ADVISORIES
Software-Related Security Advisories
The following is a list of free security advisory services relevant to software. Users can sign up to receive the latest security news and vulnerability alerts. Some of the advisories are limited to application security; others have a broader scope that covers all facets of cybersecurity. Anyone can send an email to software.assurance[at]dhs.gov with recommendations for improving this page, especially if there are other recommended free security advisories relevant to software.
US-CERT National Cyber Alert System
SANS Internet Storm Center (ISC)
Secunia Advisories
TippingPoint Zero Day Initiative
US-CERT National Cyber Alert System provides four mailing lists suitable for various skill levels:
- Technical Cyber Security Alerts are technical alerts written for system administrators and experienced users. They provide timely information about current security issues, vulnerabilities, and exploits.
- Cyber Security Bulletins provide weekly summaries of new vulnerabilities for system administrators and other technical users. Patch information is provided when available.
- Cyber Security Alerts are written in conjunction with the Technical Cyber Security Alerts listed above. They outline the steps and actions that non-technical home and corporate computer users can take to protect themselves from attack.
- Cyber Security Tips provide advice about a variety of common security issues. They are published every two weeks and are written primarily for home, corporate, and new users. These tips are aimed at users who are unfamiliar with basic cyber security practices and may not be useful to those with more experience.
The scope of these lists goes well beyond that of software assurance and covers all facets of cyber security. Aside from these lists, US-CERT also allows anyone to report an incident, vulnerability, or phishing scam.
SANS Internet Storm Center (ISC) relies on an all-volunteer effort to detect problems, analyze threats, and disseminate both technical and procedural information to the general public. Thousands of sensors that work with most firewalls, intrusion detection systems, home broadband devices, and nearly all operating systems constantly collect information about unwanted traffic arriving from the Internet. Anyone can participate in ISC by sending their firewall logs to DShield, a free distributed intrusion detection system sponsored by SANS. Registration for DShield is not required, but registered users can keep track of their submissions.
Secunia Advisories describe vulnerabilities found in applications. By creating a community profile on Secunia’s website, a user can receive advisories as they are published and/or a weekly summary of the advisories. Secunia also provides products to scan a home computer for vulnerable and out-of-date programs: Personal Software Inspector (PSI) and the Online Software Inspector (OSI). The difference between the two is that the OSI is only meant to let the user get a feel for how the software inspector technology works, and as such checks fewer than 100 programs.
TippingPoint Zero Day Initiative provides a list of vulnerabilities discovered by TippingPoint ZDI researchers. When a vulnerability is discovered, the affected vendor is notified and the notification date is recorded. Once the vendor releases a patch, the vulnerability details and the patch are publicly disclosed and available for free. For vulnerabilities still awaiting public disclosure, the affected vendor(s), the severity, and the date the issue was reported to the vendor are listed for free.