OSVDB API and enhanced cross-referencing

Posted by d2d Mon, 28 Jan 2008 06:04:17 GMT

We are pleased to announce the OSVDB API beta.

Integration and cross-referencing with OSVDB just got a lot easier via the new application programming interface (API), which can provide multiple result formats to fit various needs. Queries can be run against any number of correlation factors, including CVE ID, Microsoft Bulletin ID, Bugtraq ID, and a host of other common reference points. The API is also under constant development, particularly during beta, and suggestions for improvements are quickly and easily implemented by the OSVDB development team.

Some technical details about the API include:

  • It is a RESTful interface to the OSVDB database
  • It returns your choice of XML or CSV
  • Allows OSVDB ID correlation to a growing list of other references and integrators’ products
  • And importantly, it is free – though donations are appreciated.

To begin using the API, first log in or create an account, then visit the API overview for general information, or skip right to the API Documentation to get started. During beta, and perhaps beyond, accounts are limited to 100 queries per day. To request a greater allotment of daily queries, fill out the Integration request form.

In other news, we have done some significant mapping work over the last month. We have broken out certain references into a new category called "Tools & Filters". A good example of how this section works is OSVDB ID 40229. We then worked to map:

  • Over 9,500 OSVDB IDs to Nessus nasls
  • Over 1,000 OSVDB IDs to Snort filter IDs
  • Over 400 OSVDB IDs to Nikto scans

We are also in the process of working with other vendors and products to map out more tools. If you have an open source or commercial security product, and you reference vulnerabilities, contact moderators for information on how we can include your filters/rules in our vulnerability listings.
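As an added illustration of the two announcements above (the REST API with XML or CSV results, and the "Tools & Filters" cross-references), here is a small Python client that is not OSVDB's own code. The `/search` path, the parameter names (`cve_id`, `bugtraq_id`, `ms_bulletin_id`, `format`, `key`) and both response layouts are assumptions made for this example; the sample responses are constructed inline, and every OSVDB ID, CVE ID and tool reference in them is a placeholder. The client also enforces the 100-queries-per-day beta limit on its own side, so an integration finds out it has run dry before the server does.

```python
"""Hypothetical client for a REST-style vulnerability cross-reference API.

Added example, not OSVDB's code.  ASSUMED: the /search path, parameter names,
the 'key' parameter and both response layouts.  Sample data is constructed.
"""
import csv
import io
import xml.etree.ElementTree as ET
from datetime import date
from urllib.parse import urlencode

# Reference types a query can be keyed on (parameter names are assumed).
REF_PARAMS = {"CVE": "cve_id", "BID": "bugtraq_id", "MS": "ms_bulletin_id"}
# Reference types that point at a scanner/IDS check rather than an advisory.
TOOL_REFS = {"NESSUS", "SNORT", "NIKTO"}
DAILY_QUOTA = 100  # beta accounts are limited to 100 queries per day

# Constructed responses; IDs and references are placeholders, not real data.
SAMPLE_XML = """<results>
  <vuln osvdb_id="1001">
    <title>Example Product Remote Overflow</title>
    <ref type="CVE">CVE-0000-0001</ref>
    <ref type="BID">9000001</ref>
    <ref type="NESSUS">example_overflow.nasl</ref>
    <ref type="SNORT">1000001</ref>
  </vuln>
  <vuln osvdb_id="1002">
    <title>Example Product Path Traversal</title>
    <ref type="CVE">CVE-0000-0002</ref>
    <ref type="NIKTO">000001</ref>
  </vuln>
</results>"""

SAMPLE_CSV = """osvdb_id,title,ref_type,ref_value
1001,Example Product Remote Overflow,CVE,CVE-0000-0001
1001,Example Product Remote Overflow,BID,9000001
1001,Example Product Remote Overflow,NESSUS,example_overflow.nasl
1001,Example Product Remote Overflow,SNORT,1000001
1002,Example Product Path Traversal,CVE,CVE-0000-0002
1002,Example Product Path Traversal,NIKTO,000001
"""


class QuotaExceeded(Exception):
    """Raised client-side instead of sending a query the quota would reject."""


class Client:
    def __init__(self, base_url, api_key, clock=date.today):
        # clock() returns the current day; injectable so the rollover is testable.
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self._clock = clock
        self._day = clock()
        self._used = 0

    def _spend(self):
        today = self._clock()
        if today != self._day:          # new day: the allotment resets
            self._day, self._used = today, 0
        if self._used >= DAILY_QUOTA:
            raise QuotaExceeded(f"{DAILY_QUOTA} queries already used on {self._day}")
        self._used += 1

    def query_url(self, ref_type, ref_value, fmt="xml"):
        """Build the request URL for one cross-reference lookup (assumed layout)."""
        if ref_type not in REF_PARAMS:
            raise ValueError(f"unsupported reference type {ref_type!r}")
        if fmt not in ("xml", "csv"):
            raise ValueError("the API returns xml or csv only")
        self._spend()
        params = {REF_PARAMS[ref_type]: ref_value, "format": fmt, "key": self.api_key}
        return f"{self.base_url}/search?{urlencode(params)}"


def parse_xml(text):
    """Parse the assumed XML layout into {osvdb_id: {"title": ..., "refs": {type: [values]}}}."""
    records = {}
    for vuln in ET.fromstring(text).iter("vuln"):
        rec = {"title": vuln.findtext("title", "").strip(), "refs": {}}
        for ref in vuln.iter("ref"):
            rec["refs"].setdefault(ref.get("type"), []).append(ref.text.strip())
        records[int(vuln.get("osvdb_id"))] = rec
    return records


def parse_csv(text):
    """Parse the assumed CSV layout (one row per reference) into the same shape."""
    records = {}
    for row in csv.DictReader(io.StringIO(text)):
        rec = records.setdefault(int(row["osvdb_id"]), {"title": row["title"], "refs": {}})
        rec["refs"].setdefault(row["ref_type"], []).append(row["ref_value"])
    return records


def osvdb_ids_for(records, ref_type, ref_value):
    """Correlate an external identifier back to OSVDB IDs (sorted)."""
    return sorted(i for i, r in records.items() if ref_value in r["refs"].get(ref_type, []))


def tool_coverage(records):
    """Per entry, only the scanner/IDS references: a 'Tools & Filters' view."""
    return {i: {t: v for t, v in r["refs"].items() if t in TOOL_REFS}
            for i, r in records.items()}


if __name__ == "__main__":
    recs = parse_xml(SAMPLE_XML)
    print(osvdb_ids_for(recs, "CVE", "CVE-0000-0002"), tool_coverage(recs))
```

Whichever format the integration asks for, both parsers produce the same dictionary, so code downstream of the client never needs to know whether XML or CSV came back.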


OSVDB 2.0 RELEASED

Posted by jkouns Mon, 17 Dec 2007 07:02:08 GMT

OPEN SOURCE VULNERABILITY DATABASE (OSVDB) 2.0

RICHMOND, VA, December 15, 2007 – OSVDB announced a major milestone in the cataloging, classification, description and management of software and hardware security vulnerabilities: The release of OSVDB 2.0, a complete rewrite of the web site using Ruby on Rails, provides substantial performance and reliability improvements for both developers and researchers. “OSVDB 2.0 will help evolve stagnant Vulnerability Databases and position OSVDB as the go-to security vulnerability database,” says Brian Martin, one of the project leaders.

OSVDB, a recognized leader in providing services to the security industry for the past five years, has cataloged nearly 40,000 vulnerabilities, with the help of over 300 volunteers, while gaining industry recognition and vendor support.

“The new Ruby on Rails MVC framework will allow for quick and efficient deployment of changes,” says Dave Shettler, Lead Developer of the OSVDB project. “This will provide greater flexibility to adapt to the changes in the vulnerability and security industry.”

Eighteen months ago OSVDB project leaders identified the need to provide more services, an easier interface for updating vulnerabilities and a way to make it simple for individuals and companies to integrate with the project. OSVDB 2.0 achieves these objectives.

OSVDB 2.0 enhancements include: greater detail about the overall nature of a specific vulnerability, a “Watch List” service that provides alerts for new vulnerabilities, consolidating external blogs by vulnerability, and new reporting metrics. The enhanced data will allow users to find vulnerabilities based on criteria such as attack type, solution status or if the vulnerability has been confirmed or disputed by the vendor. “We know that OSVDB 2.0’s new features will prove to be useful for the security community.” says Kelly Todd, one of the project leaders. “OSVDB is a team effort for improved security by the security community.”

Users of the old system will immediately notice that the project has implemented a customizable portal that fully integrates the old backend interface and the front end website. In addition, the method for updating vulnerabilities has been changed to a “Wiki style” system that allows contributors to edit individual fields when needed.

The enhanced classification system is now tracking the following additional fields:

  • Context Dependent
  • “Wormified”
  • Vulnerability Dependent
  • Security Software
  • Coordinated Disclosure
  • Uncoordinated Disclosure
  • Vendor Disputed
  • Vendor Verified
  • Solution Types
  • Wireless

The OSVDB project leaders – Jake Kouns, Brian Martin, Dave Shettler, Chris Sullo, Kelly Todd, and Steve Tornio – would like to thank all of the volunteers and organizations who help make the project a success. The full list of contributors to the project can be viewed at: http://osvdb.org/contributors

We would also like to thank our sponsors:

  • Google (google.com), for sponsoring OSVDB in the Google Summer of Code program in 2006 and 2007.
  • Layered Technologies (layeredtech.com), for web hosting.
  • GFI (gfi.com), for financial support.

“The OSVDB project will go as far as the community is willing to take it,” says Jake Kouns, project lead. “We continue to encourage individuals to get involved and help shape the future of the project.”

If you would like to become involved with the project please contact us at moderators@osvdb.org

OSVDB 2.0 can be found at www.OSVDB.org.

Press Contact:

Jake Kouns
Open Source Vulnerability Database Project
+1.804.306.8412

Email: jkouns@opensecurityfoundation.org


OSVDB 2.0

Posted by jkouns Sat, 15 Dec 2007 07:16:18 GMT

We are pleased to announce that OSVDB 2.0 has officially gone live!

What’s new in OSVDB 2.0?

  • Completely rewritten from scratch in Ruby on Rails
  • Improved performance and reliability
  • Custom OSVDB Portal implemented
  • Integration between old backend mangler interface and frontend
  • Wiki style updates with moderation capabilities
  • Updates available per field in vulnerability / full update not required
  • Enhanced classification system, OSVDB is now tracking additional fields:
    o Context Dependent
    o Wormified
    o Vuln Dependent
    o Security Software
    o Coordinated Disclosure
    o Uncoordinated Disclosure
    o Vendor Disputed
    o Vendor Verified
    o Solution Types
    o Wireless
  • Project is now positioned to provide robust metrics and reporting
  • Capable of integration with additional security products
  • Comment system updated and available for users to provide feedback on vulns
  • Each vulnerability now displays relevant blogs for additional reading
  • Watchlist service for new vulnerabilities now available
  • Enhanced vendor dictionary with new search function
  • Old exports will be available for the next few months
  • Integration with Google Checkout for donations and subscriptions
  • Much more…

It is with great pleasure that I also introduce Dave Shettler and announce that he has accepted the position of Development Lead for the project! Dave has brought stability to our development team and has really helped to reinvent the project. Without his efforts none of this would have been possible.

There are so many people and organizations that have made OSVDB successful and we appreciate the continued support. Special thanks to all that contributed time and energy into OSVDB 2.0 and we look forward to many exciting things to come!

All accounts have been converted from the old system, but you will need to request a new password. If you have any feedback or would like to become involved with the project please contact us at moderators@osvdb.org


OSVDB Origami Project

Posted by jkouns Sun, 11 Nov 2007 05:47:45 GMT

OSVDB is ready to create a buzz. However, instead of releasing our massive marketing department on the public, we decided to slowly start an OSVDB viral advertising project, consisting of some buzz/stealth marketing and even a little roach baiting…

Just kidding. However, we do have some exciting news to share with you. The project has been very successful over the past couple years, but it has become obvious OSVDB has some scalability issues. The current website and vulnerability management system required a massive overhaul. After some extremely hard work (many thanks d2d!) we are finally ready to launch OSVDB 2.0.

While we are still working through the final details to ensure a smooth transition and to minimize impact as we move to the OSVDB 2.0 system, here are some things to look forward to:

  • Faster interface for mangling and updating vulnerabilities
  • Fully integrated portal that allows wiki style updates & editing for each field
  • Watch list functionality for custom alerting
  • Improved vendor dictionary, including new search functionality

Some things to consider if you are currently integrating with OSVDB:

  • The current XML dump will be available for several months
  • You will need to create an OSVDB account to download the database
  • The new database exports will include all vulnerabilities, not just “stable”
  • XML schema changes are on the horizon (more info to come)

If you have any questions or concerns please contact moderators@osvdb.org


Google Summer of Code 2007

Posted by jkouns Mon, 22 Oct 2007 18:15:32 GMT

I have just recently returned from attending the Google Summer of Code 2007 Mentor Summit. It was a great experience to be able to meet many of the other organizations that participated this year. I want to thank Google for supporting the OSVDB project and being such an incredible host as well as taking such good care of us while we were onsite. I want to also take a moment to personally thank Chris DiBona and Leslie Hawthorn for all of their support and efforts to make this program possible.

This is the second year that OSVDB has participated in GSoC. Each year we continue to learn a lot about the program and our own organization. We were able to build upon much of last year’s success and also implemented some additional improvements. Once again we learned the importance of spending the appropriate time during the selection process; picking the right student is critical. We were able to build upon our development documentation and continued to use our Wiki as the main place for student updates. We also learned that we need to continue to build our development community and, instead of requesting teamwork, we need to enforce it. We have found that many students have incredible technical skills but really want to work in a vacuum. This past year was extremely challenging for us, as some of our students only wanted to be reviewed based on their code and not their interactions with the project and the other students. It is critical for students to understand that communication and teamwork are key factors to ensure success in an open source project or any organization.

During the Mentor Summit we were able to get a few security projects together to have an Open Source Security Project session (hopefully Fyodor took notes!). We had a great session and had representatives from OSVDB, Nmap, Umit and EFF (Tor). There were some healthy conversations about each of our projects and we spent a fair amount of time sharing successes and issues with GSoC as well as Open Source Security projects in general. I am hopeful that we can get the information between the organizations flowing!

Next year, if Google continues with Summer of Code, I would encourage more organizations (specifically security projects) to apply to be part of the program. GSoC is a great program that can bring a lot to your project! Don’t be afraid to apply; Google has been extremely supportive of OSVDB and I would expect nothing less for your projects as well!

We are pleased to report that OSVDB has successfully completed three projects from the Google Summer of Code 2007! We are now in the process of taking the next steps to determine how to integrate and rollout the projects into production. Here is just a quick overview of each of the projects:

Researcher Confidence Project – Timothy F. Tutt Jr.
Mentor: Brian Martin
Description: This project is an enhancement of a project from last year. We would like to start tracking researchers’ reliability. In OSVDB we track any person that is credited with disclosing a vulnerability. However, we have noticed that some researchers provide more accurate reports than others. In fact, many reports from researchers are incorrect. We would like a project created that determines the confidence level of a researcher.

Vulnerability Notification Service – Sergios C. Pericleous
Mentor: Lyger
Description: To ensure timely notification of security vulnerabilities we need to create a very flexible notification service for OSVDB. It should have the ability to notify based on vendors, products and keywords. The notifications should be via email, possibly chat/pager/SMS/etc.

Report Generator – Willis Vandevanter
Mentor: Sullo
Description: Create a reporting engine that security consultants and security software can use to generate well formatted reports, suitable for presentation to clients or for integration into software. Output formats include HTML, XML, PDF and plain text, and should optionally allow customization of data fields to be included. Input should be retrieved via formatted URL or web form based on OSVDB-ID (and possibly other identifiers, such as CVE identifiers).
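The notification service described above, and the watch list feature the OSVDB 2.0 posts on this page advertise, both come down to the same core: match each new entry against every subscriber's vendor, product and keyword interests, and send each (account, entry) pair at most once. The Python below is an added example of that matching core, not the GSoC student's code or OSVDB's; the record fields, the subscription shape, the channel names and the sample entries are constructed for the example.

```python
"""Matching core of a vulnerability watch-list / notification service.

Added example, not OSVDB's code.  Field names, the subscription shape and
all sample records are constructed; the OSVDB IDs are placeholders.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Vuln:
    osvdb_id: int
    vendor: str
    product: str
    title: str
    description: str = ""


@dataclass
class Subscription:
    account: str
    vendors: set = field(default_factory=set)
    products: set = field(default_factory=set)
    keywords: set = field(default_factory=set)
    channels: tuple = ("email",)   # the post lists email, possibly chat/pager/SMS


def _norm(s):
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(s.lower().split())


def match_reasons(sub, vuln):
    """Return why this subscription fires for this entry (empty list = no alert)."""
    reasons = []
    if _norm(vuln.vendor) in {_norm(v) for v in sub.vendors}:
        reasons.append(f"vendor:{vuln.vendor}")
    if _norm(vuln.product) in {_norm(p) for p in sub.products}:
        reasons.append(f"product:{vuln.product}")
    text = _norm(f"{vuln.title} {vuln.description}")
    for kw in sorted(sub.keywords):
        # Whole-word match so a keyword like "ssl" does not fire on every "mod_ssl" title.
        if re.search(rf"\b{re.escape(_norm(kw))}\b", text):
            reasons.append(f"keyword:{kw}")
    return reasons


def notify(vulns, subs, already_sent):
    """Build one alert per (account, entry) for entries not yet sent to that account.

    already_sent is the persistent de-duplication set; it is updated in place so
    a re-run over the same batch (e.g. after a crash) produces no duplicates.
    """
    alerts = []
    for v in vulns:
        for s in subs:
            key = (s.account, v.osvdb_id)
            if key in already_sent:
                continue
            reasons = match_reasons(s, v)
            if reasons:
                alerts.append({"account": s.account, "osvdb_id": v.osvdb_id,
                               "channels": s.channels, "reasons": reasons})
                already_sent.add(key)
    return alerts


# Constructed sample batch and subscribers.
SAMPLE_VULNS = [
    Vuln(2001, "Example Vendor", "Example Server", "Example Server Remote Overflow"),
    Vuln(2002, "Other Vendor", "Other App", "Other App Directory Traversal",
         "traversal via crafted path"),
    Vuln(2003, "Other Vendor", "Other Widget", "Other Widget Cross-Site Scripting"),
]
SAMPLE_SUBS = [
    Subscription("alice", vendors={"example vendor"}),
    Subscription("bob", products={"Other App"}, keywords={"traversal"},
                 channels=("email", "sms")),
    Subscription("carol", keywords={"overflow"}),
]

if __name__ == "__main__":
    for a in notify(SAMPLE_VULNS, SAMPLE_SUBS, set()):
        print(a)
```

Keeping the de-duplication set outside the function is the part worth copying: a notifier that is restarted mid-batch must not page everyone twice, and the set is the only state it needs to persist.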


This blog is pretty!

Posted by jericho Mon, 16 Jul 2007 21:06:52 GMT

Ran across a post on Dancho Danchev’s blog about information visualization. I’ve seen these types of graphical renderings/representations of everything from “the internet” to web sites. In the past they have been part of presentations or been created with tools that weren’t public. Now, Texone is offering an online applet that will render an image based on your site. Putting in “osvdb.org/blog” and letting it go for a while created this pretty picture. To be fair, it crawled well past OSVDB. I don’t think we’re pretty by ourselves.


VDB Searching Headache: Apache

Posted by jericho Thu, 24 May 2007 02:56:06 GMT

I had the need to search for Apache vulnerabilities today for the pesky day job. One word, one search and four hours later I realized just how bad our Apache entries were. Enter headache #1. Unfortunately, the rest of the VDBs were no better. What did I want a concise list of?

  1. Apache web server vulnerabilities
  2. Apache Tomcat vulnerabilities

Seems straightforward, and the second search is relatively easy at any VDB, as “Apache Tomcat” is a consistently used name for the product and distinct enough not to catch other products. So why isn’t the first? Many moons ago, Apache was just “Apache” and everyone knew it was the web server. Eventually Apache branched out and currently maintains an incredible number of projects. The old “Apache” we all know is really “Apache HTTP Server”, which VDBs don’t consistently use, especially in older entries. This is understandable, because when CVE added an Apache vulnerability in 1999, that was all there was. These days, just using “Apache” to describe any of their projects is overly vague and irresponsible. Thus, four hours later, I’d like to think that OSVDB’s entries are a lot better off for many reasons, that being the first and simplest.

Searching OSVDB by title for “Apache HTTP Server” will now list all vulnerabilities related to the classic web server. One thing you will notice is the difference in naming convention for modules. Enter headache #2! Apache modules are not created equal. According to the Apache documentation, module status is labeled with one of four values:

  1. Base - modules that are compiled and loaded into the server by default
  2. Extension - modules that are not normally compiled by default, but must be selected during compilation/installation
  3. Experimental - modules that are available as part of the apache kit; not necessarily supported
  4. External - modules that are not included with the base Apache distribution; not supported by Apache

Modules like mod_include and mod_imap are ‘base’ modules and are part of the Apache web server for most installations. Vulnerabilities in these modules will impact most Apache users. Modules like mod_rewrite are extension modules and must be specifically selected during the configure/make process.

Modules like mod_perl are .. what? Hello Headache #3. If you check the mod_perl homepage, you don’t see an easy-to-spot designation of whether it is ‘base’ or ‘extension’, even though it is part of the Apache project. This is more understandable with mod_ssl, since it’s an extension and maintained on a non-Apache web page. Apache module authors: please make this clear! Before you fire up your e-mail client to send me obnoxious mails, consider that these are “some” of the supported modules Apache offers, and there are 443 more modules that aren’t supported but definitely useful to many folks. What about mod_digest_apple and others? Not fun for those who are tasked with tracking vulnerabilities.

As a result of all this, OSVDB is now using consistent titles to help distinguish all of the above. Here are a few guidelines to help better understand it, and we hope that other VDBs will follow suit to assist their users.

  1. “Apache HTTP Server” is used for the Apache web server (httpd).
  2. If the module is ‘base’, ‘extension’ or ‘experimental’, meaning it is part of the Apache distribution, we use “Apache HTTP Server mod_whatever”
  3. If the module is ‘external’, meaning it is not part of the Apache distribution, we use “mod_whatever for Apache HTTP Server”.

This will help our users more easily distinguish if the vulnerability affects them, assist in searches with more concise results and generally make me feel better about the VDB world.
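To show what the three guidelines buy a searcher in practice, here is an added Python example (not OSVDB's code) that generates titles from a module's status and, going the other way, parses titles back into (module, bundled-or-external) so a title list can be filtered to just httpd and its modules while Tomcat and other Apache projects fall out. The status table is constructed for the example: mod_include and mod_imap as ‘base’ and mod_rewrite as ‘extension’ follow the post, while mod_example as ‘external’ is a made-up placeholder; real values belong to the Apache docs.

```python
"""Build and parse the "Apache HTTP Server" title convention.

Added example, not OSVDB's code.  MODULE_STATUS is a constructed lookup;
'mod_example' is a placeholder for an external module.
"""
import re

HTTPD = "Apache HTTP Server"
BUNDLED = {"base", "extension", "experimental"}   # shipped with the Apache distribution

MODULE_STATUS = {
    "mod_include": "base",        # from the post
    "mod_imap": "base",           # from the post
    "mod_rewrite": "extension",   # from the post
    "mod_example": "external",    # placeholder, not a real module
}


def osvdb_title(module=None, status=None):
    """Apply the three guidelines: httpd itself, a bundled module, or an external one."""
    if module is None:
        return HTTPD                                   # guideline 1
    status = status or MODULE_STATUS.get(module)
    if status in BUNDLED:
        return f"{HTTPD} {module}"                     # guideline 2
    if status == "external":
        return f"{module} for {HTTPD}"                 # guideline 3
    raise ValueError(f"unknown status for {module}: {status!r}")


# Guideline 3 is checked first because guideline 2's prefix is a substring of nothing
# it should match; the \b keeps "Apache HTTP Serverx" from slipping through.
_EXTERNAL_RE = re.compile(rf"^(mod_\w+) for {re.escape(HTTPD)}\b")
_BUNDLED_RE = re.compile(rf"^{re.escape(HTTPD)}(?: (mod_\w+))?\b")


def classify_title(title):
    """Return (module, bundled) for httpd-related titles, None for any other product.

    module is None when the title is about the server itself.
    """
    m = _EXTERNAL_RE.match(title)
    if m:
        return (m.group(1), False)
    m = _BUNDLED_RE.match(title)
    if m:
        return (m.group(1), True)
    return None


def httpd_entries(titles, include_external=True):
    """Filter VDB titles down to the classic web server and (optionally) external modules."""
    out = []
    for t in titles:
        c = classify_title(t)
        if c is not None and (c[1] or include_external):
            out.append(t)
    return out


# Constructed titles; none describes a real entry.
SAMPLE_TITLES = [
    "Apache HTTP Server Chunked Encoding Overflow",
    "Apache HTTP Server mod_imap Cross-Site Scripting",
    "mod_example for Apache HTTP Server Remote Overflow",
    "Apache Tomcat Example Path Traversal",
    "Apache Struts Example Issue",
]

if __name__ == "__main__":
    for t in SAMPLE_TITLES:
        print(t, "->", classify_title(t))
```

Note how a plain substring search for “Apache” would have returned all five sample titles; the parser returns three, and drops the external module too when a user only cares about what ships with httpd.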


not local.. not remote..

Posted by jericho Sun, 20 May 2007 21:10:13 GMT

Several of us working on VDBs have debated over the years how best to handle vulnerabilities that aren’t necessarily remote or local: issues like image or archive handling vulnerabilities, where the program processing a malformed file is prone to an overflow, traversal or denial of service. One may argue they are ‘remote’ in the sense that if I e-mail you the file, the attack is definitely remote in a sense. But if the malformed file is loaded from a floppy disk, the attack isn’t necessarily ‘local’ or ‘requires physical access’ either. So we need something that covers the grey area between vectors. A while back Steven Christey at CVE began using “context-dependent attacker” to describe such vulnerabilities. OSVDB tried to come up with another term for this, but after some time, we couldn’t. So, from here on out, you will start noticing the use of “context-dependent attacker” in our vulnerability descriptions more frequently, and eventually, when the classification scheme is overhauled, it will appear there too.


OSVDB Chosen for Google Summer of Code 2007

Posted by jericho Fri, 23 Mar 2007 04:55:29 GMT

For the second year now, OSVDB has been selected to participate in the Google Summer of Code program. It’s pretty neat to be in this program along with other relatively unheard of projects like Debian, FreeBSD, GNU, KDE, NetBSD, OpenSolaris, PHP, PostgreSQL, Python, Samba, Apache, EFF, Fedora and X.org. =)

As always, Google continues to give back to the community in ways most companies will never understand or appreciate.


Numb3rs

Posted by jericho Sat, 02 Sep 2006 07:52:24 GMT

I’ve been with the OSVDB project for 1000 days. I am responsible for creating 20,667 entries, moderating 7,791 mangler submissions, and mangling 3,480 vulnerabilities myself. The database contains vulnerabilities dating back to 1965, spanning over 40 years. The database contains over 3,800 cross-site scripting, 2,500 SQL injection and 990 remote file inclusion vulnerabilities. Microsoft enjoys around 1,450 entries while Oracle only has 596, with another 75 or so coming when I catch up with my backlog. Since the addition of a Bugzilla system we have filed 807 bugs, 176 of which are still open. Since opening our doors 337 accounts have been created to work on the project, but 293 are now considered M.I.A., 1 is disabled and 20 are considered ‘abducted by aliens’ (meaning they never logged in once). As of this post, there are 28,319 entries in the database; 13646 Stable, 13928 New, 65 being Mangled, 5 Pending moderator review, and 6 Locked. I can’t even begin to count the e-mail we’ve sent and received related to the project and we’ve written 136 entries on this blog.

