How to Stay Up-to-Date on Vulnerabilities

Security requires proactive pre-emptive operations, continuously; it means acting in anticipate and oppose attacks involving your computers and networks. So, keeping track of security alerts and advisories, daily, gives the necessary information for maintaining up-to-date systems and preventing falling victim to vulnerabilities.

As part of your computer security prevention measures efforts start with your Computer Emergency Response Team (CERT), (click on the link to see a list). Your CERT is the first place to look, many countries have CERT, AKA Computer Emergency Readiness Team and Computer Security Incident Response Team (CSIRT), and most are a member of Forum of Incident Response and Security Teams (FIRST). They have up-to-date vulnerability information for the most popular products.

Also, check if your country has a National Vulnerability Database (NVD). For example, the US National Institute of Standards and Technology (NIST) provides one of the best vulnerability database around. You can also look at this catalog of vulnerability databases.

Another good place to check is Full Disclosure, it is one of the oldest available vulnerability databases. It provides a detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and industry gossip. More importantly, new vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

And there is Security Focus, it has a feed with recent advisories for almost every product. Note that some feeds are not frequently updated.

Additionally, many vendors have their advisories feed (see partial list below) or you can use www.cvedetails.com, it provides an easy to use web interface to CVE vulnerability data. You can browse for vendors, products and versions and view CVE entries, vulnerabilities, related to them. You can view statistics about vendors, products and versions of products.

So, by combining your asset management list, along with information and advisories from your national CERT (or equivalent), and other sources, like MITRE‘s Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE), you should have a list of alerts and advisories for your products. It should be checked proactively daily so that you and your vendors are able to follow what needs immediate attention or patches closely.

For example here is a very short list of vendors with vulnerability advisories page, remember be proactive with your security:

Microsoft’s Security Advisories and Bulletins
Cisco Security Advisories and Alerts
ASUS Product Security Advisory
Fortinet Product Security Incident Response Team (PSIRT) Advisories
SAP Security Patch Day
Netgear Product Security
Oracle Critical Patch Updates, Security Alerts and Bulletins
Intel Official Security Advisory
WordPress Security Release
VMware Security Advisories
Mozilla Foundation Security Advisories