|OSVDB: Project Aims|
The Open-Source Vulnerability Database (OSVDB) project manages a master collection of computer security vulnerabilities, available for non-commercial use by the world's information-security community. This collection contains information on known security weaknesses in operating systems, software products, protocols, hardware devices, and other elements of the world's information-technology infrastructure. The OSVDB project is intended to be the most complete vulnerability collection on the Internet.
A vulnerability database serves many communities: businesses need to know whether elements of their current or planned computing environment are susceptible to security failures; system administrators want alerts to relevant security malfunctions and their cures; software developers need warning when their products have shown security flaws; and security practitioners depend on a comprehensive and standardized vulnerability list to build products and services. It has been difficult to develop a comprehensive, unbiased, and timely resource that gives these groups (and many others) what they need.
(See reference below.)
One reason for the difficulty is that documenting and disseminating vulnerabilities has become an enormous task. CERT identified just under 200 vulnerabilities in 1995, but reported 3,784 in 2003: an increase of over 2,000 percent in eight years. CERT's counts are considered extremely conservative these days, and the actual number of vulnerabilities facing administrators, developers, and organizations is considerably higher.
The effort required to track vulnerabilities exceeds the resources of most organizations, and the volume of information appearing each year is unlikely to decrease. To meet the growing need for vulnerability management, the OSVDB had planned to harness the efforts of the world's security practitioners and the power of the open-source development model to locate, verify, and document this critical information. Ultimately, that model proved untenable, as volunteer support was extremely rare.
A vulnerability is an error or weakness in a component that allows it to be attacked, resulting in unauthorized use of the item or in damage to it and components connected to it. In an information-technology network like the Internet, successful exploitation of vulnerabilities can result in operating-system damage, illegal release of information, data destruction, disruption of service, and a galaxy of other tribulations.
Although we often discuss vulnerabilities in general terms like "open to man-in-the-middle attack" or "remote buffer overflow", attackers and defenders know that the essence of a security vulnerability is never the general description, but rather the vulnerability's specific details. There are very few generic attacks that will work against multiple targets. Similarly, there are few general vulnerabilities that simultaneously affect different network components. Instead, the classic vulnerability affects a single feature of one release of a software product installed under a single operating system, a feature that can typically be exploited in only one way.
Out of the trillions of lines of code running in networked systems, this dangerous vulnerability may exist in a single line. It is a unique grain of sand in a mile-long beach. How do those with systems containing that unique flawed line know they are potential victims? And how do they identify a solution? As the number of network components grows every year, the number of vulnerabilities grows also.
Annual vulnerability announcements now number close to ten thousand, well beyond the capacity for human memory to manage. Well-organized databases, with verified contents and flexible search abilities, are required if these vulnerabilities are to be controlled by the security community. The OSVDB provides the necessary structure, technology, and content to support that community requirement for vulnerability management.
|The Open-Source Vulnerability Database Project|
The OSVDB project was launched in 2002 following a realization in the security community that no independent, community-operated vulnerability database existed. There were, and still are, numerous vulnerability databases. Some of these databases are managed by private interests to meet their own requirements, while others contain a limited subset of vulnerabilities or have significant restrictions on their content. None are simultaneously comprehensive, open for free use, and answerable to the community. The OSVDB's organizers have set out to implement a vulnerability database that meets all those requirements.
The OSVDB is currently an active web application, available at www.OSVDB.org. It has two major parts: a "front end" through which vulnerabilities are searched for and reported on, and a "back end" through which contributors add or edit entries.
The OSVDB moderators identify newly disclosed vulnerabilities and assign them temporary ID numbers. These entries are then filled in by project moderators and employees of the Open Security Foundation (OSF). Once an entry is complete, a second reviewer checks it before it goes live with a public OSVDB ID.
There is room in the security world for several strategies for managing security vulnerabilities. Each approach has its own advantages. The OSVDB is unique in being historically complete, tracking a wider range of vulnerabilities than other databases, and using an extended classification along with a powerful search engine to facilitate greater information availability.
Many security endeavors benefit from a single source listing all vulnerabilities, in contrast to a "federated" approach where multiple vulnerability lists have to be queried and the results combined to get a comprehensive result. Developers creating vulnerability-assessment tools, system administrators protecting servers and networks, business staff assessing risks and remedies, academic researchers documenting and analyzing the past and future of network security: all expend effort to identify vulnerabilities, all work to document them consistently, and all can benefit from a single, comprehensive source of vulnerability data. The OSVDB is this source, reducing duplication of effort while it promotes data consistency.
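To make the cost of the "federated" approach concrete, the following script is an added illustration (not OSVDB code, and not a description of how OSVDB itself is built). It takes records for the same two flaws from three hypothetical feeds, each with its own field names, product spellings, and reference lists, normalizes them onto one schema, and clusters records that share a reference, transitively. The feed names, field names, products, and URLs are all constructed for the example; nothing here corresponds to a real advisory.

```python
"""Merge vulnerability records from several feeds into one deduplicated list.

Added illustration for the federated-versus-single-source argument; this is
not OSVDB code. Feed names, field names, products, URLs and the sample
records below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Record:
    feed: str
    title: str
    product: str
    refs: frozenset[str]  # advisory URLs / list postings the feed cites


# Constructed sample feeds: two flaws, reported by three feeds under different
# titles, product spellings and reference sets.
FEEDS = {
    "feed-a": [
        {"summary": "ExampleHTTPd remote buffer overflow in header parser",
         "product": "ExampleHTTPd 1.2",
         "references": ["https://example.invalid/advisory/EX-2003-01"]},
        {"summary": "ExampleMail auth bypass",
         "product": "ExampleMail 4.0",
         "references": ["https://example.invalid/advisory/EX-2003-02"]},
    ],
    "feed-b": [
        {"name": "Buffer overflow in ExampleHTTPd header handling",
         "affected": "examplehttpd 1.2",
         "urls": ["https://lists.example.invalid/msg/1001",
                  "https://example.invalid/advisory/EX-2003-01/"]},
    ],
    "feed-c": [
        {"name": "ExampleHTTPd overflow (header parser)",
         "affected": " ExampleHTTPd 1.2 ",
         "urls": ["https://lists.example.invalid/msg/1001"]},
        {"name": "ExampleMail authentication bypass",
         "affected": "ExampleMail 4.0",
         "urls": ["https://example.invalid/advisory/EX-2003-02"]},
    ],
}


def normalize(feed: str, raw: dict) -> Record:
    """Map each feed's own field names onto one schema so records are comparable.
    Product strings are case-folded and trimmed; reference URLs lose a trailing
    slash so 'advisory/X' and 'advisory/X/' count as the same reference."""
    title = (raw.get("summary") or raw.get("name") or "").strip()
    product = (raw.get("product") or raw.get("affected") or "").strip().lower()
    raw_refs = raw.get("references") or raw.get("urls") or []
    refs = frozenset(r.strip().rstrip("/") for r in raw_refs)
    return Record(feed, title, product, refs)


def cluster_by_reference(records: list[Record]) -> list[list[Record]]:
    """Union-find over shared references. feed-c's overflow entry cites only
    the list posting, which feed-b ties back to the vendor advisory, so all
    three overflow records land in one cluster even though no single URL is
    common to all of them. Exact-match dedup on one URL would miss that."""
    parent = list(range(len(records)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    owner: dict[str, int] = {}  # reference -> index of first record citing it
    for i, rec in enumerate(records):
        for ref in rec.refs:
            if ref in owner:
                parent[find(i)] = find(owner[ref])
            else:
                owner[ref] = i

    groups: dict[int, list[Record]] = {}
    for i, rec in enumerate(records):
        groups.setdefault(find(i), []).append(rec)
    return list(groups.values())


def merge_feeds(feeds: dict = FEEDS) -> tuple[list[Record], list[dict]]:
    """Return (all normalized records, one merged entry per distinct flaw)."""
    records = [normalize(f, raw) for f, items in feeds.items() for raw in items]
    merged = []
    for group in cluster_by_reference(records):
        merged.append({
            "titles": sorted({r.title for r in group}),
            "product": sorted({r.product for r in group}),
            "refs": sorted(set().union(*(r.refs for r in group))),
            "feeds": sorted({r.feed for r in group}),
        })
    return records, merged


if __name__ == "__main__":
    recs, entries = merge_feeds()
    print(f"{len(recs)} records from {len(FEEDS)} feeds -> {len(entries)} distinct flaws")
    for entry in entries:
        print(entry)
```

Five feed records collapse to two vulnerabilities, but only because references are linked transitively and normalized first; every consumer of a federated set of lists has to redo this work, and each will do it slightly differently, which is the consistency problem a single curated source removes.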
Serious users of any database evaluate its sources and practices before placing trust in its contents. The OSVDB is unbiased and neutral in its practices for accepting, reviewing, and publishing vulnerabilities. Its open acceptance of community input and internal review processes ensure that the vulnerability database is not colored by vendor-related biases. The OSVDB team works hard to ensure that content evenly reflects the actual distribution of vulnerabilities, neither over-exposing nor under-exposing particular operating systems, products, or vendors.
Some have raised concerns that such a comprehensive security database may present potential dangers of its own. This is security's classic "disclosure" problem. Can a vulnerability database help an attacker? It may do so, but it provides a far more significant benefit for defenders. Without much of a stretch, Google can be considered the largest and most detailed vulnerability database in the universe. It operates whether or not other vulnerability lists exist, and provides the ultimate resource for the dedicated attacker. OSVDB catalogs only vulnerabilities that have already been published, so it introduces no additional risk to companies.
Given the breadth of information-security problems affecting businesses and individuals, it is easy to understand that subscribers to security information span a wide range of technical background and skills. At times, some software vendors have been criticized for releasing vulnerability information that lacks the details system administrators need. Others have drawn fire for complex vulnerability reports that confuse home users and non-technical staff. The OSVDB includes both business-level descriptions and technical details for the vulnerabilities in the database. Creating and supplying the proper type of information for the intended audience allows the OSVDB to serve all consumers of vulnerability information.
OSVDB organizers believe that more than one vulnerability database is needed to meet the full variety of community requirements. A major summit meeting in the research community, the 2nd Workshop on Research with Security Vulnerability Databases, stated that "no single proposition satisfies all parties involved" and that the parallel pursuit of different strategies would have the best opportunity for success. The OSVDB intends to fulfill the recognized community requirements for an open, centralized resource.
Through the 501(c)(3) Open Security Foundation (OSF), OSVDB is being operated and maintained to ensure timely import of newly disclosed vulnerabilities. To facilitate long-term development, OSF has partnered with Risk Based Security to develop additional commercial offerings for businesses that need increased access to OSVDB data.
The OSVDB provides an important service for the security community by maintaining and propagating a comprehensive database of security vulnerabilities. The project is already significant to the world security community, and it will increase in importance as its contents grow and as it adds features and services over time.
CERT. 2003. CERT/CC Statistics 1988-2003: Vulnerabilities reported. <http://www.cert.org/stats/cert_stats.html>
Ma L, Mandujano S, Song G, Meunier P. 2001. Sharing Vulnerability Information Using a Taxonomically-Correct, Web-Based Cooperative Database. Lafayette, IN: Purdue University, Center for Education and Research in Information Assurance and Security (CERIAS); 2001 Feb 12. 12 p. <https://www.cerias.purdue.edu/papers/archive/2001-03.pdf>
Meunier PC, Spafford EH. 1999 June. Final Report of the 2nd Workshop on Research with Security Vulnerability Databases; January 1999. West Lafayette, IN: Purdue University.
Schumacher M, Haul C, Hurler M, Buchmann A. 2000. Data Mining in Vulnerability Databases. Darmstadt University of Technology; 2000 March 22. 12 p. <http://www.ito.tu-darmstadt.de/publs/pdf/sdb-dfn-cert-eng.pdf>