1.2.1 Track security bulletins
Knowing where your database environment is vulnerable and what patches are available to remediate those security problems is one of the most useful things you can do. This does not necessarily mean that you must go through a patching process for every published alert (nor does it mean that the vendor releases a hotfix for every vulnerability). However, you should always be aware of security issues, and you need to know when a vulnerability actually applies to your environment: which product, which version, and which platform or configuration the advisory covers.
Several Web sites track security vulnerabilities, alerts, and advisories, including vulnerabilities in database products. The various sites largely mirror each other in content: when a security alert is posted on one, it is normally available on the others as well. Major security vendors also post security alerts as a service to their customers (and to promote themselves). Preferences vary, but the following sites are a good starting point:
www.cert.org: Established in 1988, the CERT Coordination Center (CERT/CC) is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
cve.mitre.org: Common Vulnerabilities and Exposures (CVE) is a list of standardized names for publicly known vulnerabilities and other information security exposures, built as a community effort. The content of CVE is the result of a collaborative effort of the CVE Editorial Board, which includes representatives from numerous security-related organizations (security tool vendors, academic institutions, and government) as well as other prominent security experts. The MITRE Corporation maintains CVE and moderates Editorial Board discussions. CVE is not a database; it is a list. Its goal is to make it easier to share data across separate vulnerability databases and security tools, which is why vendors usually map their own advisory IDs to a CVE number. At the time of writing these numbers have a format similar to CAN-2003-0058 or CVE-2001-0001, the first being a candidate and the second an entry accepted and cataloged into CVE. (MITRE retired the CAN- prefix in 2005, so every identifier now begins with CVE- regardless of its status, and since 2014 the sequence number after the year may be longer than four digits; anything that parses these identifiers should accept both the old and the new forms.)
www.securityfocus.com/bid: A vendor-neutral site that provides objective, timely, and comprehensive security information to all members
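The CVE naming scheme described under cve.mitre.org is what lets you correlate a vendor's own advisory numbers with the entries the other trackers publish, and the point of the whole section is deciding whether a given alert applies to what you actually run. The following Python script is an added example, not code from the book: it extracts CAN-/CVE- identifiers from advisory text, normalizes the retired CAN- prefix to CVE- so a candidate and its accepted entry collapse to one name, accepts the longer post-2014 sequence numbers, and then checks a list of advisories against an inventory of installed product versions. The vendor IDs (DBX-2003-07, DBX-2003-09), product names (dbx-server, dbx-client), version ranges, and the long-form identifier CVE-2019-123456 are constructed for illustration; only CAN-2003-0058 and CVE-2001-0001 come from the text.

```python
"""Normalize CVE identifiers in vendor advisories and check applicability.

Added example for this section, not code from the book. The advisory text,
vendor IDs, product names and version ranges below are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# CAN-YYYY-NNNN (candidate, prefix retired in 2005) or CVE-YYYY-NNNN.
# The sequence part must be at least four digits; IDs issued since 2014
# may carry five or more, so the regex does not cap its length.
_CVE_RE = re.compile(r"\b(CAN|CVE)-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def parse_cve_ids(text: str) -> List[Dict[str, object]]:
    """Return each distinct CVE reference in text, in order of first appearance.

    CAN- identifiers are normalized to the CVE- form so that a candidate and
    its later accepted entry collapse to one name; the original status is
    kept in the 'candidate' flag.
    """
    seen = set()
    found = []
    for match in _CVE_RE.finditer(text):
        prefix, year, seq = match.groups()
        canonical = f"CVE-{year}-{seq}"
        if canonical in seen:
            continue
        seen.add(canonical)
        found.append({
            "id": canonical,
            "year": int(year),
            "sequence": int(seq),
            "candidate": prefix.upper() == "CAN",
        })
    return found


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '9.2.0' into (9, 2, 0) for ordered comparison.

    A component with a non-numeric suffix such as '1a' contributes its
    leading digits; a component with no digits at all counts as 0.
    """
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def applicable_advisories(advisories, inventory: Dict[str, str]):
    """Return (vendor_id, [cve ids]) for each advisory that hits the inventory.

    advisories: list of dicts with 'vendor_id', 'text' and 'affected', where
    'affected' maps a product name to an inclusive (low, high) version range.
    inventory: product name -> installed version string.
    """
    hits = []
    for adv in advisories:
        for product, (low, high) in adv["affected"].items():
            installed = inventory.get(product)
            if installed is None:
                continue  # product not deployed here, advisory cannot apply
            if version_tuple(low) <= version_tuple(installed) <= version_tuple(high):
                cves = [ref["id"] for ref in parse_cve_ids(adv["text"])]
                hits.append((adv["vendor_id"], cves))
                break  # one affected product is enough to flag the advisory
    return hits


# Constructed sample advisory text; DBX-2003-07 is a hypothetical vendor ID.
SAMPLE_TEXT = """
Vendor alert DBX-2003-07: listener buffer overflow.
Tracked as CAN-2003-0058; related to CVE-2001-0001.
Later accepted as CVE-2003-0058. Long-form reference: cve-2019-123456.
"""

# Constructed advisories and inventory; product names are hypothetical.
SAMPLE_ADVISORIES = [
    {"vendor_id": "DBX-2003-07", "text": SAMPLE_TEXT,
     "affected": {"dbx-server": ("8.1.7", "9.2.0")}},
    {"vendor_id": "DBX-2003-09", "text": "Client library issue, CVE-2001-0001.",
     "affected": {"dbx-client": ("1.0", "2.0")}},
]
SAMPLE_INVENTORY = {"dbx-server": "9.0.1", "dbx-client": "3.1"}

if __name__ == "__main__":
    for ref in parse_cve_ids(SAMPLE_TEXT):
        print(ref)
    for vendor_id, cves in applicable_advisories(SAMPLE_ADVISORIES, SAMPLE_INVENTORY):
        print(f"{vendor_id} applies to this environment: {', '.join(cves)}")
```

Run against the sample data, only DBX-2003-07 is reported, because the installed dbx-server 9.0.1 falls inside the advisory's 8.1.7 to 9.2.0 range while dbx-client 3.1 is above the range for DBX-2003-09. The dedup step is what makes the candidate/entry distinction harmless: CAN-2003-0058 and CVE-2003-0058 in the same alert are counted once. Real vendor advisories describe affected versions far less regularly than this inclusive range does (patch levels, platform-specific builds, "and earlier"), so treat the version comparison as the part you will have to adapt per vendor.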