Something is not right: comprehensive databases of known FOSS software vulnerabilities are mostly proprietary and privately maintained. Why couldn't these be open data instead? They are, after all, about FOSS code.
“Using Components with Known Vulnerabilities” is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structures and tools that are (1) designed primarily for proprietary software components and (2) incomplete and too dependent on voluntary submissions to the National Vulnerability Database. With the explosion of FOSS usage over the last decade, we need a new approach to efficiently identify FOSS security vulnerabilities, and that approach should be based on open data and FOSS tools.
Watch this video to find out how we are working to build new FOSS tools that aggregate, relate and curate software component vulnerability data from multiple sources, and automate the search for FOSS component security vulnerabilities.
The benefit is the improved security of software applications with open tools and data for everyone.
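To make the aggregate-relate-search idea above concrete, here is an added illustration (not VulnerableCode's own code or data model) of the core mechanics: two constructed advisory feeds that describe the same flaw under different identifiers and naming schemes are normalized, related through shared advisory IDs, and then used to check a component inventory against the affected version ranges. The feed records, package names, advisory IDs and the `SOURCE_A`/`SOURCE_B` naming are all hypothetical; the curation step (human review of conflicting ranges) is not shown.

```python
"""Added example: aggregate vulnerability advisories from several sources,
relate them through shared identifiers, and find affected components.
All feed data below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Hypothetical feed A: NVD-style records keyed by vendor:product, with an
# explicit affected version range.
SOURCE_A = [
    {"id": "VULN-2020-0001", "product": "example_vendor:libfoo", "affected": "<1.4.2"},
    {"id": "VULN-2021-0002", "product": "example_vendor:barlib", "affected": ">=2.0,<2.3.1"},
]

# Hypothetical feed B: distro-style records keyed by package name, giving only
# the fixed version plus aliases that point back to other databases' IDs.
SOURCE_B = [
    {"advisory": "DSA-EXAMPLE-1", "package": "libfoo", "fixed_in": "1.4.2", "aliases": ["VULN-2020-0001"]},
    {"advisory": "DSA-EXAMPLE-2", "package": "bazlib", "fixed_in": "0.9.0", "aliases": []},
]

# Constructed component inventory (the kind of list an SBOM or package lock would give).
INVENTORY = [("libfoo", "1.3.0"), ("barlib", "2.3.1"), ("bazlib", "0.8.5"), ("libfoo", "1.4.2")]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '1.4.2' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def version_in_range(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated constraint in spec."""
    v = parse_version(version)
    for constraint in spec.split(","):
        constraint = constraint.strip()
        for op in ("<=", ">=", "==", "<", ">"):  # two-character operators first
            if constraint.startswith(op):
                bound = parse_version(constraint[len(op):])
                satisfied = {"<=": v <= bound, ">=": v >= bound, "==": v == bound,
                             "<": v < bound, ">": v > bound}[op]
                if not satisfied:
                    return False
                break
        else:
            raise ValueError(f"unsupported constraint: {constraint!r}")
    return True


@dataclass
class Vulnerability:
    """One normalized record; a component is affected if any range matches."""
    ids: Set[str]
    package: str
    ranges: List[str]
    sources: List[str] = field(default_factory=list)


def from_source_a(rec: dict) -> Vulnerability:
    # Drop the vendor prefix so both feeds key on the bare package name.
    return Vulnerability({rec["id"]}, rec["product"].split(":")[-1], [rec["affected"]], ["A"])


def from_source_b(rec: dict) -> Vulnerability:
    # "fixed in X" is expressed as the range "<X"; aliases become extra IDs.
    return Vulnerability({rec["advisory"], *rec["aliases"]}, rec["package"],
                         ["<" + rec["fixed_in"]], ["B"])


def aggregate(records: List[Vulnerability]) -> List[Vulnerability]:
    """Merge records for the same package that share at least one identifier."""
    merged: List[Vulnerability] = []
    for rec in records:
        for existing in merged:
            if existing.package == rec.package and existing.ids & rec.ids:
                existing.ids |= rec.ids
                existing.ranges += [r for r in rec.ranges if r not in existing.ranges]
                existing.sources += rec.sources
                break
        else:
            merged.append(rec)
    return merged


def build_database() -> List[Vulnerability]:
    return aggregate([from_source_a(r) for r in SOURCE_A] + [from_source_b(r) for r in SOURCE_B])


def find_vulnerable(inventory, database) -> List[Tuple[str, str, List[str]]]:
    """Return (package, version, sorted advisory IDs) for each affected component."""
    findings = []
    for name, version in inventory:
        for vuln in database:
            if vuln.package == name and any(version_in_range(version, r) for r in vuln.ranges):
                findings.append((name, version, sorted(vuln.ids)))
    return findings


if __name__ == "__main__":
    for name, version, ids in find_vulnerable(INVENTORY, build_database()):
        print(f"{name} {version} affected by {', '.join(ids)}")
```

The point of relating records through aliases is visible in the output: `libfoo 1.3.0` is reported once, with both the NVD-style and the distro-style identifiers attached, instead of twice under two unrelated names, and `barlib 2.3.1` is correctly left out because the fixed version is excluded by the `<2.3.1` bound.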
Want to learn about VulnerableCode?
- Download the latest release of VulnerableCode
- Learn more about VulnerableCode at nexb.com/vulnerablecode
- Explore other FOSS projects at AboutCode.org