The Open Source Vulnerability Database recently closed down after 10 years. The failure was blamed on a lack of...
support from the open source community as well as the software industry at large. How will this potentially affect open source security? Does the industry need a replacement for the OSVDB?
Often, when a portion of a community takes on the responsibility of monitoring the rest of the community, their efforts are not valued by the community as a whole. Information security has become commercialized over the last 10 years, and many of the open source community projects have struggled, such as OpenSSL did prior to the industry-wide contributions made to its maintenance after the Heartbleed bug was discovered. The Open Source Vulnerability Database (OSVDB) tried for 10 years to monitor the vulnerability disclosure aspects of information security and acted as a resource for tracking vulnerabilities. This provided a vendor-neutral source of vulnerabilities that an enterprise could use to correlate vulnerabilities detected or present in their enterprise that might not have CVE numbers. The goal of the OSVDB was to present accurate and unbiased data on security vulnerabilities.
The impact of OSVDB closing could be that it is now more difficult for enterprises to track vulnerabilities not contained in the more limited CVE database. The CVE Program has responded somewhat by expanding CVE assignment, which could help address some of the concerns that prompted forming the OSVDB. Open source projects and other enterprise projects will be impacted by the need to independently correlate vulnerabilities not represented by CVE numbers. It might also be more difficult for open source vulnerability management systems like OpenVAS to track vulnerabilities.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Compare the top vulnerability management products
Learn about the common flaws in open source web applications
Find out three methods of open source security toolkit building
Dig Deeper on Open source security tools and software
Related Q&A from Nick Lewis
A new remote access Trojan called UBoatRAT was found spreading via Google services and GitHub. Learn how spotting command-and-control systems can ... Continue Reading
CyberArk researchers created an attack called Golden SAML that uses Mimikatz techniques and applied it to a federated environment. Learn more about ... Continue Reading
The use of botnets to spread Scarab ransomware intensifies the threat for enterprises. Discover the best way to respond to such a threat and protect ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.