vul·ner·a·ble (vul'ner a bol) adj. 1. Susceptible to physical or emotional injury. 2. Susceptible to attack:

Vulnerable. A scary word these days. Just hearing it puts to mind a bunker mentality, whether it be traveling, standing in line for coffee, or using software. Yes, even software is vulnerable to attack.

In fact, between 1995 and 2006 (Q1), the CERT reported 24,313 vulnerabilities--defects in software that can let attackers bypass security measures. In 2005 alone, 5198 newly discovered vulnerabilities were reported by CERT.

Robert Seacord, a senior vulnerability analyst at the CERT and author of Secure Coding in C and C++, has written widely about software vulnerabilities in Dr. Dobb's; see, for instance, "Wide-Character Format String Vulnerabilities" and "Validating C and C++ for Safety and Security".

Recently, Yashwant K. Malaiya, professor in the Colorado State University Department of Computer Science, and Omar Alhazmi, a doctoral student, have developed a model to predict with much greater accuracy the number and severity of vulnerabilities that will likely surface in operating systems and in major software applications in the near future.

"The hope is that a vulnerability gets patched before it gets exploited," Malaiya said. "Each individual vulnerability discovered can be widely reported to the public, and in some cases, it has caused the value of the stock of the company to drop."

It is impossible to implement an operating system like Windows XP or Linux, Web servers like Apache or Microsoft IIS, or Web browsers that are free from vulnerabilities, Malaiya said. If developers knew when and how many patches will be needed in a certain period of time, they could be better prepared to quickly develop patches and ensure the security of such applications and systems, he said.

Malaiya's group has developed two complementary approaches to predict vulnerabilities--modeling of the vulnerability detection rate with the Alhazmi-Malaiya Logistic model and based on the developer, predicting the number of vulnerabilities per 1000 lines of code.

Applications of such data can be far-ranging, Malaiya said. Companies like Microsoft can project the manpower needed to quickly develop and release patches to minimize the probability of exploitation. An investment company, such as a bank or a brokerage, can better assess the potential risk levels because products containing more projected vulnerabilities tend to be riskier products.

The Alhazmi-Malaiya Logistic model has already seen success in its predictions:

• In 2005, it predicted the number of vulnerabilities discovered in Windows XP would grow rapidly. It has indeed grown from 88 in January 2005 to 173 by the latest count, making the vulnerability density of XP comparable to that of earlier version of Windows.

• The model predicted that very few new vulnerabilities will be found in Red Hat Linux 6.2, and the number has stayed unchanged at 117.

• It predicted that the number of vulnerabilities of Windows 2000 will eventually range from 294 to 410. At that time of the prediction, the number was 172; it now is 250, and vulnerabilities are still being found.

Posted by Jon Erickson at 11:28 AM  Permalink