Nmedia - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Closure of OSVDB: What impact does it have on open source security?

The OSVDB closed down after 10 years due to lack of support from the open source community. Expert Nick Lewis explains the possible effects on the security industry.

The Open Source Vulnerability Database recently closed down after 10 years. The failure was blamed on a lack of support from the open source community as well as the software industry at large. How will this potentially affect open source security? Does the industry need a replacement for the OSVDB?

Often, when a portion of a community takes on the responsibility of monitoring the rest of the community, their efforts are not valued by the community as a whole. Information security has become commercialized over the last 10 years, and many of the open source community projects have struggled, such as OpenSSL did prior to the industry-wide contributions made to its maintenance after the Heartbleed bug was discovered. The Open Source Vulnerability Database (OSVDB) tried for 10 years to monitor the vulnerability disclosure aspects of information security and acted as a resource for tracking vulnerabilities. This provided a vendor-neutral source of vulnerabilities that an enterprise could use to correlate vulnerabilities detected or present in their enterprise that might not have CVE numbers. The goal of the OSVDB was to present accurate and unbiased data on security vulnerabilities.

The impact of OSVDB closing could be that it is now more difficult for enterprises to track vulnerabilities not contained in the more limited CVE database. The CVE Program has responded somewhat by expanding CVE assignment, which could help address some of the concerns that prompted forming the OSVDB. Open source projects and other enterprise projects will be impacted by the need to independently correlate vulnerabilities not represented by CVE numbers. It might also be more difficult for open source vulnerability management systems like OpenVAS to track vulnerabilities.

Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Next Steps

Compare the top vulnerability management products

Learn about the common flaws in open source web applications

Find out three methods of open source security toolkit building

This was last published in September 2016

Dig Deeper on Open source security tools and software