
RE: Sources: Full and Partial Coverage
On Wed, 9 May 2012, Williams, James K wrote:

: A few comments:
: 
: 1) ISS X-Force database - I have not found this to be particularly useful for general vuln discovery/research. I guess it is a good source for IBM-related vulns.

X-Force is not IBM-centric at all. They are a general tracking database 
like BID or OSVDB. Over the last ten years, I have found them to be pretty 
comprehensive, certainly a bit more so than BID.

: Some more techs to consider for Full/Selective coverage:
: 5) Many other ASF projects, such as: Axis, Axis2, Tomcat, Xerces-C/J, Struts, various Commons projects, etc

Figuring out that exact list will be fun. They have a large number of 
projects. OSVDB spent time scouring their bug tracker to pull out 
vulnerabilities a few years ago as well, with interesting results.

: 6) Crypto algorithms/standards:  Rijndael, DES, MD5, AES, 3DES, SHA, etc *

With few exceptions, I don't believe any VDB other than OSVDB tracks these 
out of habit. 

: 9) AV software - all popular brands. Published research is often incomplete and fails to test/list all potentially affected vendors. Detection evasion issues are debatable for CVE coverage. *

Move this beyond AV software as a category, to "security software". That 
will make the list messier and harder to track, but equally important I 
believe to track vulnerabilities in home security products like firewalls, 
anti-malware, anti-virus, web filtering software, etc.


Page Last Updated or Reviewed: November 06, 2012