> I thought it was about ROSI all over again? Having been to and spoken at
> several CISO conferences, I stayed away from this book up to now.
>

Actually, Andy hits that in the preface: "Mercifully, the ROI fad has gone the way of the Macarena." Instead the book (and conference) are about how to measure security, how to analyze the data, and how to tell a story.

-gp

>> http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989
>>
>> I am halfway through and it is excellent so far, will post a review soon.
>> Not sure how the security industry as we know it will get by without fud.
>
> Pretty good! Thank you very much. The problem of teaching security
> practitioners on how to "speak" without FUD, even if they don't see it as
> FUD, is just as great.
>
> Gadi.
>
>>
>> -gp
>>
>> On 4/24/07 7:32 PM, "Gary McGraw" <[EMAIL PROTECTED]> wrote:
>>
>>> Plus, check out Andrew Jaquith's excellent book:
>>>
>>> -----Original Message-----
>>> From: Gunnar Peterson [mailto:[EMAIL PROTECTED]
>>> Sent: Tue Apr 24 20:14:53 2007
>>> To: Secure Mailing List
>>> Subject: [SC-L] MetriCon 2.0 CFP
>>>
>>> Last year's conference, MetriCon 1.0, featured a software security metrics
>>> track (http://securitymetrics.org/content/Wiki.jsp?page=Metricon1.0),
>>> including:
>>>
>>> * A Metric for Evaluating Static Analysis Tools - Chess & Tsipenyuk, Fortify
>>> * An Attack Surface Metric - Manadhata & Wing, Carnegie-Mellon
>>> * "Good enough" Metrics - Epstein, WebMethods
>>> * Software Security Patterns and Risk - Heyman & Huygens, U of Leuven
>>> * Code Metrics - Chandra, Secure Software
>>>
>>> -gp
>>>
>>> Second Workshop on Security Metrics (MetriCon 2.0) - Call for Papers
>>> MetriCon 2.0 CFP
>>>
>>> August 7, 2007 Boston, MA
>>>
>>> Overview
>>>
>>> Do you cringe at the subjectivity applied to security in every manner? If
>>> so, MetriCon 2.0 may be your antidote to change security from an artistic
>>> "matter of opinion" into an objective, quantifiable science. The time for
>>> adjectives and adverbs has gone; the time for hard facts and data has come.
>>>
>>> MetriCon 2.0 is intended as a forum for lively, practical discussion in the
>>> area of security metrics. It is a forum for quantifiable approaches and
>>> results to problems afflicting information security today, with a bias
>>> towards practical, specific implementations. Topics and presentations will
>>> be selected for their potential to stimulate discussion in the Workshop.
>>>
>>> MetriCon 2.0 will be a one-day event, Tuesday, August 7, 2007, co-located
>>> with the 16th USENIX Security Symposium in Boston, MA, USA
>>> (http://www.usenix.org/events/sec07/). Beginning first thing in the morning,
>>> with meals taken in the meeting room, and extending into the evening.
>>> Attendance will be by invitation and limited to 60 participants. All
>>> participants will be expected to "come with findings" and be willing to
>>> address the group in some fashion, formally or not. Preference given to the
>>> authors of position papers/presentations who have actual work in progress.
>>>
>>> Each presenter will have 10-15 minutes to present his or her idea, followed
>>> by 15-20 minutes of discussion with the workshop participants. Panels and
>>> groups of related presentations may be proposed to present different
>>> approaches to selected topics, and will be steered by what sorts of
>>> proposals come in response to this Call.
>>>
>>>
>>> Goals and Topics
>>>
>>> The goal of the workshop is to stimulate discussion of and thinking about
>>> security metrics and to do so in ways that lead to realistic, early results
>>> of lasting value. Potential attendees are invited to submit position papers
>>> to be shared with all. Such position papers are expected to address security
>>> metrics in one of the following categories:
>>>
>>> Benchmarking
>>> Empirical Studies
>>> Metrics Definitions
>>> Financial Planning
>>> Security/Risk Modeling
>>> Tools, Technologies, Tips, and Tricks
>>> Visualization
>>>
>>> Practical implementations, real world case studies, and detailed models will
>>> be preferred over broader models or general ideas.
>>>
>>> How to Participate
>>>
>>> Submit a short position paper or description of work done/ongoing. Your
>>> submission must be no longer than five (5) paragraphs or presentation slides.
>>> Author names and affiliations should appear first in/on the submission.
>>> Submissions may be in PDF, PowerPoint, HTML, or plaintext email and must be
>>> submitted to MetriCon AT securitymetrics.org.
>>>
>>> Presenters will be notified of acceptance by June 22, 2007 and expected to
>>> provide materials for distribution by July 22, 2007. All slides and position
>>> papers will be made available to participants at the workshop. No formal
>>> proceedings are intended. Plagiarism constitutes dishonesty. The organizers
>>> of this Workshop as well as USENIX prohibit these practices and will take
>>> appropriate action if dishonesty of this sort is found. Submission of
>>> recent, previously published work as well as simultaneous submissions to
>>> multiple venues is acceptable but please so indicate in your proposal.
>>>
>>> Location
>>>
>>> MetriCon 2.0 will be co-located with the 16th USENIX Security Symposium
>>> (Security '07). (http://www.usenix.org/events/sec07/)
>>>
>>> Cost
>>>
>>> $200 all-inclusive of meeting space, materials preparation, and meals for
>>> the day.
>>>
>>> Important Dates
>>>
>>> Requests to participate: by May 11, 2007
>>> Notification of acceptance: by June 22, 2007
>>> Materials for distribution: by July 22, 2007
>>>
>>> Workshop Organizers
>>>
>>> Fred Cohen, Fred Cohen & Associates
>>> Jeremy Epstein, webMethods
>>> Dan Geer, Geer Risk Services
>>> Andrew Jaquith, Yankee Group
>>> Elizabeth Nichols, ClearPoint Metrics, Co-Chair
>>> Gunnar Peterson, Arctec Group, Co-Chair
>>> Russell Cameron Thomas, Meritology
>>>
>>>
>>> _______________________________________________
>>> Secure Coding mailing list (SC-L) SC-L@securecoding.org
>>> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
>>> List charter available at - http://www.securecoding.org/list/charter.php
>>> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
>>> as a free, non-commercial service to the software security community.
>>> _______________________________________________
>>>
>>
>> --
>> Gunnar Peterson, Managing Principal, Arctec Group
>> http://www.arctecgroup.net
>>
>> SOA, Web Services and XML Security & Web Application Security Training
>>
>> Schedule of Public Classes
>> May 7 Washington/Baltimore (WSSC Conference)
>> May 15 Milan (OWASP App Sec Conference)
>> July 17-19 Washington/Baltimore
>>
>> Details and registration info on Arctec Group and Aspect Security classes
>> http://www.aspectsecurity.com/public_training.htm
>>
>> Blog: http://1raindrop.typepad.com
>>
>