[OSVDB-discuss] OSVDB GSoC 2008 Project Ideas
jkouns
jkouns at opensecurityfoundation.org
Tue Mar 4 20:10:56 CST 2008
OSVDB GSoC 2008 Project Ideas
Google Summer of Code 2008 is officially on. Full details at
http://code.google.com/soc/2008/
OSVDB has submitted an application but has not yet been accepted. With
our Summer of Code project work, we hope to build off the release of
OSVDB 2.0 and develop new enhancements to OSVDB’s public services. Here
is this year’s list of ideas/important projects; however, we are open to
proposals for other projects and ideas.
OSVDB Port Listing Project - Preferred language is Ruby on Rails
We are looking to create a project that will be a central repository for
all known ports and protocols. This will be the foundation of many new
features such as referencing ports/protocols to OSVDB IDs. This will
then allow OSVDB vulnerabilities to be better mapped to firewall rules,
IDS alerts and potential integrations to other security projects such as
NMAP.
-This project should detail all well known/default/registered ports
-This project must have an automated feature that can import port
information from iana.org as a baseline
(http://www.iana.org/assignments/port-numbers)
-This project must allow users to submit updates/edits wiki style
-This project needs to include fields for necessary tracking including:
Keywords, Number, Transport (TCP, UDP, ICMP, etc), Application, Links,
Description
OSVDB Training Portal Framework - Preferred language is Ruby on Rails
This project is to create a flexible framework that can provide training
on security issues. OSVDB is looking to not only provide information on
vulnerabilities but be a repository for training information that will
help educate end users on how to avoid security risks and developers on
how to avoid coding insecure applications.
-This project must be able to integrate with the existing OSVDB portal
-This project must have an interface that allows users to create their
own training material
-This project must have an interface that allows users to create their
own training quizzes
-This project must have an interface to provide reports and track the
results.
-A user needs to be able to create a custom quiz or select from a list
of OSVDB published quizzes.
-A user needs to be able to send a quiz to multiple people by inputting
email addresses.
-The system will track the quiz and results based on the emails that are
sent via the training portal.
-This project should allow users to provide comments and coaching
information in a wiki style to help educate
-The project will ultimately cross reference OSVDB IDs: For example:
when a user is viewing a specific vulnerability it will allow them to
then take a training course and a quiz to test their knowledge
OSVDB Personal Edition Phase II - Preferred language is Ruby on Rails
We released the OSVDB Personal Edition and it is a very small Ruby on
Rails application that utilizes the SQLite database export to give you
your own, albeit relatively feature-less, local OSVDB instance. This
project is intended to take the OSVDB Personal Edition to the next level.
-This project will provide improvements and a seamless installation package
-This project will include new search features
-This project will include new features defined by you!
OSVDB Widgets and Gadgets - Preferred language is open for discussion!
OSVDB has a very strong online feature set but a user needs to be logged
in to use the services. This project is intended to utilize the OSVDB as
the main data source but should be a security dashboard for professionals.
-Gadgets and Widgets should work for OSX and/or Vista
-Should provide security news updates from multiple sources
-Should provide alerts when new alerts from vendors are released
-Should provide alerts for new vulnerabilities added to the OSVDB database
-Should provide search capabilities for OSVDB
-Must be able to support OSVDB API functionality
OSVDB Statistics Project - Preferred language is Ruby on Rails
This project is to create a flexible framework that can provide useful
statistics on vulnerabilities from OSVDB. This project should take into
consideration all of the fields and classifications in OSVDB.
-Should create and generate standard/most popular graphs and charts each
day and make available
-Should create statistics that allows very flexible/detailed stats to be
dynamically generated on demand by user
-Some examples of statistics required:
-# Vulns based on Disclosure Year
-Detailed stats based on each vuln classification options (ALL OPTIONS)
-# of vulns by Vendor
-# of vulns by Product
-# of vulns that do not have a solution (and by vendor)
-Time from when a vuln was discovered and then disclosed
-Create stats application that allows user to dynamically generate stats
based on their own requirements.
-Trend the number of vulns released per day
OSVDB Vulnerability Visual Mapping - Preferred language is open for
discussion!
This project is to create a visual mapping of all vulnerabilities in
OSVDB. This will allow users to visually search the database and also to
see the relationships between vulnerabilities. Have you ever seen music
plasma (http://www.musicplasma.com/)? This could be pretty challenging
but we have been wanting to see this project done for a long time! Read
more here: http://osvdb.org/blog/?p=39
Vulnerability and Patch Management Portal - Preferred language is Ruby
on Rails
This project is to create a flexible framework that can provide
organizations the ability to track and manage vulnerabilities and
patches. OSVDB is looking to not only provide information on
vulnerabilities but be a service that can provide security professionals
a way to track and ensure that vulnerabilities have been addressed at
their organization.
-This project must be able to integrate with the existing OSVDB portal
-Should allow users to manage the life cycle of vulns and patches
-Should allow the user to select vulnerabilities or patches based
on OSVDB watchlist
-Should create a lifecycle that will alert a user when a new
vulnerability or patch is released and goes into the portal
-User then can track their organization's progress including: Research,
Test, Implementation, Closure
-The project should allow an organization to show compliance with
vulnerabilities and patches
Vulnerability Cross References and Scraper - Preferred language is Ruby
on Rails and open for discussion!
OSVDB is a project that aims to have as many references to
vulnerabilities as possible. Unfortunately, in most cases volunteers
have to search by hand to find more information to add to an entry. The
goal of this project is to create a module that can search multiple
security resources and cross reference OSVDB entries to other resources.
-Cross reference OSVDB IDs and provide references that are missing
-Search the following (all external references OSVDB uses) for a string:
Bugtraq, Bugtraq Mailing List, CVE, Full-Disclosure Mailing List, ISS
X-Force, Nessus, OSVDB, Packetstorm, Secunia, Securiteam, Security
Tracker, Snort
-Search the resources based on user supplied check boxes for
refined/targeted searches
-Offer simple search, pull back just a summary of findings
-Offer recursive search for some sites. If the entry at another site
(for example CVE) is known then it should be an option to pull back all
of the other references in that entry as well
-Should be a framework that allows new security sites to be added when
they become available
-Should run once a night and look at all entries (even old ones) to see
if there are more references that can be added.
-There should be some kind of approval process or a quick way that we
can automatically add the references to the appropriate IDs.
New security project? New security scanner? New OSVDB feature? -
Preferred language is open for discussion!
-Have an idea for a new security scanning tool?
-Have an idea for a new feature that is missing from OSVDB?
-Have an idea that can use information from our web scanning database?
-Have an idea for a security scanner that searches a local server for
vulnerable scripts?