August 2, 2002 9:32 AM PDT
Security pros create resource on flaws
The Internetworked Security Information Service (ISIS) brings together four independent projects--the Open Source Vulnerability Database, the Alldas.de defacement-tracking service, the PacketStorm software database and the vulnerability watchdog VulnWatch--into a loosely organized collaboration.
"There are a lot of commercial organizations that put out this type of information for free, but will it always be that way?" said Chris Wysopal, director of research and development for security company @Stake. "We are calling the project 'open source' because the information in it will be open and free."
The announcement was made here Thursday at the Black Hat Security Briefings, an industry conference dedicated to current trends in attacks and software vulnerabilities.
The move comes a week after Symantec acquired the security community's most popular spot to talk about software flaws, the Bugtraq mailing list, when it bought the list's owner, SecurityFocus.
Stephanie Fohn, the outgoing president of SecurityFocus, called the move "positive," adding that "anything that provides more resources for the community is a good thing."
While representatives of the new initiative avoided pointing the finger at the purchase as the impetus for the alliance, they did emphasize that companies would not be allowed to take an active role in the group.
"We are never going to sell anything," said Steve Manzuik, moderator for the VulnWatch mailing list. "Vendors can use us if they want to, but commercial interests are never going to be part of ISIS."
VulnWatch has its own list for posting information about flaws and will now add a second list, VulnDiscuss, to allow security experts and hackers to discuss details of a certain vulnerability.
PacketStorm will provide access to security and hacking tools as well as software exploits for the ISIS initiative, while Alldas.de will continue its database of defacement incidents. The Open Source Vulnerability Database will keep information on software flaws that anyone will be able to copy and post on their own site.
On Wednesday, the U.S. presidential special adviser for cybersecurity, Richard Clarke, spoke in support of taking software makers to task for shoddy software.
"We should not just assume that the companies that produce the software are going to find the vulnerabilities for us," he said. "Some of us have an obligation to find the vulnerabilities."
Clarke lambasted the software industry, Internet service providers, and wireless equipment makers and users, among other groups, for leaving the United States vulnerable to Internet attack.
He did stress, however, that those who find holes in software should not treat them lightly. "It is not the responsible thing to do, when you find a vulnerability, to let the entire world know about it before a patch is available," he said.