Nmedia - Fotolia
The Open Source Vulnerability Database recently closed down after 10 years. The failure was blamed on a lack of support from the open source community as well as the software industry at large. How will this potentially affect open source security? Does the industry need a replacement for the OSVDB?
Often, when a portion of a community takes on the responsibility of monitoring the rest of the community, their efforts are not valued by the community as a whole. Information security has become commercialized over the last 10 years, and many of the open source community projects have struggled, such as OpenSSL did prior to the industry-wide contributions made to its maintenance after the Heartbleed bug was discovered. The Open Source Vulnerability Database (OSVDB) tried for 10 years to monitor the vulnerability disclosure aspects of information security and acted as a resource for tracking vulnerabilities. This provided a vendor-neutral source of vulnerabilities that an enterprise could use to correlate vulnerabilities detected or present in their enterprise that might not have CVE numbers. The goal of the OSVDB was to present accurate and unbiased data on security vulnerabilities.
The impact of OSVDB closing could be that it is now more difficult for enterprises to track vulnerabilities not contained in the more limited CVE database. The CVE Program has responded somewhat by expanding CVE assignment, which could help address some of the concerns that prompted forming the OSVDB. Open source projects and other enterprise projects will be impacted by the need to independently correlate vulnerabilities not represented by CVE numbers. It might also be more difficult for open source vulnerability management systems like OpenVAS to track vulnerabilities.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Compare the top vulnerability management products
Learn about the common flaws in open source web applications
Find out three methods of open source security toolkit building
Dig Deeper on Open source security tools and software
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading