
| Subject: | Re: [Full-disclosure] RE: Why Vulnerability Databases can't do everything |
|---|---|
| Date: | Sat, 16 Jul 2005 19:31:31 -0400 (EDT) |
: So I think that there should be a government agency that coordinates
: this shit

: I call for federal government intervention. Microsoft has abused all of
: us for the last time. I have a list of a dozen bugs in Microsoft Access;
: and I know of one bug in SQL Server that those cornholers just won't fix.
: I mean-- SQL AUTHENTICATION IS IMPOSSIBLE TO SECURE. RIGHT?

This is good in theory, bad in practice (historically). Consider that we already have government coordination for vulnerabilities. In fact, did you know we have it half a dozen times over?

CERT
The CERT/CC is funded primarily by the U.S. Department of Defense and the Department of Homeland Security, along with a number of other federal civil agencies. Other funding comes from the private sector. As part of the Software Engineering Institute, we receive some funds from the primary sponsor of the SEI, the Office of the Under Secretary of Defense for Acquisition and Technology.

CIAC
U.S. Department of Energy (DOE) funded

CVE
CVE is sponsored by the National Cyber Security Division (NCSD) at the U.S. Department of Homeland Security. US-CERT is the operational arm of the NCSD.

ICAT
ICAT is maintained by the National Institute of Standards and Technology.

US-CERT
US-CERT is part of the Department of Homeland Security

Little overlap? You bet there is. DHS is spending money on two of the five listed above, which are just the biggest and most well known. There are other incident response teams for other government agencies, some of which maintain their own vulnerability databases.

Consolidation? Has there been any effort made to consolidate these? Not that I have heard of, but there might have been (and it got nowhere).

So the U.S. government clearly sees a need for this type of activity, it's just that it has not been implemented that well and there has been relatively little coordination between the agencies and sources of funding.
Imagine one database being funded by and worked on all of the people/agencies above.