April 02, 2004

Open Source Vulnerability Database Goes Live

Heard today that the Open Source Vulnerability Database (OSVDB) has gone live. Congratulations guys!

OSVDB is an independent and open source database created by and for the community. Their goal is to provide accurate, detailed, current, and unbiased technical information about vulnerabilities. Tools like Snort and Nessus are now incorporating the database directly into their products.

I really like the idea of OSVDB, but wish they could work more closely with CERT and the Common Vulnerabilities and Exposures (CVE) database. We don't need yet another database. We need a vendor neutral one that everyone is willing to follow and support.

They say the overall goals of the project are to promote greater, more open collaboration between companies and individuals, eliminate redundant works, and reduce expenses inherent with the development and maintenance of in-house vulnerability databases. I think time will tell if they are actually going to meet these goals in relation to the already available systems out there.

<RANT>
This is one of the things I sometimes feel is a double-edged sword for OSS. (Compounded in the last 5 years with the growth of Linux.) If someone doesn't like the way it's done, they can branch and go do it themselves. Yet rarely do these projects last very long. Unless the branch gets a good following, boredom, other priorities or life in general seems to kill off the project. Freshmeat and Sourceforge continue to show how this plagues the community, and I just don't get it.

A lot of people don't always agree with the way CVE runs, but it works. And has worked for some time. And it is already integrated into tools like Nessus. Why do we need another one? Let's focus on making one GREAT.
</RANT>

Anyways, I mean no disrespect to the group over at OSVDB. As I said, I like the idea... just wish energies could be focused on one database we can all tap into. OSS or not.

Posted by SilverStr at April 2, 2004 11:57 AM
Comments

How is the OSS rant different from non-OSS?

There's dozens of software companies writing very similar commercial/proprietary IP. Obviously nobody asks why don't they just join forces and create one really good one?

The big difference is that when a tech-startup fades away, its code typically disappears as well. Gone forever. With OSS, people can still learn from the good & bad parts of those dormant projects.

Posted by: Wim at April 3, 2004 12:25 AM

I'm sorry Wim, but that doesn't hold water for me. I agree with you that tech-startups can fade away and IP can be lost, but while they are building their IP they have both a financial interest, and a business viability concern to see it succeed. That is NOT always the case when a college student wants to hack another fork.

Moreover, there is money changing hands.... which makes a difference. Very few OSS projects have succeeded without someone having a financial interest in the project. Money is funneled into projects through the payment of developers' salaries, or companies taking on entire projects for the better of THEIR products, which benefits the whole OSS community. (Which is one of the things I like about OSS.)

Need proof? Samba was worked on at Whistlejet as part of their commercial product. Apache formed the Apache Software Foundation to handle financial support when they needed continued support past the Apache Group. Watchguard paid Rusty to write IPChains and integrate into their firewall. Transmeta paid Linus and allowed him to continue on the kernel. Alan Cox was paid by Redhat to continue his work. Shall I go on? The success of most OSS (especially how it relates to Linux) has had funding from some source that makes money from it somewhere down the line. THERE IS NOTHING WRONG WITH THAT. Just put that in context when you then compare it to other OSS that doesn't get the funding.

My point is that CVE is already succeeding and works really well. It covers off vulnerabilities for both proprietary and open source software, and has both community and vendor buy in. If you look at the CVE Editorial Board members (http://www.cve.mitre.org/board/boardmembers.html) you will already find that it has wide adoption and is used by many. And it has financial support from the DHS.

The key to information sharing is having a solid source you can rely on. When there are lots of different databases holding different stuff, maintained at different levels of integrity, intelligence cannot be properly shared. You only have to look at the failures in the signal intelligence world between the NSA, CIA and FBI before 9/11 to see how that doesn't work.

The world doesn't need another vulnerability database. What it needs is a better way to share information for information security professionals and security engineers so we can adopt a simple and clean 'immediate and proper response' plan for new threat vectors.

Posted by: SilverStr at April 3, 2004 12:34 PM