
Getting Security Vulnerability Information

Staying abreast of security vulnerability alerts can be a daunting task because there are so many each day. One source I use is Secunia. I'm subscribed to the free mailing list and it provides valuable information each and every day. When milw0rm.com shut its doors (it's back, by the way, and thankfully so), one of my friends on Twitter asked where he could get vulnerability announcements and I pointed him at Secunia. But Secunia is a corporate entity, so that always raises the question of how reliable they are. I think this recent blog post from the folks at the Open Source Vulnerability Database answers that:

VDB Relationships (hugs and bugs)

Here's what was said about Secunia:

OSVDB uses Secunia for one of our feeds to gather information. The two guys we regularly have contact with (CE & TK) lead a bright team that does an incredible amount of work behind the scenes. In case it slipped your attention, Secunia actually validates vulnerabilities before posting them. That means they take the time to install, configure and test a wide range of software based on the word of 3l1t3hax0ry0 that slapped some script tag in software you never heard of, as well as testing enterprise-level software that costs more than OSVDB makes in five years. Behind the scenes, Secunia shares information as they can with others, and there is a good chance you will never see it. If you aren't subscribed to their service as a business, you should be. For those who asked OSVDB for years to have a 'vulnerability alerting' service; you can blame Secunia for us not doing it. They do it a lot better than we could ever hope to.

And in case you're interested in what was said about milw0rm founder str0ke, it was also completely complimentary:

str0ke, that mysterious guy that somehow manages to run milw0rm in his spare time. What may appear to some as a website with user-posted content is actually a horrible burden to maintain. Since the site's inception, str0ke has not just posted the exploits sent in, but he has taken time to sanity check every single one as best he can. What you don't see on that site are dozens (hundreds?) of exploits a month that were sent in but ended up being incorrect (or as OSVDB would label, "myth/fake"). When str0ke was overwhelmed and decided to give up the project, user demand (read: whining & complaints) led him to change his mind and keep it going. Make sure you thank him every so often for his work and know this: milw0rm cannot be replaced as easily as you think. Not to the quality that we have seen from str0ke.

So if you want two good sources of information on security vulnerabilities, check out Secunia and Milw0rm.
K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.
Posted by Steve Jones on 12 August 2009

I use Secunia as well for Database Weekly. However, I wish I could get a more targeted list. I get lots of *nix alerts.

Posted by Jericho (OSVDB) on 12 August 2009

I wrote the material you quoted, and I stand behind it. One thing I should have been more clear on is that while OSVDB does not aim to provide an alerting service like Secunia does, one of our big goals is 'the big picture'. We add vulnerabilities regardless of when they were disclosed, meaning if we find info on a vulnerability from six months (or six years) ago, we will add it. Secunia will largely pass on that because it generally doesn't help with alerting services that focus on new vulnerabilities.

OSVDB differs from Secunia in many ways, namely the level of abstraction of vulnerabilities (we're 1 entry per 1 vuln, they are consolidated as it is much more logical in an alerting service) and the focus of helping admins with platform specific issues (Secunia is all over vendor updates to issues, we merge them into the original entry).

Hopefully you will realize the value each database has and use more than just Secunia and milw0rm (which Secunia monitors heavily), but branch out and use OSVDB and other databases when performing searches. I have blogged about this topic previously, showing examples of where OSVDB has a much more complete history of vulnerabilities in given products as compared to some other VDBs.

Posted by jkouns on 14 August 2009

OSVDB actually has two watch list features within the project. I would agree that the Vendor/Product watch list needs some more work to compare to what you can get using Secunia. I would further suggest that you take a look at the Mailing List Aggregation Watch list. This works well and it is very useful.

The Vendor/Product Watch list

This watchlist will alert you to vulnerabilities for specific products that you subscribe to. Alerts are generated when a vulnerability is updated to include the product and vendor information.

The Mailing List Aggregation Watch list

OSVDB allows you to subscribe to roughly 20 vendor advisory mailing lists. The advisory mailings are sent to OSVDB, we process them, and forward them on to you. That way, rather than managing 20 individual advisory subscriptions, you only need to manage one through OSVDB.
