Penetration Testing mailing list archives
RE: computer/vulnerability database
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Sat, 10 Jan 2009 14:22:22 -0500
It seems like this should be fairly straightforward. Years ago, I worked in FileMaker...I think that would work well and it's pretty cheap. MS Access might be a bit more widely used and of course, both of those options require a Windows box (kind of - Wine probably works). It seems like a helpdesk package would have the computer inventory and "incidents"...perhaps the incidents could be twisted a bit to fit this need. Just one more thing to add to my "to do list" ;)

I was hoping somebody would have some ideas that I could incorporate to get something functional running in an hour or two.

-----Original Message-----
From: John Kinsella [mailto:jlk () thrashyour com]
Sent: Friday, January 09, 2009 2:57 PM
To: Shenk, Jerry A
Cc: pen-test () securityfocus com
Subject: Re: computer/vulnerability database

I wrote most of the vuln reporting module at my last gig. This depends a little on if you're reporting for internal use, or in a consulting role, but here's the things people are interested in, in general:

* Unique identifier for vuln: some sort of 3rd party ID that you can look up to provide specifics about the vuln. Either a CVE ID, OSVDB ID, Bugtraq ID, Secunia, etc.
* When the vuln was detected
* Vuln severity
* Valuation of machine - this plays in with CVSS http://www.first.org/cvss/cvss-guide.html
* Ability to mark a finding a false positive would be handy
* Ability to make notes also would be handy

So, what this leaves you with is 3 tables:

* Machine definition
* Vuln definition
* Link between those two tables

For bonus points, I could see having a 4th table that could allow you to group collections of vuln instances together.

Anybody think there's interest in coming up with a formal spec for this? Just thinking randomly, I could see either a module for Drupal, or some sort of stand-alone vuln tracker package...actually something like that must exist, already?

OSVDB's schema is pretty well done - overkill for what you want, but will get the brain thinking: http://osvdb.org/database_info (NIST's isn't bad, either...)

John

On Jan 9, 2009, at 5:01 AM, Shenk, Jerry A wrote:

Does anybody have any thoughts about a database for an audit to contain current vulnerability issues and subsequent updates? I imagine that it should have at least two tables - one table for computers and another table for vulnerabilities. Obviously, each computer can have multiple vulnerabilities and it would be nice to be able to generate a report for each vulnerability. I also think it would be good to have the ability to note when vulnerabilities are resolved as an additional note.

**DISCLAIMER This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.