The Open-Source Vulnerability Database (OSVDB) project maintains a master list of computer security vulnerabilities, freely available for use by security professionals and projects around the world. Vulnerability information is critical for the protection of information systems everywhere: in enterprises and other organizations, on private networks and intranets, and on the public Internet.
The OSVDB project has been successful in fulfilling its original objectives. After a significant period of development - in effect, an "alpha" release - it has been opened to the public (31 March 2004). The project concentrated at first on establishing a core group of project organizers, on creating the technical infrastructure to collect and validate vulnerability data, and on building a team of contributors to create the open-source vulnerability records. These goals have been met, and the OSVDB team is now planning its next stage of growth. The following sections outline the major objectives for the next six to twelve months.
Open-source projects are defined in part through the mechanism of open-source licenses, which allow the free distribution and use of the projects' intellectual property as building blocks for other projects. Making the fruits of one project freely available to others encourages further community participation, continual refinement of each project's contents, and propagation of new ideas and solutions. To obtain these advantages, the OSVDB project needs to develop a comprehensive open-source license covering its processes, its software, and its database of vulnerabilities.
The mechanism of the vulnerability database and its contents, the vulnerabilities themselves, are the product of thousands of hours of work by volunteer members of the OSVDB project. These contributors wish their work to be freely available to other security projects and to security professionals around the world. At the same time, the project wishes to allow commercial projects and organizations to benefit from its efforts, although the licensing terms for these groups may not be the same as for open projects and individual security professionals.
Research and analysis of licensing alternatives for the OSVDB products and services are actively underway at present. The OSVDB project team expects to produce the final project license in the second quarter of 2004. In the meantime, a working-draft license is in force (see the OSVDB website at http://www.osvdb.org/license.php).
Formal Non-Profit Standing
There are a number of ways to structure an open-source project to give it a formal status in the eyes of the government and of the law. The OSVDB's original organization was informal and provided no legal protection against commercial acquisition and exploitation of the OSVDB vulnerability database. Neither did it supply a basis for tax exemptions to organizations making capital contributions to the project. Finally, without a formal organizational status, it could not seek funding and other partnerships with government, enterprise, and other organizations. As the OSVDB project has become established and has grown, it has become progressively more important to move it onto a suitable legal structure.
The OSVDB team is currently working to provide the required legal status by incorporating an organization under United States law. The organization, tentatively named the Open Security Foundation, will be a private not-for-profit foundation. Its mission is to make information-technology (IT) security information and services freely available to all who need it. The foundation's initial project will be the Open Sourced Vulnerability Database, but it will be capable of hosting additional security projects and will actively seek out suitable ones.
The new legal status will allow the OSVDB to continue its growth within a legal framework that protects the vulnerability database from future commercial exploitation. This protection will reassure current and future participants that their freely-given efforts will not become the property of a for-profit entity, as has sometimes happened with other open security projects. The new foundation will also allow fund-raising from government and corporate sources, to build the OSVDB's technical infrastructure and enhance its services. This major step is expected to be complete by the third quarter of 2004.
OSVDB Ethical Vulnerability Disclosure
The OSVDB receives vulnerability information from a variety of sources. From time to time, an incoming vulnerability report will be completely new: unknown to the general security community and often unknown to the developer or vendor of the affected product as well. These zero-day vulnerabilities and exploits represent a sensitive subject in security research. The OSVDB needs a policy for handling zero-day vulnerabilities that will meet the often-conflicting needs of the product's developer, its users, the vulnerability's original discoverer, and the community of security practitioners who will be called upon to manage and remedy the vulnerability.
The OSVDB wants to assist vulnerability discoverers to contact the affected product developer or vendor. This can be an onerous task for a private researcher. Some researchers prefer to maintain their anonymity and will not correspond with product developers, while others may not have a clear idea of the steps necessary to contact affected vendors. The new disclosure policy will allow these researchers to release their zero-day vulnerabilities through the agency of the OSVDB, which will contact vendors and arrange the public release of the vulnerability under an appropriate schedule.
Another element of the disclosure policy will be the timing associated with release of zero-day vulnerabilities. This area is the one where conflicting requirements most clearly arise. Product developers require a certain amount of time to verify the vulnerability, find its cause, and plan repairs. Additional steps that may consume time include testing and distributing the solution.
On the other hand, organizations using the affected product need warning of the vulnerability as soon as possible so they can protect resources that may suffer compromise if the vulnerability is exploited. A patch or upgrade from the vendor is the preferred method for obtaining this protection. But an astute security practitioner can often protect a vulnerable resource through other means, such as an upgraded firewall policy or enhanced intrusion-detection defenses. If a vendor patch is not forthcoming, the product's users need a detailed vulnerability warning to give them an opportunity to prepare these alternative forms of protection.
The OSVDB's policy on the release of zero-day vulnerability information will incorporate clear guidelines on the timing of notification to the product developer, and of notification to the open security community. The OSVDB's approach may not fully satisfy parties defending either of the two extremes in releasing vulnerability data: release immediately upon discovery, or release completely at the discretion of the vendor. It will, however, support an ethical and predictable process for this release. The policy is expected to be published in the second quarter of 2004.
An open-source project flies or falls based on the support of its volunteer participants. The most common reasons for failure of an open-source project are the inability to find and to retain these participants over time. The OSVDB has built a sturdy core group of participants during its pre-public release, and these contributors have built the current system and contributed thousands of vulnerabilities. But the long-term viability of the project depends on continuous success in recruiting new participants, and in recognizing the contributions of those who work within the project. Programs and initiatives to publicize the OSVDB's work and to recruit new participants will be pursued in the second quarter of 2004 and continuously after that.
Expansion of the Vulnerability Database
There are two main ways in which the database can be expanded: it can capture more data for each vulnerability record, or it can increase the number of vulnerabilities stored in the database. For a number of reasons, the type and amount of data stored for each vulnerability will remain stable in the foreseeable future. Instead, the project's major interest in the near term is to increase the number of vulnerabilities stored in the database.
The schema defining the OSVDB's vulnerability data reflects previous formal studies on vulnerability databases, and meets many of the important requirements for that data. A considerable effort is proceeding within the project to make it easy for interacting projects to use the data. A stable schema helps the other projects build the required interfaces to the OSVDB and incorporate OSVDB data into their own systems and reports. Changes to the current schema will be considered if proposed by the security community, but will be incorporated only at an appropriate time in the OSVDB's development.
In its initial development phase, the OSVDB project created an online content-management system to add vulnerability records to the database. The system supports the initial research and creation of records, the review process, and incorporation of the finalized records into the public database. Throughout initial use and testing, the system has been improved continuously to streamline the needed tasks and to make it easier to perform the research and cross-referencing needed to complete a vulnerability record. This focus on ease of use will help contributors work efficiently and will speed the creation of vulnerability records, leading to the desired expansion of the vulnerability database.
Advanced Vulnerability Retrieval
The vulnerability database is currently available in its entirety from the OSVDB website. This product serves software developers and other subscribers who require all the vulnerabilities, whether to use them in their entirety or to pass them through custom-developed and application-specific filters. For example, the web-server analysis tool Nikto would extract web-related vulnerabilities from the bulk database. In contrast to this bulk-data approach, many users need more selective access to the vulnerability records. A system administrator operating a department of Windows 2000 servers, for example, needs vulnerability data specific to that set of systems. Prospecting through the database as a whole is inefficient in this case.
The OSVDB will develop tools to make it easy to search the vulnerability database on-line so that straightforward queries are easy to make. It will also develop an interface so that repeated queries (e.g., a user's daily check for new vulnerabilities matching a specified set of computing platforms) can be done consistently. Further enhancements to the online query mechanisms will be built as the user community requires them.
For those requiring a higher degree of automation in querying and retrieving vulnerabilities, an XML-formatted database will be developed to mirror the contents of the core vulnerability database. Automated processes can then query the XML database remotely. An administrator's query can extract all vulnerabilities newer than the last request, for example, and can select for vulnerability types or affected platforms as well. This advance reduces the amount of redundant data that needs to be processed by OSVDB consumers and allows other efficiencies for both the consumers and the OSVDB.
Another approach to automating the delivery of vulnerability records will be tested when the preceding techniques are developed. The OSVDB system will prototype automated posting of vulnerabilities through an RSS-like "push" mechanism. Subscribers will receive each new vulnerability at the moment it is cleared into the database, and can choose to set customized filters to receive a subset of those records as needed.
The project's overall goal is to make the data available in forms required by the majority of its subscribers, allowing manual data extraction where required while also supporting current and future standards for automatic querying of the database. These new features are intended to be put in place over the second and third quarters of 2004. Each of the planned technical enhancements will make the OSVDB easier and more productive for its subscribers to use. The planned result is a system that efficiently meets the security needs of individuals, organizations, and software projects worldwide.
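The delta query sketched above (records newer than the consumer's last request, narrowed by affected platform or vulnerability type), as an added example that is not part of the original document or the OSVDB's own software. The XML element names, attributes and records are constructed assumptions, not the OSVDB schema.

```python
# Added example, not OSVDB code: an incremental, filtered pull from an XML
# mirror of a vulnerability database, as the roadmap describes. The element
# names, attributes and records are constructed, not the OSVDB's schema.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample mirror (not real OSVDB records).
SAMPLE_XML = """<vulnerabilities>
  <vuln id="1" added="2004-03-31T10:00:00Z" type="remote">
    <title>Example web server buffer overflow</title>
    <platform>Windows 2000</platform>
    <platform>Windows NT</platform>
  </vuln>
  <vuln id="2" added="2004-04-02T08:30:00Z" type="local">
    <title>Example privilege escalation</title>
    <platform>Linux</platform>
  </vuln>
  <vuln id="3" added="2004-04-05T16:45:00Z" type="remote">
    <title>Example web application SQL injection</title>
    <platform>Windows 2000</platform>
    <platform>Linux</platform>
  </vuln>
</vulnerabilities>"""

def parse_time(stamp):
    # The constructed records use ISO 8601 timestamps with a 'Z' suffix.
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def query_since(xml_text, last_request, platforms=None, vuln_type=None):
    """Return records added after last_request, optionally restricted to the
    given affected platforms and/or vulnerability type (the roadmap's delta query)."""
    root = ET.fromstring(xml_text)
    wanted = set(platforms or [])
    results = []
    for v in root.findall("vuln"):
        if parse_time(v.get("added")) <= last_request:
            continue  # already processed on a previous pull
        if vuln_type and v.get("type") != vuln_type:
            continue
        affected = {p.text for p in v.findall("platform")}
        if wanted and not (affected & wanted):
            continue  # none of the consumer's platforms are affected
        results.append({"id": v.get("id"), "title": v.findtext("title"),
                        "platforms": sorted(affected)})
    return results

if __name__ == "__main__":
    last = parse_time("2004-04-01T00:00:00Z")  # time of the previous pull
    print(query_since(SAMPLE_XML, last, platforms=["Windows 2000"]))
```

A consumer stores the timestamp of its latest pull and passes it as `last_request` next time, so each run returns only what was added in between.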
Active Integration With Vulnerability Tools
Tracking existing and new vulnerabilities is one of the toughest challenges for developers of security tools. When a vulnerability is found or documented, tool developers assess it to determine whether it will be included in the tool's scan files or other data structures. It may already be part of the tool, or it may fall outside of a tool's scope. OSVDB is working to streamline the process of identifying and setting priorities for the vulnerabilities it provides to tool developers. In brief, the OSVDB will assist vulnerability-tool developers to identify vulnerabilities that are not already represented in their products, and will provide a way to identify the high-priority vulnerabilities for immediate attention.
The OSVDB is relatively new in the arena of open-source projects. It was first conceived in the summer of 2002, and has already put in place much of the organization, technology, and process needed to meet its initial goals. Continuing to build on that foundation, however, will allow the OSVDB to become more useful and more central to the information-technology security community. The upcoming year promises not just incremental improvements to the OSVDB, but also innovations to the existing legal and organizational structure of the project, a focus on recruitment of project participants, and technical advances to make the project even more valuable to the security community.