A collaborative project intended to give network managers a comprehensive, unbiased source of information on software vulnerabilities has gone live, delivering its entire library of flaws under an open-source licence.
The Open Source Vulnerability Database (OSVDB), made available to the public last week, is intended as a clearing-house for verified vulnerability information, collecting and organising the thousands of vulnerability reports that surface each year so that IT managers don't have to.
Unlike the many security databases already available, it aims to be answerable to the security community, to be freely available and to function as a resource for developers, system administrators, business staff carrying out risk assessments, and academics.
"All can benefit from a single, comprehensive source of vulnerability data," the group said. "The OSVDB is this source, reducing duplication of effort while it promotes data consistency."
Entries in the database contain references to other sources, but the OSVDB team also creates its own database entries for each reference, to ensure that there are no restrictions on the distribution and re-use of the content. Entries are currently covered by a working-draft open source licence with the final project licence promised for the second quarter of this year.
Companies are increasingly reliant on well-organised databases to keep track of the thousands of vulnerability announcements arriving each year; the number of security flaws discovered each year has risen more than 2,000 percent since 1995, according to security organisation CERT. Specialist companies have responded to the need with databases such as BugTraq from SecurityFocus, acquired in 2002 by Symantec. Individual vendors also provide their own databases of flaws in their own software.
None of these, according to OSVDB, are at the same time comprehensive, answerable to the community and freely available. SecurityFocus, for example, publishes advisories first to subscribers, only later making them available to the public.
Like open-source software projects, the database relies on the efforts of volunteers who are already professionals in the field. A small group coordinates the OSVDB's activities, with more than two dozen others helping to verify and edit entries. The project said it has so far catalogued nearly 1,900 vulnerabilities, with another 2,700 awaiting verification.
The project concedes that a major task will be ensuring that a steady supply of volunteers can be found to keep things running. "The long-term viability of the OSVDB project depends on continuous success in recruiting new participants, and in recognizing the contributions of those who work within the project," the group said. OSVDB is planning publicity and recruitment initiatives starting this spring.
Currently the database can be searched through the OSVDB website, with an XML-formatted version on the way for searching by automated processes. The team is also prototyping an automated RSS-like "push" mechanism for alerts.
The database can be integrated into third-party security software, and is already compatible with three open-source products: the Snort intrusion detection system, the Nessus network scanner and the Nikto Web-server scanner.
Secunia, which sells managed security services and provides a commercial database similar to the OSVDB, said the service should complement commercial offerings. "I think what they're doing is very positive; it's good that there's a non-commercial alternative," said CTO Thomas Kristensen.
"We offer a database of fixes, which is aimed at system administrators, but the OSVDB will also be useful for people like security researchers and software developers. They are going back to historical vulnerabilities, which is not something we're doing right now," he added.
He said that the OSVDB is not updated as quickly as Secunia's own database, which has some commercial restrictions. Like the OSVDB, Secunia's service includes references to advisories from other lists and from vendors, but does not include as much original material in each database entry.