Slashdot Mirror


OWASP's VulnXML Database

Ingo Struck writes "The Open Web Application Security Project released the VulnXML db for early access to the public. VulnXML is a description of static known vulnerabilities. It provides all necessary information to let an execution engine automatically craft and launch appropriate HTTP, SOAP or WebDAV requests and analyse the response whether the attack had success. Besides it provides some human readable classification of the described vulnerability. A tool to execute VulnXML records is currently being developed and will help developers to check their web applications against a suite of well-known vulnerabilities described in a portable format."

5 of 68 comments

  1. Double-edged Sword? by melete · Score: 4, Interesting

    As always, it sounds like this is a double-edged sword -- won't this give script-kiddies a new engine for quickly scanning for possibly vulnerable targets?

    Not that I'm saying this is a bad thing -- it's just one more tool that security professionals will have to use to stay ahead of the competition.

    1. Re:Double-edged Sword? by TrekkieGod · Score: 2, Interesting

      You're right, this will help script-kiddies attack computers of the non-security conscious more easily, I suppose.

      However, if you care at all about security, it's also going to make it really easy for you to fix any possible problems. Consider the situation as it is now: You protect yourself against all vulnerabilities you know about, and suffer the chances of a cracker finding out that you have a vulnerability in something that you weren't informed of.

      Now consider having a central database with all known vulnerabilities, and a tool that uses that database to verify that you are secure against everything in the database. If the admin uses that tool, he's secure against every known vulnerability, and yes, those who don't have a higher chance of getting screwed. However, if you are serious about securing your systems, the only way you get in trouble is by an attack using an unknown vulnerability. The moment someone discovers that, that person will either a) include it in the database or b) use it, and then in the process make said vulnerability known.

      And yeah, that was a really convoluted way of explaining my thoughts... it's unfortunate that my thinking process is so damn warped.

      --

      Warning: Opinions known to be heavily biased.

  2. Sysadmins? by SHEENmaster · Score: 5, Interesting

    This could also be used to create a "Super" Nessus. Remember that script kiddies and system administrators both use such tools. I think that in the long run, it will help the latter more.

    --
    You can't judge a book by the way it wears its hair.

  3. MITRE's OVAL and OpenSec by Anonymous Coward · Score: 2, Interesting

    For those interested in open standards for vulnerability assessment, you should check out the Open Vulnerability Assessment Language (OVAL - http://oval.mitre.org/). OVAL provides assessments that DO NOT PERFORM THE ACTUAL EXPLOIT but rather specify logical conditions on the values of system characteristics and configuration attributes to characterize which systems are susceptible to a given vulnerability.

    The assessments use SQL syntax but there is an XML version coming soon.

    The Open Security Project (OpenSec - http://www.opensec.org/) is also developing a similar standard. The Advisory and Notification Markup Language (ANML - http://www.opensec.org/anml/) is not only working on assessment but an entire advisory format in XML.

  4. Re:XML oversold IMO by istr · Score: 2, Interesting

    I agree to a certain extent.
    In fact XML is just a serialization format. Alas, a format with lots of unnecessary overhead. :o(
    The decision for using XML maybe was based upon its "popularity" - I don't remember...
    Fortunately the serialization format can be switched within seconds to something with less overhead (since we use the OCL with a generic serialization mechanism). So it is very easy to provide the good ol' properties format instantaneously.
    IMO, for VulnXML's duty some relational format is clearly overdone. A "path-based" / "navigational" format has great advantages regarding performance and flexibility (not only in this case).

    So - think of XML only to be a serialization form; the description itself is "path-based" deliberately, since it is
    • faster
    • more extensible
    • easier to extend and to store