ietf

Suggestion for Automated Security Information

2000-03-09 16:10:02
This is just to "put the feelers out" with regards to security bug fixes
/ alerts / workarounds and the automation of receiving this type of
information.

Given any heterogeneous environment, platform or network, an
administrator/security professional often needs to keep track of
multiple OS bug lists.  In addition to these lists, there are a number
of applications running on these OS's whose lists must also be monitored
for security alerts and fixes.  A primary concern in the security field
is that as soon as a fix is identified, or a vulnerability is
identified, it is more than likely that it is already being exploited.
Any further delay in fixing the problem, patching your OS for example
only increases the vulnerability of your environment.

My suggestion is to create an Internet Database where vendors /
Emergency Response Teams, may put information in a SPECIFIC format
regarding security alerts etc.

Each vendor could be issued with a bit pattern representing them, and
they may then implement their own bit pattern representing their various
products.  Then when an alert / fix or whatever becomes available they
enter details into this database, using both the vendor and product
pattern.  The two patterns combined would uniquely identify a product.

The overall effect would enable automation to be written that could
query this database ( perhaps simple SQL ) and inform you when one of
the products that you manage has a defect of some sort.  Further, it
could be extended to download the fixes identified, even install them.

Of course there are security considerations in any venture such as
this.  For example, each entry in the database would have to be
digitally signed to avoid unscrupulous people from adding false
information, or trojan "fixes" for example.  Assignment of vendor ID's
should be managed centrally, like IANA did for example.

This is only the tip of the iceberg of possibilities and ideas, but I
would love to know what others think about this...... together the net
can be a safe place.  Monitoring your emails because you subscribed to
70 different bug-traq esque lists is OK, but an automated alerting
system ( as this could easily become ) would be less infallible ( hmm is
that even a proper sentence? )  I nickname this 'CRAAB' - Common
Repository for Advisories/Alerts and Bulletins

Anyway - what do you think....

Garreth J Jeremiah.
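
The consumer side of the scheme proposed in this message, as an added example that is not part of the original post: an entry is acted on only if its signature verifies under the key registered for its vendor ID and its (vendor, product) pair is in the local inventory. The record layout, the 16-bit identifier widths, the choice of Ed25519 and every name below are assumptions; the message specifies none of them.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Advisory is a hypothetical record layout; the message defines no format.
type Advisory struct {
	VendorID  uint16 // centrally assigned vendor pattern (width assumed)
	ProductID uint16 // vendor-assigned product pattern (width assumed)
	Text      string
	Sig       []byte // vendor signature over signedBytes(a)
}

// signedBytes binds both identifiers (big-endian) and the text into one message.
func signedBytes(a Advisory) []byte {
	b := []byte{byte(a.VendorID >> 8), byte(a.VendorID), byte(a.ProductID >> 8), byte(a.ProductID)}
	return append(b, a.Text...)
}

// Relevant keeps entries that are authentic and that name a product we run.
func Relevant(feed []Advisory, keys map[uint16]ed25519.PublicKey, inv map[[2]uint16]bool) []Advisory {
	var out []Advisory
	for _, a := range feed {
		pub, ok := keys[a.VendorID]
		// Drop unknown vendors, forged or altered entries, and other products.
		if ok && ed25519.Verify(pub, signedBytes(a), a.Sig) && inv[[2]uint16{a.VendorID, a.ProductID}] {
			out = append(out, a)
		}
	}
	return out
}

// Demo filters a constructed feed: genuine, altered text, product not in inventory.
func Demo() []Advisory {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed sample vendor key
	mk := func(p uint16, t string) Advisory {
		a := Advisory{VendorID: 7, ProductID: p, Text: t}
		a.Sig = ed25519.Sign(priv, signedBytes(a))
		return a
	}
	good, other := mk(42, "sample advisory"), mk(43, "other product")
	forged := Advisory{VendorID: 7, ProductID: 42, Text: "sample trojan fix", Sig: good.Sig}
	return Relevant([]Advisory{good, forged, other},
		map[uint16]ed25519.PublicKey{7: pub}, map[[2]uint16]bool{{7, 42}: true})
}

func main() { fmt.Println(len(Demo())) } // prints 1
```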
