RE: Sources: Full and Partial Coverage
On Wed, 9 May 2012, Williams, James K wrote:
: A few comments:
: 1) ISS X-Force database - I have not found this to be particularly useful for general vuln discovery/research. I guess it is a good source for IBM-related vulns.
X-Force is not IBM-centric at all. They are a general tracking database
like BID or OSVDB. Over the last ten years, I have found them to be pretty
comprehensive, certainly a bit more so than BID.
: Some more techs to consider for Full/Selective coverage:
: 5) Many other ASF projects, such as: Axis, Axis2, Tomcat, Xerces-C/J, Struts, various Commons projects, etc
Figuring out that exact list will be fun. They have a large number of
projects. OSVDB spent time scouring their bug tracker to pull out
vulnerabilities a few years ago as well, with interesting results.
: 6) Crypto algorithms/standards: Rijndael, DES, MD5, AES, 3DES, SHA, etc *
With few exceptions, I don't believe any VDB other than OSVDB tracks these
out of habit.
: 9) AV software - all popular brands. Published research is often incomplete and fails to test/list all potentially affected vendors. Detection evasion issues are debatable for CVE coverage. *
Move this beyond AV software as a category, to "security software". That
will make the list messier and harder to track, but I believe it is equally
important to track vulnerabilities in home security products like firewalls,
anti-malware, anti-virus, web filtering software, etc.