Book is here: "Security Metrics: Replacing Fear, Uncertainty, and Doubt" by Andrew Jaquith
http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989

I am halfway through and it is excellent so far, will post a review soon. Not sure how the security industry as we know it will get by without fud.

-gp

On 4/24/07 7:32 PM, "Gary McGraw" <[EMAIL PROTECTED]> wrote:

> Plus, check out Andrew Jaquith's excellent book:
>
> -----Original Message-----
> From: Gunnar Peterson [mailto:[EMAIL PROTECTED]]
> Sent: Tue Apr 24 20:14:53 2007
> To: Secure Mailing List
> Subject: [SC-L] MetriCon 2.0 CFP
>
> Last year's conference, MetriCon 1.0, featured a software security metrics
> track (http://securitymetrics.org/content/Wiki.jsp?page=Metricon1.0),
> including:
>
> * A Metric for Evaluating Static Analysis Tools - Chess & Tsipenyuk, Fortify
> * An Attack Surface Metric - Manadhata & Wing, Carnegie-Mellon
> * "Good enough" Metrics - Epstein, WebMethods
> * Software Security Patterns and Risk - Heyman & Huygens, U of Leuven
> * Code Metrics - Chandra, Secure Software
>
> -gp
>
> Second Workshop on Security Metrics (MetriCon 2.0)
> Call for Papers
> MetriCon 2.0 CFP
>
> August 7, 2007, Boston, MA
>
> Overview
>
> Do you cringe at the subjectivity applied to security in every manner? If
> so, MetriCon 2.0 may be your antidote to change security from an artistic
> "matter of opinion" into an objective, quantifiable science. The time for
> adjectives and adverbs has gone; the time for hard facts and data has come.
>
> MetriCon 2.0 is intended as a forum for lively, practical discussion in the
> area of security metrics. It is a forum for quantifiable approaches and
> results to problems afflicting information security today, with a bias
> towards practical, specific implementations. Topics and presentations will
> be selected for their potential to stimulate discussion in the Workshop.
>
> MetriCon 2.0 will be a one-day event, Tuesday, August 7, 2007, co-located
> with the 16th USENIX Security Symposium in Boston, MA, USA
> (http://www.usenix.org/events/sec07/), beginning first thing in the morning,
> with meals taken in the meeting room, and extending into the evening.
> Attendance will be by invitation and limited to 60 participants. All
> participants will be expected to "come with findings" and be willing to
> address the group in some fashion, formally or not. Preference will be given
> to the authors of position papers/presentations who have actual work in
> progress.
>
> Each presenter will have 10-15 minutes to present his or her idea, followed
> by 15-20 minutes of discussion with the workshop participants. Panels and
> groups of related presentations may be proposed to present different
> approaches to selected topics, and will be steered by what sorts of
> proposals come in response to this Call.
>
> Goals and Topics
>
> The goal of the workshop is to stimulate discussion of and thinking about
> security metrics and to do so in ways that lead to realistic, early results
> of lasting value. Potential attendees are invited to submit position papers
> to be shared with all. Such position papers are expected to address security
> metrics in one of the following categories:
>
> Benchmarking
> Empirical Studies
> Metrics Definitions
> Financial Planning
> Security/Risk Modeling
> Tools, Technologies, Tips, and Tricks
> Visualization
>
> Practical implementations, real world case studies, and detailed models will
> be preferred over broader models or general ideas.
>
> How to Participate
>
> Submit a short position paper or description of work done/ongoing. Your
> submission must be no longer than five (5) paragraphs or presentation slides.
> Author names and affiliations should appear first in/on the submission.
> Submissions may be in PDF, PowerPoint, HTML, or plaintext email and must be
> submitted to MetriCon AT securitymetrics.org.
>
> Presenters will be notified of acceptance by June 22, 2007 and expected to
> provide materials for distribution by July 22, 2007. All slides and position
> papers will be made available to participants at the workshop. No formal
> proceedings are intended. Plagiarism constitutes dishonesty. The organizers
> of this Workshop as well as USENIX prohibit these practices and will take
> appropriate action if dishonesty of this sort is found. Submission of
> recent, previously published work as well as simultaneous submissions to
> multiple venues is acceptable, but please so indicate in your proposal.
>
> Location
>
> MetriCon 2.0 will be co-located with the 16th USENIX Security Symposium
> (Security '07). (http://www.usenix.org/events/sec07/)
>
> Cost
>
> $200 all-inclusive of meeting space, materials preparation, and meals for
> the day.
>
> Important Dates
>
> Requests to participate: by May 11, 2007
> Notification of acceptance: by June 22, 2007
> Materials for distribution: by July 22, 2007
>
> Workshop Organizers
>
> Fred Cohen, Fred Cohen & Associates
> Jeremy Epstein, webMethods
> Dan Geer, Geer Risk Services
> Andrew Jaquith, Yankee Group
> Elizabeth Nichols, ClearPoint Metrics, Co-Chair
> Gunnar Peterson, Arctec Group, Co-Chair
> Russell Cameron Thomas, Meritology
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
>

--
Gunnar Peterson, Managing Principal, Arctec Group
http://www.arctecgroup.net

SOA, Web Services and XML Security & Web Application Security Training
Schedule of Public Classes
May 7 Washington/Baltimore (WSSC Conference)
May 15 Milan (OWASP App Sec Conference)
July 17-19 Washington/Baltimore
Details and registration info on Arctec Group and Aspect Security classes
http://www.aspectsecurity.com/public_training.htm

Blog: http://1raindrop.typepad.com