【推荐原文】Software Flaws Can Be Predicted

namisang

作者： David Utter
推荐理由：关于软件缺陷
原文地址　http://www.securitypronews.com/n ... CanBePredicted.html

A model developed at Colorado State University can make more accurate estimates of the number and severity of vulnerabilities a piece of software may contain.

The problems that develop with operating systems and other software applications force their manufacturers into a constant race with malicious crackers to patch those issues before they can become exploited.

According to Yashwant K. Malaiya, a CSU professor in the Department of Computer Sciences who was cited in a PhysOrg report, it is impossible to code something like Windows XP and have it be vulnerability-free. A model that can predict when patches will be needed would help programmers be prepared to develop and deploy them in a shorter period of time.

Citing CERT, the report noted 5,198 vulnerabilities were discovered in 2005. "Each individual vulnerability discovered can be widely reported to the public, and in some cases, it has caused the value of the stock of the company to drop," Malaiya said in the article.

The professor's group at CSU has developed a pair of complementary models for vulnerability prediction. The Alhazmi-Malaiya Logistic model projects the rate of vulnerabilities detected, as well as estimating the number of flaws per 1,000 lines of code.

Information released by CSU indicates the model has enjoyed some success. Using the model, researcher predicted that Red Hat Linux 6.2 would have few new vulnerabilities found; that number has remained unchanged at 117 despite the period of time that older version of Red Hat has been in existence.

The model also predicted in 2005 the number of Windows XP vulnerabilities reported would rapidly increase. The increase from 88 in January 2005 to the latest count of 173 apparently made XP's "vulnerability density" comparable to earlier Windows versions.