Vulnerability resources: OSVDB and OVAL
Posted by creining | Filed under Security
The Open Source Vulnerability Database (OSVDB) officially opened for public use a few days ago. It is difficult sometimes being in the security field when trying to piece together all the information from different sources on a single vulnerability. I’ve had good luck with ICAT from NIST which builds upon the CVE dictionary (yes, dictionary not database). I’ll start checking out the OSVDB now on a more regular basis. Relatedly, I recently visited the website again for the Open Vulnerability Assessment Language (OVAL) from MITRE. I had read about OVAL during its infancy and it sounded promising. The purpose of OVAL is to provide “a common language used by security experts to discuss technical details about how to check for the presence of a vulnerability on a computer system”. An interesting and aggressive project which breeds a fairly complicated schema. For example, check out the pseudocode (and accompanying XML/SQL) for a IE 5.5/6 vulnerability. The OVAL project provides a Definition Interpreter for download that will check a host for vulnerabilities using the OVAL definitions; however, there is only a Windows NT/2K .exe available at this time. Much like the OSVDB, OVAL depends on community involvement and support and there does not seem to be too much at this time as there are only 596 definitions. In comparison, the OSVDB has 4647 vulnerabilites in its database.
Comments are closed.