Link dump (with bonus rant)
aaron posted in Uncategorized on November 27th, 2007
Here are a couple of interesting things that I ran across today. The first is a release from Security Compass that allows you to do some XSS/SQL injection testing from a set of Firefox plugins called Exploit-Me. Judging by the information I see on the website (including screenshots, etc.; who doesn’t love screenshots?), it looks like it’s a pretty promising tool.
The second thing I thought I’d note is that the Open Source Vulnerability Database (OSVDB) seems to be doing pretty well. They seem to be keeping up with a lot of the current vulnerabilities, and the database seems to be getting pretty large. One of the coolest features they have is that you can actually download the database directly so you can do raw queries for whatever information you’re looking for. Another thing I saw is that they have a pretty useful custom Google search for vulnerabilities or security information that covers many different vulnerability databases as well as mailing lists, etc.
I have to admit that I sometimes get annoyed with how fractured and incomplete the different vulnerability “databases” are. Between CVE, BID, NVD, Secunia, OSVDB and a bunch of other commercial/government repositories, it can be annoying to do research on this information because of the number of holes in the data. A lot of the data is cross-referenced anyway, so it would be nice to have a comprehensive meta-site (though I’m guessing by the amount of cross-referencing, that’s probably what they’re all trying to do).
<rant>Another annoying related problem I’ve had to deal with lately is with vendor forking/patching of open-source projects. Sometimes it’s difficult, without reading specific patches, to determine whether a vendor really has patched their branch of a given project. Changelogs often don’t reference any of the vuln DBs (despite the issue being a well-known and categorized vulnerability that the upstream provider has referenced and fixed long ago), and the version numbers are often off as well (Red Hat is especially bad about this). OS X is even more difficult when trying to verify that patches are applied downstream, since their release/patching process is more opaque (even though they say they’ll reference CVEs where possible). They’ve had some problems in the past with the network drivers not getting downstream patches until many months after those patches had been available. I guess this is all the price you pay for OS-distribution-sponsored QA of open-source software.</rant>