ZDNet UK


ISIS to provide 'open source' security information

Published: 05 Aug 2002 10:35 BST


A broad group of hackers and security experts have banded together to create a new service that assembles information on vulnerabilities, security tools and bug-related discussions.

The Internetworked Security Information Service (ISIS) brings together four independent projects -- the Open Source Vulnerability Database, the Alldas.de defacement-tracking service, the PacketStorm software database and the vulnerability watchdog VulnWatch -- into a loosely organised collaboration.

"There are a lot of commercial organisations that put out this type of information for free, but will it always be that way?" said Chris Wysopal, director of research and development for security company @Stake. "We are calling the project 'open source' because the information in it will be open and free."

The announcement was made in Las Vegas on Thursday at the Black Hat Security Briefings, an industry conference dedicated to current trends in attacks and software vulnerabilities.

The move comes a week after Symantec acquired the security community's most popular spot to talk about software flaws, the Bugtraq mailing list, when it bought the list's owner, SecurityFocus.

Stephanie Fohn, the outgoing president of SecurityFocus, called the move "positive," adding that "anything that provides more resources for the community is a good thing."

While representatives of the new initiative avoided pointing the finger at the purchase as the impetus for the alliance, they did emphasise that companies would not be allowed to take an active role in the group.

"We are never going to sell anything," said Steve Manzuik, moderator for the VulnWatch mailing list. "Vendors can use us if they want to, but commercial interests are never going to be part of ISIS."

VulnWatch has its own list for posting information about flaws and will now add a second list, VulnDiscuss, to allow security experts and hackers to discuss details of a certain vulnerability.

PacketStorm will provide access to security and hacking tools as well as software exploits for the ISIS initiative, while Alldas.de will continue its database of defacement incidents. The Open Source Vulnerability Database will keep information on software flaws that anyone will be able to copy and put on their site.

On Wednesday, the US presidential special adviser for cybersecurity, Richard Clarke, spoke in support of taking software makers to task for shoddy software.

"We should not just assume that the companies that produce the software are going to find the vulnerabilities for us," he said. "Some of us have an obligation to find the vulnerabilities."

Clarke lambasted the software industry, Internet service providers, and wireless equipment makers and users, among other groups, for leaving the United States vulnerable to Internet attack.

He did stress, however, that those who find holes in software should not treat them lightly. "It is not the responsible thing to do, when you find a vulnerability, to let the entire world know about it before a patch is available," he said.

Robert Lemos reported from Las Vegas.

