Monthly Archives: June, 2008

OSVDB Featured in the Open Source Business Resource (OSBR)

OSVDB is featured in the June issue of the Open Source Business Resource (OSBR) and is now available at the OSBR website. We were contacted and asked if we would like to include our original OSVDB Aims white paper in the issue. This was really the prompting that we needed to take the time to update the project’s successes since the launch and provide some additional information about the future of OSVDB.

We would like to thank Dru Lavigne and OSBR for their support and encourage you to take a look at the issue. The OSVDB article can be found at:

OSBR’s editorial theme for June is “Security” and here is a listing from the table of contents:

- Jake Kouns, president of the Open Security Foundation, introduces the Open Source Vulnerability Database Project.
- David Maxwell, Open Source Strategist at Coverity, discusses the findings from Coverity’s analysis of over 55 million lines of open source code.
- Robert Charpentier from Defence Research Establishment Valcartier and Mourad Debbabi, Azzam Mourad and Marc-André Laverdière from Concordia University present a summary of their research into providing security hardening for the C programming language.
- Frederic Michaud and Frederic Painchaud from Defence Research and Development Canada describe their evaluation of automated tools that search for security bugs.
- Key messages from Carleton University’s Stoyan Tanev’s recent presentation on technology marketing trends and the Eclipse Foundation’s Ian Skerrett’s presentation on building successful communities.
- Michael Geist, Canada’s Research Chair of Internet and E-commerce Law, explains why the proposed Bill C-61 does not address the rights of Canadians.
- Alan Morewood from Bell Canada provides an example of open source meeting a business need.

Next month’s editorial theme is “Accessibility” – contact the OSBR Editor if you are interested in a submission.

Coffee makers are SCADA, right?!

Steven Christey of CVE posted a question about VDBs and the inclusion of coffee makers. Yes, you read that correctly: vulnerabilities are being found in coffee makers that are network accessible. Don’t be surprised; we all knew the day was coming when every household appliance would become IP aware.

Before you laugh and spew your own coffee all over the keyboard, consider that the vulnerabilities are legitimate in the sense that a remote attacker can manipulate how the device performs and possibly do physical damage to the unit. This is really no different than SCADA devices such as air conditioners that are IP aware.

Some replies (like mine) were a bit more serious, suggesting this type of vulnerability is definitely worth inclusion in OSVDB. If we can’t draw the line between coffee makers, air conditioners and other SCADA devices today, will we be able to a year or years from now? At some point, the blur between computing device and household appliance will be too hard to distinguish. Rather than waste too much time arguing that line, why not track these few vulnerabilities now? They might be a bit primitive, but will surely show historic value if nothing else.

Other replies were a bit less serious but fun, suggesting that making weak (or no) coffee would lead to disgruntled code writers who produce poor code filled with more vulnerabilities. Either way, count on us to include vulnerabilities in your favorite IP aware devices, kitchen, computing or otherwise, in this database.