Penetration Testing mailing list archives

RE: computer/vulnerability database


From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Sat, 10 Jan 2009 14:22:22 -0500

It seems like this should be fairly straightforward.  Years ago, I
worked in FileMaker...I think that would work well and it's pretty
cheap.  MS Access might be a bit more widely used and of course, both of
those options require a Windows box (kind of - Wine probably works).  It
seems like a helpdesk package would have the computer inventory and
"incidents"...perhaps the incidents could be twisted a bit to fit this
need.  Just one more thing to add to my "to do list" ;)  I was hoping
somebody would have some ideas that I could incorporate to get something
functional running in an hour or two.

-----Original Message-----
From: John Kinsella [mailto:jlk () thrashyour com]
Sent: Friday, January 09, 2009 2:57 PM
To: Shenk, Jerry A
Cc: pen-test () securityfocus com
Subject: Re: computer/vulnerability database

I wrote most of the vuln reporting module at my last gig.  This
depends a little on if you're reporting for internal use, or in a
consulting role, but here's the things people are interested in, in
general:
  * Unique identifier for vuln: some sort of 3rd party ID that you can
look up to provide specifics about the vuln.  Either a CVE ID, OSVDB
ID, Bugtraq ID, Secunia, etc.
  * When the vuln was detected
  * Vuln severity
  * Valuation of machine - this plays in with CVSS
http://www.first.org/cvss/cvss-guide.html
  * Ability to mark a finding a false positive would be handy
  * Ability to make notes also would be handy

So, what this leaves you with is 3 tables:
  * Machine definition
  * Vuln definition
  * Link between those two tables

For bonus points, I could see having a 4th table that could allow you
to group collections of vuln instances together.

Anybody think there's interest in coming up with a formal spec for
this? Just thinking randomly, I could see either a module for Drupal,
or some sort of stand-alone vuln tracker package...actually something
like that must exist, already?

OSVDB's schema is pretty well done - overkill for what you want, but
will get the brain thinking: http://osvdb.org/database_info

(NIST's isn't bad, either...)

John

On Jan 9, 2009, at 5:01 AM, Shenk, Jerry A wrote:

Does anybody have any thoughts about a database for an audit to contain
current vulnerability issues and subsequent updates?

I imagine that it should have at least two tables - one table for
computers and another table for vulnerabilities.  Obviously, each
computer can have multiple vulnerabilities and it would be nice to be
able to generate a report for each vulnerability.  I also think it would
be good to have the ability to note when vulnerabilities are resolved as
an additional note.


**DISCLAIMER
This e-mail message and any files transmitted with it are intended
for the use of the individual or entity to which they are addressed
and may contain information that is privileged, proprietary and
confidential. If you are not the intended recipient, you may not
use, copy or disclose to anyone the message or any information
contained in the message. If you have received this communication in
error, please notify the sender and delete this e-mail message. The
contents do not represent the opinion of D&E except to the extent
that it relates to their official business.




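Added example, not part of the original messages: the three-table layout described in the thread (machines, vulnerability definitions, and a link table of findings) as an SQLite schema with a per-vulnerability report of open findings. Table and column names, the 1-5 valuation scale, the severity-times-valuation ordering and the placeholder identifier CVE-0000-0001 are assumptions made for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE machine (id INTEGER PRIMARY KEY, hostname TEXT NOT NULL UNIQUE,
    valuation INTEGER NOT NULL CHECK (valuation BETWEEN 1 AND 5));  -- assumed 1-5 scale
CREATE TABLE vuln (id INTEGER PRIMARY KEY,
    ref_source TEXT NOT NULL,   -- third-party source: CVE, OSVDB, Bugtraq, Secunia
    ref_id TEXT NOT NULL, severity REAL NOT NULL CHECK (severity BETWEEN 0 AND 10),
    UNIQUE (ref_source, ref_id));
CREATE TABLE finding (          -- link table: one vuln instance on one machine
    id INTEGER PRIMARY KEY,
    machine_id INTEGER NOT NULL REFERENCES machine(id),
    vuln_id INTEGER NOT NULL REFERENCES vuln(id),
    detected_on TEXT NOT NULL,  -- ISO 8601 date
    resolved_on TEXT,           -- NULL while still open
    false_positive INTEGER NOT NULL DEFAULT 0,
    notes TEXT,
    UNIQUE (machine_id, vuln_id, detected_on));
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite leaves FK checks off by default
    db.executescript(SCHEMA)
    return db

def load_sample(db):
    # Constructed rows; CVE-0000-0001 is a placeholder, not a real identifier.
    db.executemany("INSERT INTO machine VALUES (?,?,?)",
        [(1, "web01", 5), (2, "dev02", 2), (3, "lab03", 1), (4, "test04", 3)])
    db.execute("INSERT INTO vuln VALUES (1, 'CVE', 'CVE-0000-0001', 7.5)")
    db.executemany("INSERT INTO finding (machine_id, vuln_id, detected_on,"
        " resolved_on, false_positive, notes) VALUES (?,1,'2009-01-09',?,?,?)",
        [(1, None, 0, None), (2, None, 0, None),
         (3, "2009-01-10", 0, "patched"), (4, None, 1, "scanner misread banner")])

def open_findings(db, ref_source, ref_id):
    """Per-vulnerability report: open, non-false-positive hosts, highest priority first."""
    # priority = severity * valuation is a simplification assumed here, not CVSS scoring
    return db.execute(
        """SELECT m.hostname, f.detected_on, v.severity * m.valuation AS priority
           FROM finding f JOIN machine m ON m.id = f.machine_id
                          JOIN vuln v ON v.id = f.vuln_id
           WHERE v.ref_source = ? AND v.ref_id = ?
             AND f.false_positive = 0 AND f.resolved_on IS NULL
           ORDER BY priority DESC, m.hostname""", (ref_source, ref_id)).fetchall()

if __name__ == "__main__":
    db = open_db(); load_sample(db)
    print(open_findings(db, "CVE", "CVE-0000-0001"))
```

Resolved and false-positive findings stay in the table for history and are only filtered out of the report, so a later rescan can be compared against them.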


