Re: [SC-L] MetriCon 2.0 CFP

2007-04-25 Thread Gunnar Peterson
> I thought it was about ROSI all over again? Having been to and spoken at
> several CISO conferences, I stayed away from this book up to now.
> 

Actually, Andy hits that in the preface

"Mercifully, the ROI fad has gone the way of the Macarena"

Instead, the book (and conference) are about how to measure security, how
to analyze the data, and how to tell a story.

-gp


>> http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989
>> 
>> I am halfway through and it is excellent so far, will post a review soon.
>> Not sure how the security industry as we know it will get by without fud.
> 
> Pretty good! Thank you very much. The problem of teaching security
> practitioners on how to "speak" without FUD, even if they don't see it as
> FUD, is just as great.
> 
> Gadi.
> 
>> 
>> -gp
>> 
>> On 4/24/07 7:32 PM, "Gary McGraw" <[EMAIL PROTECTED]> wrote:
>> 
>>> Plus, check out Andrew Jaquith's excellent book:

Re: [SC-L] MetriCon 2.0 CFP

2007-04-25 Thread Gadi Evron
On Tue, 24 Apr 2007, Gunnar Peterson wrote:
> Book is here
> 
> "Security Metrics: Replacing Fear, Uncertainty, and Doubt" by Andrew Jaquith

I thought it was about ROSI all over again? Having been to and spoken at
several CISO conferences, I stayed away from this book up to now.

> http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989
> 
> I am halfway through and it is excellent so far, will post a review soon.
> Not sure how the security industry as we know it will get by without fud.

Pretty good! Thank you very much. The problem of teaching security
practitioners on how to "speak" without FUD, even if they don't see it as
FUD, is just as great.

Gadi.

> 
> -gp
> 
> On 4/24/07 7:32 PM, "Gary McGraw" <[EMAIL PROTECTED]> wrote:
> 
> > Plus, check out Andrew Jaquith's excellent book:

Re: [SC-L] MetriCon 2.0 CFP

2007-04-25 Thread Bret Watson
You know it's a little off topic, but I'd kill for a set of metrics
around the effectiveness/efficiency of a SOC :)

Anyone got any ideas? The usual "events per person" type metrics are
backwards (good security means fewer events, so lower "efficiency").

Thanks

Bret

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] SC-L Digest, Vol 3, Issue 81

2007-04-25 Thread Jason Grembi

Gary/James

As an application developer who has turned into a secure developer (thanks,
Ken at Secure University), I can attest that not a whole lot of 'decision
makers' understand what they're up against (vulnerability speaking).  Most
of my time is spent training and explaining; then I use tools to verify my
lectures.  Once the 'decision makers' see the results these tools produce,
they usually green-light the use of tools and time spent in
design/development.

In my experience, security issues, so far, have come from the ground up
(programmers) because people at the top have a hard time understanding the
how-to's.  It's going to take a few more years for security factors to rank
up there with quality, but the industry is moving that way.

Keep the movement going; these emails and silverbullet podcasts do help.


Jason Grembi
Web Developer


On 4/24/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]>
wrote:



Today's Topics:

   1. Re: How big is the market? (McGovern, James F (HTSC, IT))
   2. Re: How big is the market? (Gary McGraw)
   3. Re: How big is the market? (McGovern, James F (HTSC, IT))
   4. Re: How big is the market? (SC-L Subscriber Dave Aronson)
   5. NYC Security (McGovern, James F (HTSC, IT))
   6. Magazines (McGovern, James F (HTSC, IT))
   7. MetriCon 2.0 CFP (Gunnar Peterson)


--

Message: 1
Date: Tue, 24 Apr 2007 11:17:20 -0400
From: "McGovern, James F (HTSC, IT)"
<[EMAIL PROTECTED]>
Subject: Re: [SC-L] How big is the market?
To: "Gary McGraw" <[EMAIL PROTECTED]>
Cc: SC-L@securecoding.org
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Gary, I do at some level agree in terms of quality of publication. My
perspective, though, is from a large enterprise perspective, whose primary
business model isn't about technology, and the magazines that folks do read,
especially in the development community. A quick informal survey tells me
that absolutely zero of my peers read IEEE (note I am a subscriber).

Part of the problem may be the fact that we enterprise folks are bombarded
with free magazines and cannot justify spending money to subscribe to ones
such as the IEEE. I am merely suggesting some diversification for folks that
don't pay for magazines.

-Original Message-
From: Gary McGraw [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 24, 2007 10:50 AM
To: McGovern, James F (HTSC, IT)
Cc: SC-L@securecoding.org
Subject: RE: [SC-L] How big is the market?


I'm sorry James, but I have to respectfully disagree about the vendor
thing.  Perhaps the tools vendors target the "information protection"
people, but at Cigital we sell services to software execs (in huge
companies) who are way up the food chain.

Software security is small, and we need to emphasize the growth and get
people interested.  This goes for everyone who reads this list.  To
continue our impressive growth as a field, we need to continue to build.

I do agree with you that people need to write more for developers (but I
hope they pick better places than JDJ to publish in).  Toward that end,
check out the "Building Security In" department in IEEE Security &
Privacy magazine.  Also
check out Brian Chess's new book "Secure Programming with Static
Analysis" when it comes out in June.  However, for the most part, it's
critical to understand that workaday developers can't wrangle enough
budget to tackle software security.

BTW, I posted a reprise to the darkreading column on justice league
today:
http://www.cigital.com/justiceleague/
http://www.darkreading.com/document.asp?doc_id=122253&WT.svl=column1_1

All told, I am very optimistic about our field, but don't think we can
rest on our laurels at all yet.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com







Re: [SC-L] Catching up, and some retrospective thoughts

2007-04-25 Thread Arian J. Evans

comments:

On 4/24/07, Jeremy Epstein <[EMAIL PROTECTED]> wrote:

> I've just caught up with 6 weeks of backlogged messages in this group,

Better than me; I fell off all the lists when I moved last year. Pardon list
duplicity:

> (1) SOX is a waste, as several people said, because it's just a way to
> give auditors more ways to demand irrelevant things on checklists - but
> not to pay attention to actual security.  I've had customers demand that

[...] usual "non-contextual nonsense audit security" requirements removed

So yeah, this happens all the time. I used to work with several software
companies that store the key with the encrypted message, same host, same DB,
all because of the requirement to "encrypt sensitive data", e.g. firewall log
management products and such. Zero value. Check.

> (2) PCI, by contrast, is dramatically better, because it's got actual
> things you can measure, and some of them have some relevance to software
> security.  However, it's having an effect that I think was unintended by
> the folks who wrote it (or at least the ones I met at a recent
> conference) - merchants are pushing the requirements down to all of
> their suppliers, regardless of whether they're applicable.

[...]

To look the proverbial gift horse in the mouth, there's another pattern
I've seen from several PCI assessors: they are requiring some form of
software security "testing". There seems to be a lot of general confusion
about what webappsec in PCI is today and/or means. (It means nothing
that I know of, outside some random training/awareness req).

The problem is there is absolutely no definition on what this means. WHS
for example has two bitbuckets for similar attacks: XSS and Content
Spoofing. Watchfire added a third, "Phishing", which is an overlap of the
two above (their developer didn't want to admit to me his XSS checks were
lame, so made up a random title). Then you have HTTP Response Splitting,
which I think has next to zero attack surface. We stick close to PCI vuln
defs so tend to ignore it, but for some vendors that is a HIGH severity
issue. (!?)

So (a) what is being measured is equivocal, and (b) what is being held
up as priority to be fixed is pretty borked at the moment too.

The really important stuff, like Authentication and Authorization issues,
seems entirely ignored in favor of bit-fiddling like XSS since basic XSS
is generally easier to test for w/out context (e.g. scanner jockey
-->Click/scan).



> (3) Vendors do what their customers ask for.  If my customers ask for
> better security, we'll put our engineering resources into improving
> security - just as Microsoft has done.

[...]

Cynically speaking: has it paid off for MS? Vista? Is security driving
resounding success there? Do we need more time to tell? SQL Server
2005 is nice, but I don't know anyone adopting it because of "security".

OTOH: there are folks waving the security banner and getting
a positive response from it from their clients and prospects, I believe
monetary. They come in a couple of flavors:

1. Touting Security whilst doing something about it:

- http://www.discoveryproductions.com/

(apology to all the folks I know I'm leaving out, not sure who all
I am allowed re: NDAs to mention)

2. Touting security, making completely false claims, without actually
implementing or measuring it (there is no price to pay for doing this today,
I mean, hey: what is "software security" anyway?):

[url removed]
(gives you a nice "uber-secure" message when you log in,
unfortunately thanks to their litigious nature vulns are neither
disclosed nor fixed)

[url removed]
(similar story, website used to have a picture of a "safe" on product
page, at least they took that down, but left all the client-side config
parameters in the app)

I chickened out and removed both URLs before sending. Nobody probably
cares about the specific companies, except those companies, who
have gotten testy with me before.

3. People using security verification as a weapon; this is at least
the fifth time I have seen this in my career (direct observation, not
all the implied vuln research battles):

http://forums.aspdotnetstorefront.com/showthread.php?t=6257

I'm going to fire up a blog on all the fun stuff, forensic and like I saw
at FishNet, and now that I have visibility into 500+ web-sites, should
be some useful measurement stats to provide for folks. I don't think
anyone else out there has as many production sites to evaluate at
one time, so ideas on what to mine for data welcome.

If someone wants a measurement bar (e.g.-we are X,Y compared
to like software in our industry for security) this is probably something
to discuss how to provide too. At least, I see some *hows* that are
all crippled by the sensitivity of the information (at least, the perceived
ability to correlate to clients). But worth exploring I think for you
ISVs...

Thanks, cheers,


--
Arian Evans
solipsistic software security sophist

"I spend most of my money on motorcycles, martinis, and mi

Re: [SC-L] MetriCon 2.0 CFP

2007-04-25 Thread Gary McGraw
Plus, check out Andrew Jaquith's excellent book:

 -Original Message-
From: Gunnar Peterson [mailto:[EMAIL PROTECTED]
Sent: Tue Apr 24 20:14:53 2007
To: Secure Mailing List
Subject: [SC-L] MetriCon 2.0 CFP

Last year's conference, MetriCon 1.0 featured a software security metrics
track ( http://securitymetrics.org/content/Wiki.jsp?page=Metricon1.0),
including:

* A Metric for Evaluating Static Analysis Tools - Chess & Tsipenyuk, Fortify
* An Attack Surface Metric - Manadhata & Wing, Carnegie-Mellon
* "Good enough" Metrics - Epstein, WebMethods
* Software Security Patterns and Risk - Heyman & Huygens, U of Leuven
* Code Metrics - Chandra, Secure Software

-gp

Second Workshop on Security Metrics (MetriCon 2.0) - Call for Papers
MetriCon 2.0 CFP

August 7, 2007 Boston, MA

Overview

Do you cringe at the subjectivity applied to security in every manner? If
so, MetriCon 2.0 may be your antidote to change security from an artistic
"matter of opinion" into an objective, quantifiable science. The time for
adjectives and adverbs has gone; the time for hard facts and data has come.

MetriCon 2.0 is intended as a forum for lively, practical discussion in the
area of security metrics. It is a forum for quantifiable approaches and
results to problems afflicting information security today, with a bias
towards practical, specific implementations. Topics and presentations will
be selected for their potential to stimulate discussion in the Workshop.

MetriCon 2.0 will be a one-day event, Tuesday, August 7, 2007, co-located
with the 16th USENIX Security Symposium in Boston, MA, USA
(http://www.usenix.org/events/sec07/). Beginning first thing in the morning,
with meals taken in the meeting room, and extending into the evening.
Attendance will be by invitation and limited to 60 participants. All
participants will be expected to "come with findings" and be willing to
address the group in some fashion, formally or not. Preference given to the
authors of position papers/presentations who have actual work in progress.

Each presenter will have 10-15 minutes to present his or her idea, followed
by 15-20 minutes of discussion with the workshop participants. Panels and
groups of related presentations may be proposed to present different
approaches to selected topics, and will be steered by what sorts of
proposals come in response to this Call.


Goals and Topics

The goal of the workshop is to stimulate discussion of and thinking about
security metrics and to do so in ways that lead to realistic, early results
of lasting value. Potential attendees are invited to submit position papers
to be shared with all. Such position papers are expected to address security
metrics in one of the following categories:

Benchmarking
Empirical Studies
Metrics Definitions
Financial Planning
Security/Risk Modeling
Tools, Technologies, Tips, and Tricks
Visualization
Practical implementations, real world case studies, and detailed models will
be preferred over broader models or general ideas.

How to Participate

Submit a short position paper or description of work done/ongoing. Your
submission must be no longer than five (5) paragraphs or presentation slides.
Author names and affiliations should appear first in/on the submission.
Submissions may be in PDF, PowerPoint, HTML, or plaintext email and must be
submitted to MetriCon AT securitymetrics.org.

Presenters will be notified of acceptance by June 22, 2007 and expected to
provide materials for distribution by July 22, 2007. All slides and position
papers will be made available to participants at the workshop. No formal
proceedings are intended. Plagiarism constitutes dishonesty. The organizers
of this Workshop as well as USENIX prohibit these practices and will take
appropriate action if dishonesty of this sort is found. Submission of
recent, previously published work as well as simultaneous submissions to
multiple venues is acceptable but please so indicate in your proposal.

Location

MetriCon 2.0 will be co-located with the 16th USENIX Security Symposium
(Security '07). (http://www.usenix.org/events/sec07/)

Cost

$200 all-inclusive of meeting space, materials preparation, and meals for
the day.

Important Dates

Requests to participate: by May 11, 2007
Notification of acceptance: by June 22, 2007
Materials for distribution: by July 22, 2007

Workshop Organizers

Fred Cohen, Fred Cohen & Associates
Jeremy Epstein, webMethods
Dan Geer, Geer Risk Services
Andrew Jaquith, Yankee Group
Elizabeth Nichols, ClearPoint Metrics, Co-Chair
Gunnar Peterson, Arctec Group, Co-Chair
Russell Cameron Thomas, Meritology




Re: [SC-L] MetriCon 2.0 CFP

2007-04-25 Thread Gunnar Peterson
Book is here

"Security Metrics: Replacing Fear, Uncertainty, and Doubt" by Andrew Jaquith

http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989

I am halfway through and it is excellent so far, will post a review soon.
Not sure how the security industry as we know it will get by without fud.

-gp

On 4/24/07 7:32 PM, "Gary McGraw" <[EMAIL PROTECTED]> wrote:

> Plus, check out Andrew Jaquith's excellent book: