We are pleased to report that OSVDB has been provided three projects for 2008. We would like to thank everyone that applied and encourage students that were not selected to still consider getting involved with the project. We had quite a few great applications but were unable to accept any more due to our limited mentoring resources this summer and the large number of new organizations taking part in SoC this year.
Here are the projects that were selected:
Patch Management Portal by Ronny Yabar Aizcorbe, mentored by David Shettler
The system will provide a way to define when a patch should be in development, testing or production status, and will allow users to select vulnerabilities and patches based on the OSVDB watch list. The main components of the tool will be: prioritization and scheduling, testing, implementation and compliance.
OSVDB Widgets and Gadgets by Marc Augustin, mentored by Chris Newby
This project is intended to utilize OSVDB as the main data source and to provide a security dashboard for professionals via Gadgets and Widgets.
OSVDB Training Portal Framework by Sergios Pericleous, mentored by Jake Kouns
This project will create a training framework which will aim to integrate as much as possible with the existing OSVDB portal. The portal will allow specific admin users to create training material and quizzes for end-users, and it will also allow end-users to read this training material and comment on it, take the quizzes and receive a score, and track their progress using a progress report and graphs.
Congrats Ronny, Marc and Sergios; we look forward to another successful summer!
Google will continue to accept student applications until Monday, March 31, 2008! Please help spread the word and encourage all eligible students to apply to OSVDB or one of the other security related projects!
OSVDB: The Open Source Vulnerability Database: http://osvdb.org/blog/?p=231
OSSIM: Open Source Security Information Management: http://www.ossim.net/dokuwiki/doku.php?id=ideas
Nmap Security Scanner: http://nmap.org/GoogleGrants.html
The Electronic Frontier Foundation/Tor Project: https://www.torproject.org/volunteer.html.en#Projects
Umit: A Nmap Frontend: http://www.umitproject.org/?active=gsoc&mode=ideas
Freenet Project Inc: http://wiki.freenetproject.org/SummerOfCode2008
Organizations by programming language: http://eflow.org/wiki/index.php?Mentors_by_language
Organizations by category: http://genmapp.org/gsoc/mentors_by_category.htm
OSVDB has been accepted for Google’s Summer of Code for 2008. Please help spread the word and encourage all eligible students to apply for an OSVDB project! Google will begin accepting student applications on Monday, March 24, 2008!
If you have any questions or would like some more details about our project ideas please get in touch with us!
Google Summer of Code 2008 is officially on. Full details at http://code.google.com/soc/2008/
OSVDB has submitted an application and has been accepted. With our Summer of Code project work, we hope to build off the release of OSVDB 2.0 and develop new enhancements to OSVDB’s public services. Here is this year's list of ideas/important projects; however, we are open to proposals for other projects and ideas.
OSVDB Port Listing Project – Preferred language is Ruby on Rails
We are looking to create a project that will be a central repository for all known ports and protocols. This will be the foundation of many new features such as referencing ports/protocols to OSVDB IDs. This will then allow OSVDB vulnerabilities to be better mapped to firewall rules, IDS alerts and potential integrations with other security projects such as NMAP.
- This project should detail all well-known/default/registered ports
- This project must have an automated feature that can import port information from iana.org as a baseline (PORT NUMBERS)
- This project must allow users to submit updates/edits wiki style
- This project needs to include fields for necessary tracking including: Keywords, Number, Transport (TCP, UDP, ICMP, etc.), Application, Links, Description
OSVDB Training Portal Framework – Preferred language is Ruby on Rails
This project is to create a flexible framework that can provide training on security issues. OSVDB is looking not only to provide information on vulnerabilities but to be a repository for training information that will help educate end users on how to avoid security risks and developers on how to avoid coding insecure applications.
- This project must be able to integrate with the existing OSVDB portal
- This project must have an interface that allows users to create their own training material
- This project must have an interface that allows users to create their own training quizzes
- This project must have an interface to provide reports and track the results
- A user needs to be able to create a custom quiz or select from a list of OSVDB published quizzes
- A user needs to be able to send a quiz to multiple people by inputting email addresses
- The system will track the quiz and results based on the emails that are sent via the training portal
- This project should allow users to provide comments and coaching information in a wiki style to help educate
- The project will ultimately cross-reference OSVDB IDs. For example: when a user is viewing a specific vulnerability, it will allow them to then take a training course and a quiz to test their knowledge
OSVDB Personal Edition Phase II – Preferred language is Ruby on Rails
We released the OSVDB Personal Edition, a very small Ruby on Rails application that utilizes the SQLite database export to give you your own, albeit relatively featureless, local OSVDB instance. This project is intended to take the OSVDB Personal Edition to the next level.
- This project will provide improvements and a seamless installation package
- This project will include new search features
- This project will include new features defined by you!
OSVDB Widgets and Gadgets – Preferred language is open for discussion!
OSVDB has a very strong online feature set, but a user needs to be logged in to use the services. This project is intended to utilize OSVDB as the main data source and to provide a security dashboard for professionals.
- Gadgets and Widgets should work for OSX and/or Vista
- Should provide security news updates from multiple sources
- Should alert the user when vendors release new alerts
- Should provide alerts for new vulnerabilities added to the OSVDB database
- Should provide search capabilities for OSVDB
- Must be able to support OSVDB API functionality
OSVDB Statistics Project – Preferred language is Ruby on Rails
This project is to create a flexible framework that can provide useful statistics on vulnerabilities from OSVDB. This project should take into consideration all of the fields and classifications in OSVDB.
- Should create and generate the standard/most popular graphs and charts each day and make them available
- Should create statistics that allow very flexible/detailed stats to be dynamically generated on demand by the user
- Some examples of statistics required:
  - Number of vulns based on disclosure year
  - Detailed stats based on each vuln classification option (ALL OPTIONS)
  - Number of vulns by vendor
  - Number of vulns by product
  - Number of vulns that do not have a solution (and by vendor)
  - Time from when a vuln was discovered until it was disclosed
  - A stats application that allows the user to dynamically generate stats based on their own requirements
  - Trend of the number of vulns released per day
OSVDB Vulnerability Visual Mapping – Preferred language is open for discussion!
This project is to create a visual mapping of all vulnerabilities in OSVDB. This will allow users to visually search the database and also to see the relationships between vulnerabilities. Have you ever seen music plasma? This could be pretty challenging, but we have been wanting to see this project done for a long time!
Vulnerability and Patch Management Portal – Preferred language is Ruby on Rails
This project is to create a flexible framework that can provide organizations the ability to track and manage vulnerabilities and patches. OSVDB is looking not only to provide information on vulnerabilities but to be a service that gives security professionals a way to track and ensure that vulnerabilities have been addressed at their organization.
- This project must be able to integrate with the existing OSVDB portal
- Should allow users to manage the life cycle of vulns and patches
- Should allow users to select vulnerabilities or patches based on the OSVDB watchlist
- Should create a lifecycle that alerts a user when a new vulnerability or patch is released and goes into the portal
- Users can then track their organization's progress, including: Research, Test, Implementation, Closure
- The project should allow an organization to show compliance with vulnerabilities and patches
Vulnerability Cross References and Scraper – Preferred language is Ruby on Rails and open for discussion!
OSVDB is a project that aims to have as many references to vulnerabilities as possible. Unfortunately, in most cases volunteers have to search by hand to find more information to add to an entry. The goal of this project is to create a module that can search multiple security resources and cross-reference OSVDB entries to other resources.
- Cross-reference OSVDB IDs and provide references that are missing
- Search the following (all external references OSVDB uses) for a string: Bugtraq, Bugtraq Mailing List, CVE, Full-Disclosure Mailing List, ISS X-Force, Nessus, OSVDB, Packetstorm, Secunia, Securiteam, Security Tracker, Snort
- Search the resources based on user-supplied check boxes for refined/targeted searches
- Offer a simple search that pulls back just a summary of findings
- Offer a recursive search for some sites. If the entry at another site (for example CVE) is known, it should be an option to pull back all of the other references in that entry as well
- Should be a framework that allows new security sites to be added when they become available
- Should run once a night and look at all entries (even old ones) to see if there are more references that can be added
- There should be some kind of approval process, or a quick way for us to automatically add the references to the appropriate IDs
New security project? New security scanner? New OSVDB feature? – Preferred language is open for discussion!
- Have an idea for a new security scanning tool?
- Have an idea for a new feature that is missing from OSVDB?
- Have an idea that can use information from our web scanning database?
- Have an idea for a security scanner that searches a local server for vulnerable scripts?
I have just recently returned from attending the Google Summer of Code 2007 Mentor Summit. It was a great experience to be able to meet many of the other organizations that participated this year. I want to thank Google for supporting the OSVDB project and being such an incredible host as well as taking such good care of us while we were onsite. I want to also take a moment to personally thank Chris DiBona and Leslie Hawthorn for all of their support and efforts to make this program possible.
This is the second year that OSVDB has participated in GSoC. Each year we continue to learn a lot about the program and our own organization. We were able to build upon much of last year's success, and we were also able to implement some additional improvements. Once again we learned the importance of spending the appropriate time during the selection process; picking the “right” student is critical. We were able to build upon our development documentation and continued to use our Wiki as the main place for student updates. We also learned that we need to continue to build our development community and, instead of requesting teamwork, we need to enforce it. We have found that many students have incredible technical skills but really want to work in a vacuum. This past year was extremely challenging for us, as some of our students only wanted to be reviewed based on their code and not their interactions with the project and the other students. It is critical for students to understand that communication and teamwork are key factors to ensure success in an open source project or any organization.
During the Mentor Summit we were able to get a few security projects together to have an Open Source Security Project session (hopefully Fyodor took notes!). We had a great session and had representatives from OSVDB, Nmap, Umit and EFF (Tor). There were some healthy conversations about each of our projects and we spent a fair amount of time sharing successes and issues with GSoC as well as Open Source Security projects in general. I am hopeful that we can get the information between the organizations flowing!
Next year if Google continues with Summer of Code I would encourage more organizations (specifically security projects) to apply to be part of the program. GSoC is a great program that can bring a lot to your project! Don’t be afraid to apply – Google has been extremely supportive of OSVDB and I would expect nothing less for your projects as well!
We are pleased to report that OSVDB has successfully completed three projects from the Google Summer of Code 2007! We are now in the process of taking the next steps to determine how to integrate and rollout the projects into production. Here is just a quick overview of each of the projects:
Researcher Confidence Project – Timothy F. Tutt Jr.
Mentor: Brian Martin
Description: This project is an enhancement of a project from last year. We would like to start tracking researchers' reliability. In OSVDB we track any person that is credited with disclosing a vulnerability. However, we have noticed that some researchers provide more accurate reports than others. In fact, many reports from researchers are incorrect. We would like a project created that lets us determine the confidence level of a researcher.
Vulnerability Notification Service – Sergios C. Pericleous
Mentor: Lyger
Description: To ensure timely notification of security vulnerabilities we need to create a very flexible notification service for OSVDB. It should have the ability to notify based on vendors, products and keywords. The notifications should be via email, possibly chat/pager/SMS/etc.
Report Generator – Willis Vandevanter
Mentor: Sullo
Description: Create a reporting engine that security consultants and security software can use to generate well-formatted reports, suitable for presentation to clients or for integration into software. Output formats include HTML, XML, PDF and plain text, and should optionally allow customization of the data fields to be included. Input should be retrieved via formatted URL or web form based on OSVDB-ID (and possibly other identifiers, such as CVE identifiers).
We are very pleased to report that OSVDB was selected for Google’s Summer of Code! This is great news as we hope to get some of the services and projects that have been on the back burner due to lack of development resources finally launched!
You can read about Google’s SoC here: http://code.google.com/soc/
With our Summer of Code project work, we hope to make several exciting enhancements to OSVDB’s public services. We have provided a list of important projects we are currently planning for; however, we are open to proposals for other projects and ideas.
You can read about OSVDB’s Project Ideas here: http://www.osvdb.org/summerofcode.php
OSVDB has been working very hard to provide many additional types of services to the community. Unfortunately, as mentioned, due to lack of development resources we have been unable to make much of this happen. We now have an opportunity to possibly deliver on the OSVDB Portal and OSVDB Ethical Disclosure Framework commitments that we made when the project first opened.
You can read the public announcements with our intentions to provide OSVDB portal and disclosure services:
OSVDB Objectives: http://www.osvdb.org/OSVDB-Objectives.php
Vendor Dictionary Announcement: http://www.osvdb.org/news.php#vendorDictSiteUpgrade
Personally, I am absolutely thrilled that we may have the resources to develop the OSVDB Ethical Disclosure Framework. This has been one of the projects that I have been wanting for years, and the need for it is validated as we see more and more issues with the disclosure process! I have believed all along that OSVDB can be the service that helps to improve and streamline the process and, more importantly, removes the mystery of the breakdowns in it.
OSVDB has been handling one-off disclosures for researchers over the past 3-4 years, and it is not an easy task. The amount of time it takes to handle a disclosure process is huge. We realized early on that a lot of the process needed to be automated in order to be successful and repeatable. Hopefully, there are some students out there that want to be a part of creating this service, and we can get it launched by the end of the year!
We plan to post updates to the OSVDB blog as we get further in the process. If you have other ideas for projects that we should post please feel free to contact us at firstname.lastname@example.org