Vulnerability Development mailing list archives
Re: vulnerability database
From: core.lists.exploit-dev () CORE-SDI COM (Iván Arce)
Date: Thu, 17 Feb 2000 16:13:20 -0300
Ben Valenti wrote:
I am in the process of creating a database of vulnerabilities/exploits. I was wondering if anyone, who as attempted such a task, could give me some description of their past experiences. To start, advice/tips on how to effectively structure the schema and where some good sources of
How to structure the schema is directly related to what use you'll make of the db. One thing i'd do no matter what the db will be used for, is to isolate the purely technical information in just a few tables, here im assuming that the db is not containing just vuln/exploit information but other things that relate those to the real world. Its not enough (at least for my use) to know that a vulnerability exists if i dont have precise information of what systems are vulnerable (including hardware, os versions, configuration quirks, etc) and how to correct the problem (patches, workarounds, changes to be made, etc). Also, i'd expect from such a db some metrics on popularity of exploit code and skills needed to exploit it. OTOH, the common usage of a 'risk factor' associated with vulnerabilities makes no sense, the risk and impact is always dependant of the particular characteristics of the organization with the vulnerable systems.
data for DB population can be found. Also, are there any publically available vuln./exp. DB's either provided by commercial businesses or alternative sources?
checkout: http://www.securityfocus.com/vdb http://cve.mitre.org http://xforce.iss.net theres surely others im forgeting about -ivan -- "Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house, It's nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce ==================[ CORE Seguridad de la Informacion S.A. ]========= Iván Arce Presidente PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A email: iarce () core-sdi com http://www.core-sdi.com Pte. Juan D. Peron 315 Piso 4 UF 17 1038 Capital Federal Buenos Aires, Argentina. Tel/Fax : +(54-11) 4331-5402 Casilla de Correos 877 (1000) Correo Central ===================================================================== --- For a personal reply use iarce () core-sdi com
Current thread:
- WINS attack? Bryce Walter (Feb 10)
- Re: WINS attack? Seth R Arnold (Feb 10)
- Re: WINS attack? Blue Boar (Feb 10)
- Re: WINS attack? John Hall (Feb 11)
- IE Java Nicolas Rachinsky (Feb 12)
- Unreal Webserver Adam Boileau (Feb 13)
- Re: Unreal Webserver Arturo (Feb 14)
- vulnerability database Ben Valenti (Feb 16)
- Re: vulnerability database H D Moore (Feb 17)
- Re: vulnerability database Yiorgos Adamopoulos (Feb 17)
- Re: vulnerability database Iván Arce (Feb 17)
- Re: vulnerability database Dragos Ruiu (Feb 17)
- Re: vulnerability database Jay D. Dyson (Feb 17)
- Eudora incoming email affects behavior Thomas Kluegel (Feb 17)
- Re: Eudora incoming email affects behavior Jay D. Dyson (Feb 18)
- Re: Eudora incoming email affects behavior Bluefish (Feb 29)