a critical contributing factor to the success and deployment of OSVDB 2.0. In fact, OSVDB 2.0 and the new services that we are now offering have been more resource intensive than we originally thought and we must upgrade.
On Friday, May 16th at 9pm EST we will be taking the OSVDB server offline. The outage should be minimal and service will be restored as soon as possible.
We would like to take a moment to thank Jeremy Suo-Anttila for his assistance and support of the OSVDB project. If you are interested in high quality but affordable hosting with very responsive support we recommend that you contact Layered Technologies.
We are pleased to report that OSVDB has been provided three projects for 2008. We would like to thank everyone that applied and encourage students that were not selected to still consider getting involved with the project. We had quite a few great applications but were unable to accept any more due to our limited mentoring resources this summer and the large number of new organizations taking part in SoC this year.
Here are the projects that were selected:
Patch Management Portal by Ronny Yabar Aizcorbe, mentored by David Shettler The system will provide a way to define when a patch should be in development, testing or production status. And will allow users the ability to select vulnerabilities and patches based on the OSVDB watch list. The main components of the tool will be: Prioritization and scheduling, Testing, Implementation and Compliance.
OSVDB Widgets and Gadgets by Marc Augustin, mentored by Chris Newby This project is intended to utilize the OSVDB as the main data source but should be a security dashboard for professionals via Gadgets and Widgets.
OSVDB Training Portal Framework by Sergios Pericleous, mentored by Jake Kouns This project will create a training framework which will aim to integrate as much as possible with the existing OSVDB portal. The portal will allow specific admin users to create training material and quizzes for end-users, and it will also allow end-users to read this training material and make comments on it, take the quizzes and receive a score, and to track their progress using a progress report and graphs.
Congrats Ronny, Marc and Sergios and we look forward to another successful summer!
Google will continue to accept student applications until Monday, March 31, 2008! Please help spread the word and encourage all eligible students to apply to OSVDB or one of the other security related projects!
OSVDB: The Open Source Vulnerability Database: http://osvdb.org/blog/?p=231
OSSIM: Open Source Security Information Management: http://www.ossim.net/dokuwiki/doku.php?id=ideas
Nmap Security Scanner: http://nmap.org/GoogleGrants.html
The Electronic Frontier Foundation/Tor Project: https://www.torproject.org/volunteer.html.en#Projects
Umit: A Nmap Frontend: http://www.umitproject.org/?active=gsoc&mode=ideas
Freenet Project Inc: http://wiki.freenetproject.org/SummerOfCode2008
Organizations by programming language: http://eflow.org/wiki/index.php?Mentors_by_language
Organizations by category: http://genmapp.org/gsoc/mentors_by_category.htm
OSVDB has been accepted for Google’s Summer of Code for 2008. Please help spread the word and encourage all eligible students to apply for an OSVDB project! Google will begin accepting student applications on Monday, March 24, 2008!
If you have any questions or would like some more details about our project ideas please get in touch with us!
Google Summer of Code 2008 is officially on. Full details at http://code.google.com/soc/2008/
OSVDB has submitted an application and has been accepted. With our Summer of Code project work, we hope to build off the release of OSVDB 2.0 and develop new enhancements to OSVDB’s public services. Here is this years list of ideas/important projects, however we are open to proposals for other projects and ideas.
OSVDB Port Listing Project – Preferred language is Ruby on Rails We are looking to create a project that will be a central repository for all known ports and protocols. This will be the foundation of many new features such as referencing ports/protocols to OSVDB IDs. This will then allow OSVDB vulnerabilities to be better mapped to firewall rules, IDS alerts and potential integrations to other security projects such as NMAP. -This project should detail all well known/default/registered ports -This project must have a automated feature that can import port information from iana.org as a baseline (PORT NUMBERS) -This project must allow users to submit updates/edits wiki style -This project needs to include fields for necessary tracking including: Keywords, Number, Transport (TCP, UDP, ICMP, etc), Application, Links, Description
OSVDB Training Portal Framework – Preferred language is Ruby on Rails This project is to create a flexible framework that can provide training on security issues. OSVDB is looking to not only provide information on vulnerabilities but be a repository for training information that will help educate end users on how to avoid security risks and developers on how to avoid coding insecure applications. -This project must be able to integrate with the existing OSVDB portal -This project must have an interface that allows users to create their own training material -This project must have an interface that allows users to create their own training quizzes -This project must have an interface to provide reports and track the results.
-A user needs to be able to creates a custom quiz or select from a list of OSVDB published quizzes. -A user needs to be able to send a quiz to multiple people by inputting email addresses. -The system will track the quiz and results based on the emails that are sent via the training portal. -This project should allow users to provide comments and coaching information in a wiki style to help educate -The project will ultimately cross reference OSVDB IDs: For example: when a user is viewing a specific vulnerability it will allow them to then take a training course and a quiz to test their knowledge
OSVDB Personal Edition Phase II – Preferred language is Ruby on Rails We released the OSVDB Personal Edition and it is a very small Ruby on Rails application that utilizes the SQLite database export to give you your own, albeit relatively feature-less, local OSVDB instance. This project is intended to take the OSVDB Personal Edition to the next level. -This project will provide improvements and a seamless installation package -This project will include new search features -This project will include new features defined by you!
OSVDB Widgets and Gadgets – Preferred language is open for discussion! OSVDB has a very strong online feature set but a user needs to be logged in to use the services. This project is intended to utilize the OSVDB as the main data source but should be a security dashboard for professionals.
-Gadgets and Widgets should work for OSX and/or Vista -Should provide security news updates from multiple sources -Should provide alerts when new alerts from vendors are released -Should provide alerts for new vulnerabilities added to the OSVDB database -Should provide search capabilities for OSVDB -Must be able to support OSVDB API functionality
OSVDB Statistics Project – Preferred language is Ruby on Rails This project is to create a flexible framework that can provide useful statistics on vulnerabilities from OSVDB. This project should take in consideration all of the fields and classifications in OSVDB. -Should create and generate standard/most popular graphs and charts each day and make available -Should create statistics that allows very flexible/detailed stats to be dynamically generated on demand by user -Some examples of statistics required: -# Vulns based on Disclosure Year -Detailed stats based on each vuln classification options (ALL OPTIONS) -# of vulns by Vendor -# of vulns by Product -# of vulns that do not have a solution (and by vendor) -Time from when a vuln was discovered and then disclosed -Create stats application that allows user to dynamically generate stats based on their own requirements. -Trend the number of vulns released per day
OSVDB Vulnerability Visual Mapping – Preferred language is open for discussion! This project is to create a visual mapping of all vulnerabilities in OSVDB. This will allow users to visually search the database and also to see the relationships between vulnerabilities. Have you ever seen music plasma? This could be pretty challenging but we have been wanting to see this project done for a long time!
Vulnerability and Patch Management Portal – Preferred language is Ruby on Rails This project is to create a flexible framework that can provide organizations the ability to track and manage vulnerabilities and patches. OSVDB is looking to not only provide information on vulnerabilities but be a service that can provide security professionals a way to track and ensure that vulnerabilities have been addressed at their organization. -This project must be able to integrate with the existing OSVDB portal -Should allows users to manage life cycle of vulns and patches -Should allow user the ability selects vulnerabilities or patches based on OSVDB watchlist -Should create a lifecycle that will alert a user when a new vulnerabilities or patch is released and goes into the portal -User then can track their organizations progress including: Research, Test, Implementation, Closure -The project should allows an organization to show compliance with vulnerabilities and patches
Vulnerability Cross References and Scraper – Preferred language is Ruby on Rails and open for discussion! OSVDB is a project that aims to have as many references to vulnerabilities as possible. Unfortunately, in most cases volunteers have to search by hand to find more information to add to an entry. The goal of this project to to create a module that can search multiple security resources and cross references OSVDB entries to other resources. -Cross reference OSVDB IDs and provide references that are missing -Search the following (all external references OSVDB uses) for a string: Bugtraq, Bugtraq Mailing List, CVE, Full-Disclosure Mailing List, ISS X-Force, Nessus, OSVDB, Packetstorm, Secunia, Securiteam, Security Tracker, Snort -Search the resources based on user supplied check boxes for refined/targeted searches -Offer simple search, pull back just a summary of findings -Offer recursive search for some sites. If the entry at another site (for example CVE) is known then it should be an option to pull back all of the other references in that entry as well -Should be a framework that allows new security sites to be added when they become available -Should run once a night and look at all entries (even old ones) to see if there are more references that can be added.
-There should be some kind of approval process or a quick way that we can automatically add the references to the appropriate IDs.
New security project? New security scanner? New OSVDB feature? – Preferred language is open for discussion! -Have an idea for a new security scanning tool? -Have an idea for a new features that is missing from OSVDB? -Have an idea that can use information from our web sacnning database? -Have an idea for a security scanner that searches local server for vulnerable scripts?
OPEN SOURCE VULNERABILITY DATABASE (OSVDB) 2.0
RICHMOND, VA, December 15, 2007 – OSVDB announced a major milestone in the cataloging, classification, description and management of software and hardware security vulnerabilities: The release of OSVDB 2.0, a complete rewrite of the web site using Ruby on Rails, provides substantial performance and reliability improvements for both developers and researchers. “OSVDB 2.0 will help evolve stagnant Vulnerability Databases and position OSVDB as the go-to security vulnerability database,” says Brian Martin, one of the project leaders.
OSVDB, a recognized leader in providing services to the security industry for the past five years, has cataloged nearly 40,000 vulnerabilities, with the help of over 300 volunteers, while gaining industry recognition and vendor support.
“The new Ruby on Rails MVC framework will allow for quick and efficient deployment of changes,” says Dave Shettler, Lead Developer of the OSVDB project. “This will provide greater flexibility to adapt to the changes in the vulnerability and security industry.”
Eighteen months ago OSVDB project leaders identified the need to provide more services, an easier interface for updating vulnerabilities and a way to make it simple for individuals and companies to integrate with the project. OSVDB 2.0 achieves these objectives.
OSVDB 2.0 enhancements include: greater detail about the overall nature of a specific vulnerability, a “Watch List” service that provides alerts for new vulnerabilities, consolidating external blogs by vulnerability, and new reporting metrics. The enhanced data will allow users to find vulnerabilities based on criteria such as attack type, solution status or if the vulnerability has been confirmed or disputed by the vendor. “We know that OSVDB 2.0’s new features will prove to be useful for the security community.” says Kelly Todd, one of the project leaders. “OSVDB is a team effort for improved security by the security community.”
Users of the old system will immediately notice that the project has implemented a customizable portal that fully integrates the old backend interface and the front end website. In addition, the method for updating vulnerabilities has been changed to a “Wiki style” system that allows contributors to edit individual fields when needed.
The enhanced classification system is now tracking the following additional fields: •Context Dependent •“Wormified” •Vulnerability Dependent •Security Software •Coordinated Disclosure •Uncoordinated Disclosure •Vendor Disputed •Vendor Verified •Solution Types •Wireless
The OSVDB project leaders–Jake Kouns, Brian Martin, Dave Shettler, Chris Sullo, Kelly Todd , and Steve Tornio– would like to thank all of the volunteers and organizations who help make the project a success. The full list of contributors to the project can be viewed at: http://osvdb.org/contributors
We would also like to thank our sponsors: •Google (google.com), for sponsoring OSVDB in the Google Summer of Code program in 2006 and 2007. •Layered Technologies (layeredtech.com), for web hosting. •GFI (gfi.com), for financial support.
“The OSVDB project will go as far as the community is willing to take it.”, says Jake Kouns, project lead. “We continue to encourage individuals to get involved and help shape the future of the project.”
If you would like to become involved with the project please contact us at firstname.lastname@example.org
OSVDB 2.0 can be found at www.OSVDB.org.
Jake Kouns Open Source Vulnerability Database Project +1.804.306.8412