Re: CVE Information Sources & Scope
I already sent my ratings along with a lot of other feedback to Dave, but should share my scoring (see inline) with the board as well (Dave: Hindsight made me change a couple of the ratings + I added scores for the other suggested sources).

Generally, I believe that VDBs (at least the 2-3 major ones like Secunia, OSVDB, and SecurityFocus) are important resources to monitor as information there will be referenced a lot by other sources. Preferably all vulnerability reports covered by these VDBs should have CVEs assigned.

cheers,
/Carsten

> Government Information Sources
> US-CERT Advisories (aka CERT-CC Advisories) + M
> US-CERT Vulnerability Notes (CERT-CC) + M
> US-CERT Bulletins (aka Cyber-Notes) + N
> DoD IAVAs + I
> NISCC + I
> AUS-CERT + I
> CIAC + I
> CNA Published Information + M (goes for all CNAs)
> Non-CNA Vendor Advisories + M (all major software vendors)
> Suse + M
> Mandriva + I (not that popular anymore)
> HP-UX + M (HP in general)
> SCO + I (not very active anymore)
> AIX + M (IBM in general)
> Cisco IOS + M (Cisco in general)
> Free BSD + M
> Open BSD + M
> Net BSD + N
> Gentoo (Linux) + I (not very active anymore)
> Ubuntu (Linux) + N
>
>
> Mailing Lists & VDBs
> Bugtraq + M
> Vuln-Watch + I
> VulnDev + I
> Full Disclosure + N (from a CVE perspective the noise ratio is too high to consider it "must have" - most relevant info is also sent to bugtraq and if not then it will still be caught by the VDBs and can be spotted there).
> Security Focus + M (I'm a bit between "must have" and "nice to have" since the publicly available info doesn't really provide anything not already available from Secunia and OSVDB; leaning towards "must have" as some still seem to find it useful).
> Security Tracker + I
> OSVDB + M (focuses a lot on covering "everything" including unstable software (not covered by Secunia) and old, historic issues that do not affect later version (partially covered by Secunia) - it's, therefore, a nice complement to Secunia).
> ISS X-Force + N (primarily due to their coverage of IBM vulnerabilities)
> FRSIRT/VUPEN + I (pretty much dead, random coverage, and provides no info not already available elsewhere (just links to various resources now))
> Secunia + M (obviously! ;-) Our verification process daily results in extra details being added to advisories not available in the original vulnerability reports. Secunia is also a CNA (CVEs are assigned for internally discovered vulnerabilities and vulnerabilities coordinated on behalf of external researchers) and original source of a lot of vulnerability reports[1]).

[1]: http://secunia.com/community/research/

> Packet Storm + N (most of it is available on exploit-db.com, which I personally find to be a better source)
> Exploit-DB.com + M
> SecuriTeam + I
> SANS Mailing List (Qualys) + I
> Neohapsis (Security Threat Watch) + I
> Metasploit + I (great project but not that useful from a CVE perspective as it's seldom an original source)
> Snort + I
> Contagiodump.blogspot.com + N
> Oss-security + M
> Additions....
> APSA / APSB - Adobe + M
> ZDI + N (original source for a lot of reports, but information will also be available e.g. on monitored mailing lists)
> MSVR - Microsoft Vulnerability Research Advisories + N
> iDefense + N
> VMSA (Vmware Security Advisories) + M
> CNVD (China National Vulnerability Database) + N
> JVN + N

--
Med venlig hilsen / Kind regards

Carsten H. Eiram
Chief Security Specialist

Follow us on twitter
http://twitter.com/secunia
http://twitter.com/carsteneiram

Secunia
Mikado House
Rued Langgaards Vej 8
2300 Copenhagen S
Denmark

Phone +45 7020 5144
Fax +45 7020 5145