OSVDB: Project Aims

Introduction
The Open-Source Vulnerability Database (OSVDB) project manages a master collection of computer security vulnerabilities, available for free use by the world's information-security community. This collection contains information on known security weaknesses in operating systems, software products, protocols, hardware devices, and other elements of the world's information-technology infrastructure. The OSVDB project is intended to be the central open-source vulnerability collection on the Internet.
A vulnerability database serves many communities: businesses need to know whether elements of their current or planned computing environment are susceptible to security failures, system administrators want alerts to relevant security malfunctions and their cures, software developers need warning when their products have shown security flaws, and security practitioners depend on a comprehensive and standardized vulnerability list to build products and services.[1] It has been difficult to develop a comprehensive, unbiased, and timely resource that gives these groups (and many others) what they need.

(See reference [2] below.)
One reason for the difficulty is that documenting and disseminating vulnerabilities has become an enormous task. CERT identified just under 200 vulnerabilities in 1995, but reported 3,784 in 2003: an increase of over 2,000 percent in seven years. CERT's counts are considered conservative and the actual number of vulnerabilities facing administrators, developers, and organizations may actually be higher.
The effort required to track vulnerabilities exceeds the resources of most organizations, and the volume of information appearing each year is unlikely to decrease. To meet the growing need for vulnerability management, the OSVDB plans to harness the efforts of the world's security practitioners and the power of the open-source development model to locate, verify, and document this critical information.
Like the Linux and Apache projects, the OSVDB aims to be the leading open-source project in its field. By maintaining a close connection with the security community, by remaining unaffiliated with commercial interests and open to community content development, and by actively promoting excellence in its operation, the OSVDB will provide a stable, world-class resource for all security projects and practitioners.
Vulnerability Databases
A vulnerability is an error or weakness in a component that allows it to be attacked, resulting in unauthorized use of the item or in damage to it and components connected to it. In an information-technology network like the Internet, successful exploitation of vulnerabilities can result in operating-system damage, illegal release of information, data destruction, disruption of service, and a galaxy of other tribulations.
Although we often discuss vulnerabilities in general terms like "open to man-in-the-middle attack" or "allows remote buffer overflow", attackers and defenders know that the essence of a security vulnerability is never the general description, but rather the vulnerability's specific details. There are very few generic attacks that will work against multiple targets. Similarly, there are few general vulnerabilities that simultaneously affect different network components. Instead, the classic vulnerability affects a single feature of one release of a software product installed under a single operating system, a feature that can be exploited in only one way.
Out of the trillions of lines of code running in networked systems, this dangerous vulnerability may exist in a single line. It is a unique grain of sand in a mile-long beach. How do those with systems containing that unique flawed line know they are potential victims? And how do they identify a solution? As the number of network components grows every year, the number of vulnerabilities grows also.
Annual vulnerability announcements number in the thousands, well beyond the capacity for human memory to manage. Well-organized databases, with verified contents and flexible search abilities, are required if these vulnerabilities are to be controlled by the security community. The OSVDB provides the necessary structure, technology, and content to support that community requirement for vulnerability management.
The Open-Source Vulnerability Database Project
The OSVDB project was launched in 2002 following a realization in the security community that no independent, community-operated vulnerability database existed. There were, and still are, numerous vulnerability databases. Some of these databases are managed by private interests to meet their own requirements, while others contain a limited subset of vulnerabilities or have significant restrictions on their content. None are simultaneously comprehensive, open for free use, and answerable to the community. The OSVDB's organizers have set out to implement a vulnerability database that meets all those requirements.

The OSVDB is currently an active web application, available at www.OSVDB.org. It has two major parts: a "front end" allows vulnerabilities to be searched for and reported on, and a "back end" allows contributors to add or edit vulnerabilities.
The OSVDB moderators identify new vulnerabilities and assign them to individual contributors or "manglers". Manglers scour the Web for information describing a vulnerability, then capture the details in a database record within the OSVDB itself. A moderator checks each vulnerability entry before it is committed, to ensure that the OSVDB's standards for clarity and correctness are met. Once the record has been accepted, it is available to anyone requiring vulnerability information from the database. [3]
The process is rapid, making new vulnerabilities available to the community quickly. It is also efficient, maximizing productivity for the manglers and moderators so that the team can keep above the rising tide of vulnerability data. The on-line process and the automation that supports it have been improved continuously since the project opened on the web, and the OSVDB team will continue to add value to the basic database and associated services over time.
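The two-part workflow just described (contributors draft entries in a back end, a moderator reviews each one before it is committed, and only committed entries are visible through the front end) can be modelled in a few dozen lines. The code below is an added illustration, not OSVDB's own code or schema; the class names, field names, the `pending`/`accepted`/`rejected` states and the sample product and advisory URL are all assumptions constructed for the example. The point it demonstrates is the separation of duties: a contributor cannot publish directly, a contributor cannot review their own entry, and the public search never sees unreviewed or rejected records.

```python
"""Toy model of a moderated vulnerability database (added example, not OSVDB code).

Back end: contributors ("manglers") submit drafts; a moderator accepts or rejects.
Front end: searches and ID lookups only ever return accepted entries.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VulnEntry:
    """One database record. Field names are assumptions for this example."""
    entry_id: int
    title: str
    product: str
    summary: str              # business-level description for non-technical readers
    details: str              # technical details for administrators and developers
    sources: List[str]        # where the contributor found the information
    submitted_by: str
    status: str = "pending"   # pending -> accepted | rejected
    reviewed_by: Optional[str] = None


class Backend:
    """Contributor side: drafts are queued for review, never published directly."""

    def __init__(self) -> None:
        self._next_id = 1
        self.entries: Dict[int, VulnEntry] = {}

    def submit(self, mangler: str, title: str, product: str, summary: str,
               details: str, sources: List[str]) -> int:
        # Reject incomplete drafts before they reach a moderator.
        if not (title and product and summary and details and sources):
            raise ValueError("incomplete entry")
        entry = VulnEntry(self._next_id, title, product, summary, details,
                          list(sources), submitted_by=mangler)
        self.entries[entry.entry_id] = entry
        self._next_id += 1
        return entry.entry_id

    def review(self, moderator: str, entry_id: int, accept: bool) -> str:
        entry = self.entries[entry_id]
        if entry.status != "pending":
            raise ValueError("entry already reviewed")
        if moderator == entry.submitted_by:
            # Separation of duties: the author of a draft cannot commit it.
            raise PermissionError("a contributor may not review their own entry")
        entry.status = "accepted" if accept else "rejected"
        entry.reviewed_by = moderator
        return entry.status


class Frontend:
    """Public side: exposes only committed (accepted) entries."""

    def __init__(self, backend: Backend) -> None:
        self._backend = backend

    def search(self, term: str) -> List[VulnEntry]:
        term = term.lower()
        return [e for e in self._backend.entries.values()
                if e.status == "accepted"
                and (term in e.title.lower() or term in e.product.lower())]

    def lookup(self, entry_id: int) -> Optional[VulnEntry]:
        """What a scanner would call to enrich a finding by database ID."""
        e = self._backend.entries.get(entry_id)
        return e if e is not None and e.status == "accepted" else None


def demo() -> List[int]:
    """Walk one draft through the workflow; returns IDs visible to the public."""
    db = Backend()
    fe = Frontend(db)
    # Constructed sample data for a fictitious product.
    good = db.submit("mangler-a", "ExampleHTTPd denial of service", "ExampleHTTPd 1.0",
                     "A remote user can make the web server stop responding.",
                     "Malformed request handling leads to a server crash; fixed in 1.1.",
                     ["https://vendor.example/advisory-001"])
    dup = db.submit("mangler-b", "ExampleHTTPd denial of service (duplicate)",
                    "ExampleHTTPd 1.0", "Same issue as above.", "Duplicate report.",
                    ["https://vendor.example/advisory-001"])
    assert fe.search("ExampleHTTPd") == []          # nothing public before review
    db.review("moderator-1", good, accept=True)
    db.review("moderator-1", dup, accept=False)     # rejected entries stay hidden
    return [e.entry_id for e in fe.search("ExampleHTTPd")]


if __name__ == "__main__":
    print(demo())  # [1]
```

The `lookup` method is the hook a tool such as a scanner would use: it resolves a database ID to a record only when that record has passed review, so downstream reports never carry unvetted data.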
Project Goals
There is room in the security world for several strategies for managing security vulnerabilities. Each approach has its own advantages. The OSVDB is unique in being completely community-based, but it has other strengths as well.
Many security endeavors benefit from a single source listing all vulnerabilities, in contrast to a "federated" approach where multiple vulnerability lists have to be queried and the results combined to get a comprehensive result. Developers creating vulnerability-assessment tools, system administrators protecting servers and networks, business staff assessing risks and remedies, academic researchers documenting and analyzing the past and future of network security: all expend effort to identify vulnerabilities, all work to document them consistently, all can benefit from a single, comprehensive source of vulnerability data. The OSVDB is this source, reducing duplication of effort while it promotes data consistency.
Serious users of any database evaluate its sources and practices before placing trust in its contents. The OSVDB is unbiased and neutral in its practices for accepting, reviewing, and publishing vulnerabilities. Its open acceptance of community input and internal review processes ensure that the vulnerability database is not colored by vendor-related biases. The OSVDB team works hard to ensure that content evenly reflects the actual distribution of vulnerabilities, neither over-exposing nor under-exposing particular operating systems, products, or vendors.

Some have raised concerns that such a comprehensive security database may present potential dangers of its own. This is security's classic "disclosure" problem. Can a vulnerability database help an attacker? It may do so, but it provides a far more significant benefit for defenders. Without much of a stretch, Google can be considered the largest and most detailed vulnerability database in the universe. It operates whether or not other vulnerability lists exist, and provides the ultimate resource for the dedicated attacker. In contrast to Google, the OSVDB organizes and validates vulnerability data so that security professionals can easily use it.
Given the breadth of information-security problems affecting businesses and individuals, it is easy to understand that subscribers to security information span a wide range of technical background and skills. At times, some software vendors have been criticized for releasing vulnerability information that lacks the details system administrators need. Others have drawn fire for complex vulnerability reports that confuse home users and non-technical staff. The OSVDB includes both business-level descriptions and technical details for the vulnerabilities in the database. Creating and supplying the proper type of information for the intended audience allows the OSVDB to serve all consumers of vulnerability information.
Many security operations, whether stand-alone organizations or security departments within corporations, operate under tight funding, and need to rely on the free efforts of others to be successful. The OSVDB's features and services benefit all security practitioners because they are universally available, without distribution controls and without fees or charges. Like the results of the Apache project, the OSVDB deliverables can be freely used, whether as stand-alone components or integrated into other tools. For example, an open-source web vulnerability scanner like Nikto can use OSVDB data to populate reports from a vulnerability scan. Nikto's development team conserves effort in finding and documenting vulnerabilities, and the security community benefits from Nikto's comprehensive and consistent reporting capabilities.
OSVDB organizers believe that more than one vulnerability database is needed to meet the full variety of community requirements. A major summit meeting in the research community, the 2nd Workshop on Research with Security Vulnerability Databases, stated that "no single proposition satisfies all parties involved"[4] and that the parallel pursuit of different strategies would have the best opportunity for success. The OSVDB intends to fulfill the recognized community requirements for an open, centralized resource. While it references the other vulnerability databases, it develops its own database entries to ensure that there are no restrictions on distribution and re-use of the OSVDB vulnerability data: its contents are free of cost and free of restrictions on use.
Future Plans
The OSVDB team has identified several areas of future growth in the OSVDB operations and outcomes. Some of the key items to be addressed in its future releases include the following:
Policy

People

Products

Conclusion
The OSVDB provides an important service for the security community by maintaining and propagating an open, freely-available database of security vulnerabilities. As Stewart Brand said, "information wants to be free". This is doubly true for security information, which can protect network users and organizations from harm. The project is already significant to the world security community, and it will increase in importance as its contents grow and as it adds features and services over time.
References
CERT. 2003. CERT/CC Statistics 1988-2003: Vulnerabilities reported. <http://www.cert.org/stats/cert_stats.html>
Landwehr CE, Ma L, Mandujano S, Song G, Meunier P. 2001. Sharing Vulnerability Information Using a Taxonomically-Correct, Web-Based Cooperative Database. Lafayette, IN: Purdue University, Center for Education and Research in Information Assurance and Security (CERIAS); 2001 Feb 12. 12 p. <https://www.cerias.purdue.edu/papers/archive/2001-03.pdf>
Meunier PC, Spafford EH. 1999 June. Final Report of the 2nd Workshop on Research with Security Vulnerability Databases; January 1999. West Lafayette, IN: Purdue University.
Schumacher M, Haul C, Hurler M, Buchmann A. 2000. Data Mining in Vulnerability Databases. Darmstadt University of Technology; 2000 March 22. 12 p. <http://www.ito.tu-darmstadt.de/publs/pdf/sdb-dfn-cert-eng.pdf>