[ISN] CSU team crushes computer bugs
From: InfoSec News (alerts [at] infosecnews.org)
Date: Tue Jul 11 2006 - 03:09:21 CDT
http://www.coloradoan.com/apps/pbcs.dll/article?AID=/20060710/BUSINESS/607100316/1046
By CHRISTINE McMANUS
ChristineMcManus [at] coloradoan.com
July 10, 2006
Defending the world from hackers and their billion-dollar crashes, a
computer science team at Colorado State University has come up with a
model to prevent headline-catching software bugs.
Even the Department of Homeland Security and Microsoft are looking to the
CSU model.
Computer science Professor Yashwant K. Malaiya is taking advantage of the
fact that hackers target software when it is at its peak in the market.
Software that is either very new or very old, and therefore used by fewer
people, is at less risk of being attacked.
Malaiya and doctoral student Omar Alhazmi developed a model to predict
software vulnerabilities with greater accuracy than ever before. The model
helps software development companies and online financial institutions
project how many software developers they will need, in order to protect
and patch their products.
It is impossible to implement an operating system like Windows XP or
Linux, or Web servers such as Apache or Microsoft IIS or Web browsers free
from vulnerabilities, Malaiya said.
"We can predict how many vulnerabilities may occur, but not exactly which
ones, or where or what will be hacked," Malaiya said. "Our hope is that
vulnerability gets patched before it gets exploited."
The Department of Homeland Security has a specific branch to handle
computer security called the Computer Emergency Readiness Team. CERT
analysts published a book titled "Secure Coding in C and C++" with their
similar systematic studies of vulnerabilities to software.
Malaiya's model is available to the general public online. The model is
useful to two groups: software developers and online financial institutions.
"We are happy to see our model has worked so well," Malaiya said. "As we
collect more data, we're finding it works better than we had initially
expected."
The Alhazmi-Malaiya Logistic model predicted that very few new
vulnerabilities would be found in Red Hat Linux 6.2, and the number has
stayed unchanged at 117, according to a release from CSU.
The model predicted that the number of vulnerabilities of Windows 2000
would range from 294 to 410. At the time of the prediction the number was
at 172; it is now at 250, and vulnerabilities still are being found.
The model predicted that Windows XP vulnerabilities would grow rapidly. In
January 2005 there were 88; now there are 173.
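The article never shows the model itself. The Alhazmi-Malaiya Logistic (AML) model, as published by the two researchers, describes the cumulative number of vulnerabilities found by time t as a logistic curve, y(t) = B / (B*C*exp(-A*B*t) + 1), where B is the total number of vulnerabilities the product will eventually yield and A and C shape the curve. The script below is an added illustration, not code from CSU or from the article: the formula is the published one, but the monthly history, the parameter grids and the grid-search fitting routine are constructed here to show how a team would fit the curve to counts observed so far and read off a predicted total, the way the article describes for Windows 2000 (a range predicted while the count stood at 172).

```python
import math

# Alhazmi-Malaiya Logistic (AML) vulnerability discovery model.
# Cumulative vulnerabilities found t months after release:
#     y(t) = B / (B*C*exp(-A*B*t) + 1)
# B = total vulnerabilities the product will eventually yield (saturation),
# A = scale of the discovery rate, C = position of the curve at t = 0.
# The formula follows the published model; every number below is a
# constructed example, not data from the article.

def aml_cumulative(t, A, B, C):
    """Predicted cumulative vulnerability count at time t."""
    return B / (B * C * math.exp(-A * B * t) + 1.0)

def aml_rate(t, A, B, C):
    """Discovery rate dy/dt = A * y * (B - y): low while few people use the
    product, highest at mid-life (y = B/2), falling as the pool of
    undiscovered bugs shrinks. This is the 'peak in the market' effect."""
    y = aml_cumulative(t, A, B, C)
    return A * y * (B - y)

def time_to_fraction(frac, A, B, C):
    """Months until a fraction `frac` of the B vulnerabilities has been found,
    obtained by solving y(t) = frac * B for t."""
    if not 0 < frac < 1:
        raise ValueError("frac must lie strictly between 0 and 1")
    return -math.log((1.0 / frac - 1.0) / (B * C)) / (A * B)

def fit_aml(observations, b_grid, a_grid, c_grid):
    """Least-squares fit by exhaustive grid search over (A, B, C).
    `observations` is a list of (t, cumulative_count) pairs. A coarse grid
    is enough here; a real study would refine with a nonlinear solver."""
    best = None
    for B in b_grid:
        for A in a_grid:
            for C in c_grid:
                sse = sum((aml_cumulative(t, A, B, C) - y) ** 2
                          for t, y in observations)
                if best is None or sse < best[0]:
                    best = (sse, A, B, C)
    _, A, B, C = best
    return A, B, C

# Constructed history: monthly cumulative counts generated from known
# parameters and rounded to whole vulnerabilities, mimicking a series
# scraped from an advisory database.
TRUE_A, TRUE_B, TRUE_C = 0.0005, 300, 0.05
HISTORY = [(t, round(aml_cumulative(t, TRUE_A, TRUE_B, TRUE_C)))
           for t in range(0, 37)]

def forecast_total(observations):
    """Fit the model to the history observed so far and return
    (A, B, C, months until 90% of the predicted total is found)."""
    A, B, C = fit_aml(observations,
                      b_grid=range(100, 601, 10),
                      a_grid=[0.00025, 0.0005, 0.001, 0.002],
                      c_grid=[0.01, 0.02, 0.05, 0.1, 0.2])
    return A, B, C, time_to_fraction(0.9, A, B, C)

if __name__ == "__main__":
    # Fit on the first 18 months only, as a team would mid-life, then on all.
    for label, obs in (("first 18 months", HISTORY[:19]), ("full 36 months", HISTORY)):
        A, B, C, t90 = forecast_total(obs)
        print(f"{label}: A={A}, B={B}, C={C}; 90% of bugs expected by month {t90:.1f}")
    for t in (0, 12, 24, 36):
        print(f"month {t:2d}: cumulative {aml_cumulative(t, TRUE_A, TRUE_B, TRUE_C):6.1f}"
              f"  rate {aml_rate(t, TRUE_A, TRUE_B, TRUE_C):5.2f}/month")
```

The value of B from the fit is the headline number: it is the predicted eventual total, and the gap between B and the count found so far is the backlog the article says developers need staffing to patch. Fitting on a truncated history shows why the article's Windows 2000 prediction was a range rather than a point: early in a product's life many (A, B, C) triples fit the data almost equally well, and the spread narrows only as the curve bends toward saturation.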
There is a major cost savings associated with the model. Any one of 5,200
vulnerabilities found by the Department of Homeland Security in 2005 has
the potential to change the market capitalization to the tune of $860
million. Many hackers are based outside the U.S.
"I'm sure Microsoft is following our work. I have former students who work
for Microsoft," Malaiya said. "Our results are in the public domain."
While the model may some day be commercialized, it is now up for grabs to
fight hackers.