Google Summer of Code 2008 is officially on. Full details at http://code.google.com/soc/2008/
OSVDB has submitted an application and has been accepted. With our Summer of Code project work, we hope to build off the release of OSVDB 2.0 and develop new enhancements to OSVDB’s public services. Here is this year’s list of ideas and important projects; we are also open to proposals for other projects and ideas.
OSVDB Port Listing Project – Preferred language is Ruby on Rails
We are looking to create a project that will be a central repository for all known ports and protocols. This will be the foundation of many new features, such as referencing ports and protocols to OSVDB IDs. That in turn will allow OSVDB vulnerabilities to be mapped more accurately to firewall rules and IDS alerts, and opens the door to integration with other security projects such as NMAP.
- This project should detail all well-known, default and registered ports
- This project must have an automated feature that can import port information from iana.org as a baseline (PORT NUMBERS)
- This project must allow users to submit updates and edits wiki-style
- This project needs to include fields for the necessary tracking, including: Keywords, Number, Transport (TCP, UDP, ICMP, etc.), Application, Links, Description
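As an added example of the iana.org import step (this is example code written for this page, not OSVDB’s own importer), the following Ruby parses the IANA port-numbers registry text into records carrying the tracking fields listed above. It assumes the registry’s classic one-row-per-line layout of "keyword port/proto description" with "#" comment lines, and the source URL and sample rows are constructed assumptions rather than a copy of the real file.

```ruby
# Added example, not OSVDB code: import the IANA port-numbers registry into
# records carrying the fields the Port Listing project calls for.
# Assumes the classic registry text layout of one "keyword port/proto
# description" row per line with '#' comments; the sample rows below are
# constructed for this example, not copied from iana.org.

require 'set'

IANA_SOURCE = 'http://www.iana.org/assignments/port-numbers'.freeze # assumed baseline URL
TRANSPORTS  = %w[tcp udp sctp dccp].to_set                          # transports the importer accepts

# One row of the port listing. Keywords and extra links start empty so that
# wiki-style edits can fill them in later.
PortEntry = Struct.new(:number, :transport, :application, :description, :links, :keywords)

# Match "keyword  port[-port]/proto  description"; the keyword may be blank
# (IANA leaves it empty for some ranges) and a port range is allowed.
ROW_RE = %r{\A(\S*)\s+(\d+)(?:-(\d+))?/([A-Za-z]+)\s*(.*)\z}

# Parse one registry line into zero or more PortEntry objects.
# Comments, blank lines and lines that do not fit the layout yield [],
# and unknown transports or out-of-range ports are skipped rather than
# imported as garbage.
def parse_port_line(line)
  return [] if line.strip.empty? || line.lstrip.start_with?('#')
  m = ROW_RE.match(line.rstrip)
  return [] unless m
  keyword, lo, hi, proto, desc = m.captures
  proto = proto.downcase
  return [] unless TRANSPORTS.include?(proto)
  lo = Integer(lo)
  hi = hi ? Integer(hi) : lo
  return [] unless (0..65_535).cover?(lo) && (lo..65_535).cover?(hi)
  # A range row becomes one entry per port so each port/transport pair is addressable.
  (lo..hi).map do |n|
    PortEntry.new(n, proto, keyword.empty? ? nil : keyword, desc.strip, [IANA_SOURCE], [])
  end
end

# Import a whole registry dump. Returns a hash keyed by [number, transport]
# so a later run can be diffed against what is already stored; duplicate
# rows keep the first one seen.
def import_port_registry(text)
  text.each_line.each_with_object({}) do |line, table|
    parse_port_line(line).each do |e|
      table[[e.number, e.transport]] ||= e
    end
  end
end

# Constructed sample in the registry's layout (not the real file).
SAMPLE_REGISTRY = <<~REG
  # PORT NUMBERS (constructed excerpt for this example)
  ssh              22/tcp    SSH Remote Login Protocol
  ssh              22/udp    SSH Remote Login Protocol
  http             80/tcp    World Wide Web HTTP
  http             80/udp    World Wide Web HTTP
                   7000-7002/tcp  constructed range entry
  bogus            99/xyz    unknown transport, skipped
  this line has no port at all
REG

if $PROGRAM_NAME == __FILE__
  import_port_registry(SAMPLE_REGISTRY).each_value do |e|
    puts "#{e.number}/#{e.transport} #{e.application.inspect} #{e.description}"
  end
end
```

Keying the table by port and transport is what makes the nightly re-import cheap: a new registry dump can be compared against the stored table and only new or changed rows queued for review, while wiki edits to keywords and links on existing rows survive the refresh.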
OSVDB Training Portal Framework – Preferred language is Ruby on Rails
This project is to create a flexible framework that can provide training on security issues. OSVDB is looking not only to provide information on vulnerabilities but to be a repository for training material that helps educate end users on how to avoid security risks and developers on how to avoid writing insecure applications.
- This project must be able to integrate with the existing OSVDB portal
- This project must have an interface that allows users to create their own training material
- This project must have an interface that allows users to create their own training quizzes
- This project must have an interface to provide reports and track the results
- A user needs to be able to create a custom quiz or select from a list of OSVDB-published quizzes
- A user needs to be able to send a quiz to multiple people by entering their email addresses
- The system will track the quiz and its results based on the emails sent via the training portal
- This project should allow users to provide comments and coaching information wiki-style to help educate
- The project will ultimately cross-reference OSVDB IDs. For example, when a user is viewing a specific vulnerability it will let them take a training course and a quiz to test their knowledge
OSVDB Personal Edition Phase II – Preferred language is Ruby on Rails
We released the OSVDB Personal Edition, a very small Ruby on Rails application that uses the SQLite database export to give you your own, albeit relatively feature-less, local OSVDB instance. This project is intended to take the OSVDB Personal Edition to the next level.
- This project will provide improvements and a seamless installation package
- This project will include new search features
- This project will include new features defined by you!
OSVDB Widgets and Gadgets – Preferred language is open for discussion!
OSVDB has a very strong online feature set, but a user needs to be logged in to use the services. This project is intended to use OSVDB as the main data source, but should be a security dashboard for professionals.
- Gadgets and widgets should work on OS X and/or Vista
- Should provide security news updates from multiple sources
- Should provide alerts when new advisories are released by vendors
- Should provide alerts for new vulnerabilities added to the OSVDB database
- Should provide search capabilities for OSVDB
- Must be able to support OSVDB API functionality
OSVDB Statistics Project – Preferred language is Ruby on Rails
This project is to create a flexible framework that can provide useful statistics on vulnerabilities from OSVDB. This project should take into consideration all of the fields and classifications in OSVDB.
- Should create and generate the standard/most popular graphs and charts each day and make them available
- Should allow very flexible and detailed statistics to be generated dynamically on demand by the user
- Some examples of statistics required:
  - Number of vulns by disclosure year
  - Detailed stats based on each vuln classification option (ALL OPTIONS)
  - Number of vulns by vendor
  - Number of vulns by product
  - Number of vulns that do not have a solution (and by vendor)
  - Time from when a vuln was discovered to when it was disclosed
  - Trend of the number of vulns released per day
- Create a stats application that allows users to dynamically generate stats based on their own requirements
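To make the requested statistics concrete, here is an added Ruby example (written for this page, not code from OSVDB) that computes several of them over a small constructed data set. The record layout used (vendor, product, discovered, disclosed, solution) is an assumption for the example and not OSVDB’s schema or export format; the interesting part is how unknown discovery dates and missing solutions are handled rather than silently counted as zero.

```ruby
# Added example, not OSVDB code: a handful of the statistics the project
# lists, computed over a constructed set of entries. The record layout
# (vendor, product, discovered, disclosed, solution) is an assumption made
# for this example, not OSVDB's actual schema or export format.

require 'date'

# Constructed sample entries. discovered and solution may be unknown (nil),
# which is exactly the case the statistics code has to cope with.
SAMPLE_VULNS = [
  { id: 1, vendor: 'Acme',   product: 'Widget', discovered: '2007-11-02', disclosed: '2007-12-01', solution: 'Upgrade to 2.1' },
  { id: 2, vendor: 'Acme',   product: 'Widget', discovered: nil,          disclosed: '2008-01-15', solution: nil },
  { id: 3, vendor: 'Acme',   product: 'Gadget', discovered: '2008-01-10', disclosed: '2008-01-15', solution: nil },
  { id: 4, vendor: 'Globex', product: 'Server', discovered: '2007-12-20', disclosed: '2008-02-03', solution: 'Vendor patch' },
  { id: 5, vendor: 'Globex', product: 'Server', discovered: '2008-02-03', disclosed: '2008-02-03', solution: nil },
].freeze

# Generic "number of vulns by <field>" counter; used for vendor, product
# and any classification option that has a single value per entry.
def count_by(vulns, field)
  vulns.each_with_object(Hash.new(0)) { |v, h| h[v[field]] += 1 }
end

# Vulns per disclosure year.
def vulns_by_disclosure_year(vulns)
  vulns.each_with_object(Hash.new(0)) { |v, h| h[Date.parse(v[:disclosed]).year] += 1 }
end

# Vulns with no solution, broken down by vendor.
def unsolved_by_vendor(vulns)
  count_by(vulns.select { |v| v[:solution].nil? }, :vendor)
end

# Discovery-to-disclosure delay in days. Entries whose discovery date is
# unknown are excluded rather than counted as zero, and the number of
# entries actually used is reported so the reader knows the sample size.
def disclosure_delay_stats(vulns)
  delays = vulns.reject { |v| v[:discovered].nil? }
                .map { |v| (Date.parse(v[:disclosed]) - Date.parse(v[:discovered])).to_i }
                .sort
  return { count: 0, median: nil, max: nil } if delays.empty?
  n = delays.size
  median = n.odd? ? delays[n / 2].to_f : (delays[n / 2 - 1] + delays[n / 2]) / 2.0
  { count: n, median: median, max: delays.last }
end

# Vulns disclosed per day over an inclusive date range, zero-filled so the
# series can be charted directly without gaps on quiet days.
def daily_disclosure_trend(vulns, from, to)
  series = (Date.parse(from)..Date.parse(to)).each_with_object({}) { |d, h| h[d.iso8601] = 0 }
  vulns.each { |v| series[v[:disclosed]] += 1 if series.key?(v[:disclosed]) }
  series
end

if $PROGRAM_NAME == __FILE__
  p vulns_by_disclosure_year(SAMPLE_VULNS)
  p count_by(SAMPLE_VULNS, :vendor)
  p unsolved_by_vendor(SAMPLE_VULNS)
  p disclosure_delay_stats(SAMPLE_VULNS)
  p daily_disclosure_trend(SAMPLE_VULNS, '2008-01-14', '2008-02-03')
end
```

Reporting the median rather than only the mean for the discovery-to-disclosure delay matters in practice: a single entry with a years-old discovery date would otherwise dominate the average, and the count tells the reader how many entries had both dates at all.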
OSVDB Vulnerability Visual Mapping – Preferred language is open for discussion!
This project is to create a visual mapping of all vulnerabilities in OSVDB. This will allow users to visually search the database and also to see the relationships between vulnerabilities. Have you ever seen music plasma? This could be pretty challenging, but we have been wanting to see this project done for a long time!
Vulnerability and Patch Management Portal – Preferred language is Ruby on Rails
This project is to create a flexible framework that gives organizations the ability to track and manage vulnerabilities and patches. OSVDB is looking not only to provide information on vulnerabilities but to be a service that gives security professionals a way to track and ensure that vulnerabilities have been addressed at their organization.
- This project must be able to integrate with the existing OSVDB portal
- Should allow users to manage the life cycle of vulns and patches
- Should allow users to select vulnerabilities or patches based on their OSVDB watchlist
- Should create a lifecycle that alerts a user when a new vulnerability or patch is released and enters the portal
- Users can then track their organization’s progress through: Research, Test, Implementation, Closure
- The project should allow an organization to show compliance with respect to vulnerabilities and patches
Vulnerability Cross References and Scraper – Preferred language is Ruby on Rails, and open for discussion!
OSVDB is a project that aims to have as many references to vulnerabilities as possible. Unfortunately, in most cases volunteers have to search by hand to find more information to add to an entry. The goal of this project is to create a module that can search multiple security resources and cross-reference OSVDB entries to those resources.
- Cross-reference OSVDB IDs and provide references that are missing
- Search the following (all external references OSVDB uses) for a string: Bugtraq, Bugtraq Mailing List, CVE, Full-Disclosure Mailing List, ISS X-Force, Nessus, OSVDB, Packetstorm, Secunia, Securiteam, Security Tracker, Snort
- Search the resources based on user-supplied check boxes for refined/targeted searches
- Offer a simple search that pulls back just a summary of findings
- Offer a recursive search for some sites. If the entry at another site (for example CVE) is known, then it should be an option to pull back all of the other references in that entry as well
- Should be a framework that allows new security sites to be added when they become available
- Should run once a night and look at all entries (even old ones) to see if there are more references that can be added
- There should be some kind of approval process, or a quick way that we can automatically add the references to the appropriate IDs
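The recursive search and the nightly "find what is missing" pass above are essentially a graph walk over other sites’ reference lists, and the part that needs care is stopping: sites reference each other in cycles (CVE lists Secunia, Secunia lists CVE), and following every link forever would hammer the sites and produce nothing new. The following added Ruby example (written for this page, not OSVDB’s module) shows that walk offline. The external sites are modelled as a constructed in-memory index from (source, id) to the references that entry lists; a real implementation would put a fetch-and-parse per site behind the same lookup call. The source names, IDs and references in the index are all constructed for the example.

```ruby
# Added example, not OSVDB code: the "recursive search" and nightly
# missing-reference pass of the cross-reference project, run offline
# against constructed data instead of live sites. EXTERNAL_INDEX stands in
# for fetching and parsing each site's entry page; every ID in it is made up.

require 'set'

Ref = Struct.new(:source, :id) do
  def to_s
    "#{source}:#{id}"
  end
end

def ref(source, id)
  Ref.new(source, id)
end

# Constructed: what each external entry lists as its own references.
# Note the cycles (CVE <-> Secunia <-> Bugtraq), which a naive walk would loop on.
EXTERNAL_INDEX = {
  ref('CVE', 'CVE-2008-0001')        => [ref('Bugtraq', '27001'), ref('Secunia', '28001'), ref('ISS X-Force', '39001')],
  ref('Secunia', '28001')            => [ref('CVE', 'CVE-2008-0001'), ref('Bugtraq', '27001'), ref('Security Tracker', '1019001')],
  ref('Bugtraq', '27001')            => [ref('CVE', 'CVE-2008-0001'), ref('Secunia', '28001')],
  ref('Security Tracker', '1019001') => [ref('Secunia', '28001')],
}.freeze

# Sources whose entries the walker is allowed to follow; this is the
# "user supplied check boxes" part of the spec.
RECURSIVE_SOURCES = ['CVE', 'Secunia', 'Bugtraq', 'Security Tracker'].freeze

# The one place a real module would fetch and parse a page.
def lookup_references(r, index: EXTERNAL_INDEX)
  index.fetch(r, [])
end

# Starting from the references an OSVDB entry already has, follow the
# enabled sources transitively. A seen-set prevents cycles and max_depth
# bounds the number of hops even if a site keeps pointing somewhere new.
def expand_references(known, sources:, max_depth: 3, index: EXTERNAL_INDEX)
  seen = known.to_set
  frontier = known.select { |r| sources.include?(r.source) }
  depth = 0
  until frontier.empty? || depth >= max_depth
    next_frontier = []
    frontier.each do |r|
      lookup_references(r, index: index).each do |found|
        next if seen.include?(found)
        seen << found
        next_frontier << found if sources.include?(found.source)
      end
    end
    frontier = next_frontier
    depth += 1
  end
  seen.to_a
end

# Only what the OSVDB entry does not already have, i.e. the candidates
# that go into the approval queue (or are auto-added for trusted sources).
def missing_references(osvdb_refs, sources:, **opts)
  expand_references(osvdb_refs, sources: sources, **opts) - osvdb_refs
end

# The nightly pass: entries is { osvdb_id => [Ref, ...] }; returns only the
# entries that gained something, so an empty result means nothing to review.
def nightly_scan(entries, sources: RECURSIVE_SOURCES, **opts)
  entries.each_with_object({}) do |(osvdb_id, refs), report|
    found = missing_references(refs, sources: sources, **opts)
    report[osvdb_id] = found unless found.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  report = nightly_scan({ 40_001 => [ref('CVE', 'CVE-2008-0001')], 40_002 => [ref('Nessus', '30001')] })
  report.each { |id, refs| puts "OSVDB #{id}: add #{refs.map(&:to_s).join(', ')}" }
end
```

Two design points carry over to the real thing: the depth bound and the seen-set are what keep a nightly run over every entry from turning into an unbounded crawl of the reference sites, and keeping the lookup behind a single function is what lets a new site be added later without touching the walk itself.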
New security project? New security scanner? New OSVDB feature? – Preferred language is open for discussion!
- Have an idea for a new security scanning tool?
- Have an idea for a new feature that is missing from OSVDB?
- Have an idea that can use information from our web scanning database?
- Have an idea for a security scanner that searches a local server for vulnerable scripts?