RE: Sources: Full and Partial Coverage
On Wed, 9 May 2012, Williams, James K wrote:

: A few comments:
:
: 1) ISS X-Force database - I have not found this to be particularly useful for general vuln discovery/research. I guess it is a good source for IBM-related vulns.

X-Force is not IBM-centric at all. They are a general tracking database like BID or OSVDB. Over the last ten years, I have found them to be pretty comprehensive, certainly a bit more so than BID.

: Some more techs to consider for Full/Selective coverage:
:
: 5) Many other ASF projects, such as: Axis, Axis2, Tomcat, Xerces-C/J, Struts, various Commons projects, etc

Figuring out that exact list will be fun. They have a large number of projects. OSVDB spent time scouring their bug tracker to pull out vulnerabilities a few years ago as well, with interesting results.

: 6) Crypto algorithms/standards: Rijndael, DES, MD5, AES, 3DES, SHA, etc

* With few exceptions, I don't believe any VDB other than OSVDB tracks these out of habit.

: 9) AV software - all popular brands. Published research is often incomplete and fails to test/list all potentially affected vendors. Detection evasion issues are debatable for CVE coverage.

* Move this beyond AV software as a category, to "security software". That will make the list messier and harder to track, but equally important I believe to track vulnerabilities in home security products like firewalls, anti-malware, anti-virus, web filtering software, etc.