Re: [PEN-TEST] Common Vulverabilities and Exposures (CVE)

[Alfred Huger <ah () SECURITYFOCUS COM>]

On Thu, 8 Mar 2001, c0ncept wrote:

>       I've actually been working on a simialer project -- creating a database of
> advisories, exploits, tools and vendor documentation relavent to security
> and networking. I've been using SQL Server 2000 as the devlopment platform,
> but I'm not using anything SQL Server specific (ie. the structure of the
> database should be easily ported to any RDBMS).
>       The goal of the project to provide all of this information in a way that is
> *easily* searchable for relevent information -- prompted by what I percieve
> as the inadequecy of what currently exsists (sorry security focus, sorry
> packetstorm -- you guys just don't offer enough fields to search, and
> searches have a habit of returning to much noise).
>       Once the database is constructed, It could be used as the back-end of an
> Expert System geared twords security, with an embeddable client that could
> be included in security-auditing programs.
>       So far, it's just been me hacking away on my SQL server whenever I have
> free time; If anybody else would like to help with the project, email me off
> the list, and I'll set up something a little more formal.
>
>       --c0ncept
>       c0ncept () hushmail com

I had planned on avoiding taking part in this thread, however we got
mentioned, so here I go. Most of you probably don't realize how we
generate revenue here because are not terribly in your face about it, in
particular on the lists. Contrary to popular belief we do not pay our rent
off of advertising revenue. We build our revenue around three core
products. First is a configurable alert system for security
vulnerabilities, second is IDS based Intelligence services, ala ARIS for
those of you in the beta and finally with our Vulnerability Database.

The Database which we sell commercially is quite alot differant that that
which lives on our site. The database on the site is as comprehensive as
we can afford it to be given that it's free and provided to the community
on a timely basis. However, the database which we sell is *quite* alot
differant. It contains many more fields as well correlation data between
vulnerabilities and IDS signatures for BlackICE, ICEPac, Snort, Cisco
Secure IDS, RealSecure etc, etc, etc.

Our Vuln Database is also kept up to date 7 days a week and is fed out to
our customer base hourly. Te vulns on the site are actually about one
third of the commercial package and they are also time delayed (on the
website) for between 24 and 36 hours.

Regrettably I do not do it justice as I am not a sales droid, nor am I
predisposed to hyping what I build. If you want the full run down, I would
be happy to provide it off line.

-al