Introduction

On January 21 and 22, 1999, the Center for Research and Education in Information Assurance and Security (CERIAS) conducted the 2nd Workshop on Research with Security Vulnerability Databases. This report summarizes the happenings from the workshop.

A security vulnerability, or simply a vulnerability, in a system is a characteristic that renders it susceptible to a security compromise. A security vulnerability database catalogues details on such vulnerabilities so that analysis, taxonomy and classification of those vulnerabilities are facilitated. Recently, Ivan Krsul completed his PhD dissertation at Purdue University, titled "Software Vulnerability Analysis", which discusses how to build and use such databases effectively. The workshop was a follow-up to the 1st workshop, held in conjunction with NIST in 1996, and to Ivan's dissertation work.

About 100 people from about 50 organizations attended the workshop. The organizations represented included governmental institutions, such as NIST and NSA, commercial organizations, such as IBM, Cisco and Secure Computing, and educational institutions, such as Iowa State University.

The workshop was split into two days. The first day consisted mostly of the presentation of eight papers and a demonstration of the vulnerability database from the Computer Operations Audit and Security Technology (COAST) lab. The eight papers were chosen by a program committee from submissions of extended abstracts and full papers. The papers are available in the proceedings published for the workshop. Ivan Krsul's PhD dissertation is also part of the proceedings. Ivan also submitted a note titled "Experiences in the Development of the COAST Vulnerability Database" to the workshop.

Thursday

In his welcoming remarks, Prof. Gene Spafford, the Director of CERIAS, spoke about the need to follow up on the important initiatives in the area of vulnerability databases.
He indicated that the need for such databases is widespread, and that effective use of such databases will revolutionize software engineering. He spoke about the motivation behind the workshop: to bring about a confluence of those that saw the pressing need to establish standards on this front and to establish such databases.

The first talk was based on a paper by Dave Bailey, Fred Smith and Bob Abbott, who represent over 100 years of combined information security experience. Their paper is titled "Vulnerability Data: the Case for Sharing." They made the case for sharing of such data by pointing out the benefits from such sharing and the dangers from not sharing. The benefits from sharing are that security flaws, which seem to reappear every few years, can be eliminated, and that software development can be made more rapid by analysis of such flaws. They also discussed the Year 2000 problem as an instantiation of such a flaw and used it as an example to indicate the potential legal issues arising from such security flaws.

The second presentation was based on a paper titled "VulDa: A Vulnerability Database" by D. Alessandri and M. Dacier of IBM-Zurich. They spoke about the vulnerability database from IBM and used sample entries from the database to demonstrate how it is populated and used for imparting information on such vulnerabilities and for analysis. They also discussed how the vulnerability database is used in their research in intrusion detection, and the conditions under which they would be willing to share the database with others.

The third presentation was based on a paper by Aaron Schwartzbard and Anup K. Ghosh from Reliable Software Technologies titled "Establishing Common Exploit Information for Intrusion Detection." They spoke about data necessary for effective intrusion detection. In doing so, they related vulnerability and attack data to data needed for intrusion detection.
They made the case for a common repository for such information, and for effective tools and techniques to mine for and analyze data in such a repository.

The fourth presentation was based on a paper titled "Mapping Attacks to Vulnerabilities" by Mahesh Tripunitara of Purdue University. He spoke about the problem of relating the vulnerabilities that are exploited to the attacks that exploit them. He used a formal model for attacks in two examples to discuss the relationship between the set of attacks and the set of vulnerabilities they exploit.

It was then time for the lunch break, which gave the participants a good opportunity to informally discuss several of their ideas, interests and intentions in vulnerability databases.

The first presentation after lunch was by Thomas Daniels of Purdue University. He gave a demonstration of the COAST vulnerability database, which generated considerable interest from the audience. He demonstrated the graphical user interface used to query and enter data into the database. He also picked a few examples to illustrate the fields in which vulnerability data is stored and discussed tools for analysis of the data in the database.

The sixth presentation was based on a paper titled "Towards a Common Enumeration of Vulnerabilities" by David E. Mann and Steven M. Christey from the MITRE Corporation. This presentation also generated considerable interest from the audience. They tackled the problem of dealing with several heterogeneous vulnerability databases and presented the Common Vulnerability Enumeration (CVE) mechanism for sharing of vulnerability data. They related the CVE to current practices on vulnerability data sharing.

The seventh presentation was based on a paper titled "Use of a Vulnerability Database for Writing Security Requirements" by Jim Williams of the MITRE Corporation. He presented his efforts in automating the specification of security requirements.
The security requirements he spoke about are of the type indicated in the Common Criteria (CC). He discussed a database that stores mappings from high-level organizational security policies and requirements to detailed attacks, vulnerabilities and countermeasures.

The eighth presentation was based on a paper titled "The Proper Usage, Possible Benefits, and Risks of Open Vulnerability Databases" by Pascal Meunier of Purdue University. He discussed an open model for vulnerability databases, with vulnerability data being freely shared and added. He then raised several contentious issues relating to such a model. He also presented his notion of the "ideal" open vulnerability database.

The final presentation was based on a paper titled "Thoughts on Potential Sources of Error and Bias in Vulnerability Databases" by Ken Olthoff. He focussed on the problem of the possible corruption of vulnerability databases, either accidentally or maliciously. He also discussed some possible countermeasures against such corruption.

Friday

The first day concluded with the formation of working groups for the second day. Five working groups were established, with the participants in the workshop deciding for themselves which of the working groups each wanted to participate in. Working groups 1 through 4 dealt with various models and architectures for vulnerability databases. Working group 5 looked at issues fundamental to vulnerability databases, regardless of the model used to construct them.

Working group 1 dealt with the "fully available" or "open" model. This is a database that anyone can add to and read from. Copies are allowed to be made freely, and the data and copies of the database can be used in whatever manner desired.

Working group 2 dealt with the "centralized" model. This involves a database of which there is only one copy, managed and controlled by a single agency or group.
There may be some distribution in the access or update of data in the database, but there is always a "master copy."

Working group 3 dealt with the "federated" model. This is a model in which there are several distributed databases, but with some centrality. The databases use a common schema or fields to store data, but the data is not necessarily replicated across all databases. The sharing of data occurs in an organized manner.

Working group 4 dealt with the "balkanized" model. It was also called the "status quo" model because there was general agreement that this model describes what currently exists. The model involves several databases, different both in terms of the data in them and in terms of how the data is organized. Access methods to each database are also different, and sharing is not structured.

Working group 5 dealt with overall issues for vulnerability databases, such as terminology, classifications, schema and storage. The group also dealt with the question of what data a vulnerability database should include.

Each working group met for about 5 hours on the second day, dealing with such issues as ease of access and update in the model, intellectual property rights, access control, fault tolerance, expandability and flexibility, trans-national use, maintenance, location and staffing, scalability and longevity. The issues were dealt with both from a "model" standpoint and an "architecture" standpoint. Towards the end of the day, one person from each group made a presentation based on the respective discussions. Some of the presenters presented an analysis of their model, while others made a case for the model they had worked with. Each of the working groups is currently working on the final reports from the meetings for submission to a body of "main" editors that has the responsibility of consolidating the reports into a single report. A standards document is in the offing.
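As an added illustration (not part of the workshop report or of any of the databases presented there) of the difference between the "balkanized" and "federated" models, and of the role a common enumeration such as CVE plays in making a federation possible: three member databases with their own field names each export records into one agreed schema, and a federated query resolves a shared identifier across them without replicating any data. Every database name, field name, identifier (COMMON-nnnn is a placeholder, not a real CVE name) and record below is constructed for the example.

```python
"""Toy federated vulnerability-database lookup over "balkanized" member stores.
All names, fields and records are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    """The common schema the federation agrees on (constructed fields)."""
    common_id: str   # shared enumeration key, e.g. a CVE-style name (placeholder here)
    product: str     # affected software as the member records it
    category: str    # member's own classification term
    source: str      # which member database contributed the record


# Three "balkanized" member databases: overlapping facts, different layouts.
DB_ALPHA = [
    {"id": "A-17", "sw": "mailer 2.1", "kind": "buffer overflow", "xref": "COMMON-0001"},
    {"id": "A-42", "sw": "loginsvc 3.1", "kind": "race condition", "xref": "COMMON-0003"},
]
DB_BETA = [
    {"ref": "COMMON-0001", "package": "mailer 2.1", "class": "overflow"},
    {"ref": "COMMON-0002", "package": "webcgi 1.0", "class": "input validation"},
]
DB_GAMMA = [
    ("COMMON-0002", "webcgi 1.0", "unchecked input"),
    ("COMMON-0003", "loginsvc 3.2", "race condition"),
]


# Adapters: each member keeps its own storage but exports the common schema.
def from_alpha(row):
    return VulnRecord(row["xref"], row["sw"], row["kind"], "alpha")


def from_beta(row):
    return VulnRecord(row["ref"], row["package"], row["class"], "beta")


def from_gamma(row):
    return VulnRecord(row[0], row[1], row[2], "gamma")


MEMBERS = [(DB_ALPHA, from_alpha), (DB_BETA, from_beta), (DB_GAMMA, from_gamma)]


def federated_lookup(common_id, members=MEMBERS):
    """Ask every member for one shared identifier; nothing is copied between members."""
    hits = []
    for rows, adapt in members:
        for row in rows:
            rec = adapt(row)
            if rec.common_id == common_id:
                hits.append(rec)
    return hits


def merge(hits):
    """Consolidate member answers; surface disagreements rather than silently picking one."""
    if not hits:
        return None
    products = sorted({h.product for h in hits})
    return {
        "common_id": hits[0].common_id,
        "product": products[0] if len(products) == 1 else None,
        "conflicting_products": products if len(products) > 1 else [],
        # Differing category vocabularies are exactly the terminology problem
        # working group 5 was chartered to look at.
        "categories": {h.category for h in hits},
        "sources": sorted(h.source for h in hits),
    }


def coverage(members=MEMBERS):
    """How many members know each shared identifier (a measure of federation overlap)."""
    counts = {}
    for rows, adapt in members:
        for cid in {adapt(r).common_id for r in rows}:
            counts[cid] = counts.get(cid, 0) + 1
    return counts


if __name__ == "__main__":
    for cid in sorted(coverage()):
        print(merge(federated_lookup(cid)))
```

Without the shared key there is no way to know that "A-17" in one store and the first row of another describe the same flaw; with it, the federation can answer a single query, report which members contributed, and flag the version disagreement on COMMON-0003 for a curator instead of burying it.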
Concluding Remarks

The workshop's goals were to set an agenda for standardization in all aspects related to vulnerability databases and to initiate the building of the infrastructure to promote sharing of such data. Based on the enthusiastic participation and on preliminary feedback, the workshop was a success. Follow-up work is now being conducted, and those interested in involving themselves with the effort are encouraged to contact Prof. Gene Spafford (spaf@cs.purdue.edu).