http://www.coloradoan.com/apps/pbcs.dll/article?AID=/20060710/BUSINESS/607100316/1046 By CHRISTINE McMANUS ChristineMcManus [at] coloradoan.com July 10, 2006 Defending the world from hackers and their billion-dollar crashes, a computer science team at Colorado State University has come up with a model to prevent headline-catching software bugs. Even the Department of Homeland Security and Microsoft are looking to the CSU model. Computer science Professor Yashwant K. Malaiya is taking advantage of the fact that hackers target software when it is at its peak in the market. Both new and old software that are not used by as many people are less at risk for hacking. Malaiya and doctoral student Omar Alhazmi developed a model to predict software vulnerabilities with greater accuracy than ever before. The model helps software development companies and online financial institutions project how many software developers they will need, in order to protect and patch their products. It is impossible to implement an operating system like Windows XP or Linux, or Web servers such as Apache or Microsoft IIS or Web browsers free from vulnerabilities, Malaiya said. "We can predict how many vulnerabilities may occur, but not exactly which ones, or where or what will be hacked," Malaiya said. "Our hope is that vulnerability gets patched before it gets exploited." The Department of Homeland Security has a specific branch to handle computer security called the Computer Emergency Readiness Team. CERT analysts published a book titled "Secure Coding in C and C++" with their similar systematic studies of vulnerabilities to software. Malaiya's is available to the general public online. The model is useful to two groups: software developers and online financial institutions. "We are happy to see our model has worked so well," Malaiya said. "As we collect more data, we're finding it works better than we had initially expected." The Alhazmi-Malaiya Logistic model predicted that very little vulnerability would be found in Red Hat Linux 6.2, and the number has stayed unchanged at 117, according to a release from CSU. The model predicted that the number of vulnerabilities of Windows 2000 would range from 294 to 410. At the time of the prediction the number was at 172; it is now at 250, and vulnerabilities still are being found. The model predicted that Windows XP vulnerabilities would grow rapidly. In January 2005 there were 88; now there are 173. There is a major cost savings associated with the model. Any one of 5,200 vulnerabilities found by the Department of Homeland Security in 2005 has the potential to change the market capitalization to the tune of $860 million. Many hackers are based outside the U.S. "I'm sure Microsoft is following our work. I have former students who work for Microsoft," Malaiya said. "Our results are in the public domain." While the model may some day be commercialized, it is now up for grabs to fight hackers. _________________________________ Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3 2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches. www.blackhat.com
This archive was generated by hypermail 2.1.3 : Tue Jul 11 2006 - 09:25:41 PDT