
Thread: vulnerabilities db

  1. #1

    vulnerabilities db

    Hi,

    I want to know in what format the vulnerability information is available and from which sources. Some consultant advised me to buy a service from TruSecure, who send feeds with vulnerability information; however, that appears to be a costly solution. What are the alternatives and how do they compare to commercial solutions? If I can get the info from a non-profit group in real time, I want to write a small alert tool on my own.

    Thanks,
    Rich.

  2. #2
    I am sorry, but I am not sure what you are trying to say... Sorry for being ignorant...
    Do you mean, who can offer you a vulnerability assessment for databases free of charge??? {Thread title: vulnerability db. db is usually referred to as short for Databases}...

    Please be more specific about what you want to assess...

    Cheers
    "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts".....Spaf
    Every time I learn a new thing, I discover how ignorant I am.- ... Black Cluster

  3. #3
    "You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn

  4. #4
    I am looking for vulnerability information (such as Bugtraq) linked in the above list. However, I am looking at the following:

    I need to develop a small program that will pull data from online vulnerability databases like bugtraq and do some processing, such as sending alert e-mails to my administrators. Say that I get all the vulnerability information in a CSV file or XML file; then I can parse it and do the next steps in an automated way.

    Thanks,
    Rich.

  5. #5

  6. #6
    I guess that you need to have a look at:

    http://www.securityfocus.com/archive/1

    They offer a very cool RSS XML feed ....

    Does this help?????

    Cheers
    "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts".....Spaf
    Every time I learn a new thing, I discover how ignorant I am.- ... Black Cluster

  7. #7
    Yes and No

    In the RSS feed, we only get a single line of text and a link to the original article. I am unable to get structured vulnerability information.

    Secondly, this is not real time.

  8. #8
    kautilya:

    Welcome to AO! I use multiple sources to do what you are talking about:

    * Use a commercial alert service. I use Symantec's Deep Sight Alert Service and it is great but is expensive: it lists at $4,900 a year, I paid about $4,100. It's a great service as it saves so much time on the analysis and alerting of vulnerabilities. They provide risk numbers - see below for info on what they are based on.

    * ThreatFocus is another commercial alert service and they are less expensive than Symantec's from what I heard, but I haven't tried it. http://www.threatfocus.com

    * Visit websites such as The Internet Storm Center (excellent! http://isc.incidents.org), Security Tracker (http://www.securitytracker.com), Secunia (http://secunia.com).

    I suppose you could devise a script to parse these websites but it would seem like a hell of a lot of work to develop something that provides you with good data. Filtering nightmare I would imagine.

    One thing to keep in mind: just because a vulnerability is announced by someone does not necessarily mean an exploit is out yet. Yeah, I know the time between vuln announce and exploit is shrinking down to practically hours now...that doesn't mean a workable exploit has been made into a worm or virus or is being used.

    And quite frankly...the more I think about it...if you really have a need to know IMMEDIATELY when a vulnerability has been announced...then you are protecting something so important that you should have $5,000 to spend on a commercial service. Either that or dedicate someone to watch the security boards ...and that will cost you more than $5K.

    Just my 2 pennies.

    Symantec Deep Sight Alert Service

    Urgency Rating
    This rates the urgency of the vulnerability on a scale of 0 (low) to 10 (high). It
    implies the priority you should place on fixing or mitigating the vulnerability. It
    is based on the weighted values of Severity, Ease, and Credibility.
    ■ Severity = 65%
    ■ Ease = 20%
    ■ Credibility = 15%
    Note: Credibility is based on a scale of 1 to 6. In order for Credibility to comprise
    15% of Urgency, the Credibility value must be multiplied by 1.667 which makes
    the credibility scale consistent with other ratings based on a scale of 0 (low) to
    10 (high).

    Severity
    This rates how severe a vulnerability is on a scale of 0 (low) to 10 (high). It is
    based on the weighted values of Impact, Availability, Authentication, and
    Remote fields.
    ■ Impact = 55%
    ■ Availability = 10%
    ■ Authentication = 10%
    ■ Remote = 25%

    Impact
    This field rates the impact of a vulnerability on a scale of 0 (low) to 10 (high). The
    numerical value is determined with a formula based on the value of the security
    properties lost, the privilege obtained, and the objects affected. Impact consists
    of three security properties that can be lost:
    ■ Availability (A) - A vulnerability that results in a denial of service
    ■ Confidentiality (C) - A vulnerability that results in the disclosure of
    otherwise protected data
    ■ Integrity (I) - A vulnerability that results in the modification of otherwise
    protected data
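
Added example, not part of any post in this thread: a minimal version of the alert tool discussed above, working only with the title, link and date that an RSS feed provides. The sample feed, the product names, the e-mail addresses and the rule of skipping "Re:" replies are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from email.message import EmailMessage

# Constructed RSS 2.0 sample: titles, links and dates are made up for this example.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <item><title>ExampleFTPd 2.1 remote buffer overflow</title>
        <link>https://lists.example.org/msg/1001</link>
        <pubDate>Mon, 07 Mar 2005 10:00:00 GMT</pubDate></item>
  <item><title>SampleCMS cross-site scripting in search form</title>
        <link>https://lists.example.org/msg/1002</link>
        <pubDate>Mon, 07 Mar 2005 11:30:00 GMT</pubDate></item>
  <item><title>Re: ExampleFTPd 2.1 remote buffer overflow</title>
        <link>https://lists.example.org/msg/1003</link>
        <pubDate>Mon, 07 Mar 2005 12:15:00 GMT</pubDate></item>
</channel></rss>"""

def parse_items(feed_xml):
    """Return one dict per <item>, holding only the fields the feed provides."""
    # For feeds you do not control, the third-party defusedxml package offers
    # defusedxml.ElementTree.fromstring, which rejects entity-expansion payloads.
    root = ET.fromstring(feed_xml)
    return [{"title": (it.findtext("title") or "").strip(),
             "link": (it.findtext("link") or "").strip(),
             "date": (it.findtext("pubDate") or "").strip()}
            for it in root.iter("item")]

def new_matches(items, watchlist, seen_links):
    """Keep unseen items whose title names a watched product; skip 'Re:' replies."""
    hits = []
    for item in items:
        title = item["title"].lower()
        if item["link"] in seen_links or title.startswith("re:"):
            continue
        if any(product.lower() in title for product in watchlist):
            hits.append(item)
            seen_links.add(item["link"])  # remember it so the next poll stays quiet
    return hits

def build_alert(hits, sender, recipients):
    """Build (not send) one digest e-mail; None when there is nothing to report."""
    if not hits:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, ", ".join(recipients)
    msg["Subject"] = f"[vuln-alert] {len(hits)} new item(s) for watched products"
    msg.set_content("\n".join(f"{h['date']}\n{h['title']}\n{h['link']}\n" for h in hits))
    return msg
```

Persisting `seen_links` between runs (a file or small database) is what keeps a polling job from re-sending the same alert; the returned message can be handed to `smtplib.SMTP.send_message`.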
