[SC-L] Call for papers: Programming Languages and Analysis for Security (PLAS)
ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security (PLAS 2009)
Dublin, Ireland, June 15, 2009
Sponsored by ACM SIGPLAN
Co-located with PLDI '09
Supported by IBM Research and Microsoft Research
http://www.cs.stevens.edu/~naumann/plas2009.html

Submission Deadline: April 3, 2009

Call for Papers

PLAS aims to provide a forum for exploring and evaluating ideas on the use of programming language and program analysis techniques to improve the security of software systems. Strongly encouraged are proposals of new, speculative ideas; evaluations of new or known techniques in practical settings; and discussions of emerging threats and important problems.

The scope of PLAS includes, but is not limited to:
* Language-based techniques for security
* Verification of security properties in software
* Automated introduction and/or verification of security enforcement mechanisms
* Program analysis techniques for discovering security vulnerabilities
* Compiler-based security mechanisms, such as host-based intrusion detection and in-line reference monitors
* Specifying and enforcing security policies for information flow and access control
* Model-driven approaches to security
* Applications, examples, and implementations of these security techniques in domains including web applications, embedded software, etc.

Important Dates and Submission Guidelines
* Submission due date: Friday, April 3, 2009
* Author notification: Friday, May 1, 2009
* Revised papers due: Monday, May 18, 2009
* Student travel grant applications due: Friday, May 29, 2009
* PLAS 2009 workshop: Monday, June 15, 2009

We invite papers of two kinds: (1) Technical papers about relatively mature work, for "long" presentations during the workshop, and (2) papers for "short" presentations about more preliminary work, position statements, or work that is more exploratory in nature. Short papers marked as "Informal Presentation" will have only their abstract published in the proceedings. All other papers will be included in the formal proceedings and must describe original work in compliance with the SIGPLAN republication policy. Page limits are 12 pages for long papers and 6 pages for short papers.

Student Travel Grants

Student attendees of PLAS can apply for a travel grant (in addition to any PLDI grants), thanks to the generous support of IBM Research and Microsoft Research. The application forms will be on the workshop web site.

Program Committee
* Aslan Askarov, Chalmers University of Technology, Sweden
* Brian Chess, Fortify Software, USA
* Stephen Chong, Harvard University, USA (co-chair)
* Úlfar Erlingsson, Reykjavík University, Iceland
* Kevin W. Hamlen, University of Texas at Dallas, USA
* Benjamin Livshits, Microsoft Research, USA
* Pasquale Malacaria, Queen Mary University of London, UK
* David Naumann, Stevens Institute of Technology, USA (co-chair)
* Marco Pistoia, IBM Research, USA
* François Pottier, INRIA Paris-Rocquencourt, France
* Tamara Rezk, INRIA Sophia Antipolis-Méditerranée, France
* Tachio Terauchi, Tohoku University, Japan
* David Wagner, University of California, Berkeley, USA

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
___
Re: [SC-L] Reality Check: EMC Eric Baize
The BSIMM data are coming soon to a website near you. Stay tuned to sc-l for an early look. In the meantime here are the three articles that set the stage, with another under way as you read this email:

A Software Security Framework: Working Towards a Realistic Maturity Model (October 15, 2008)
http://www.informit.com/articles/article.aspx?p=1271382

Software Security Top 10 Surprises (December 15, 2008)
http://www.informit.com/articles/article.aspx?p=1315431

Nine Things Everybody Does: Software Security Activities from the BSIMM (February 9, 2009)
http://www.informit.com/articles/article.aspx?p=1326511

gem
company www.cigital.com
podcast www.cigital.com/silverbullet
podcast www.cigital.com/realitycheck
blog www.cigital.com/justiceleague
book www.swsec.com

On 3/3/09 10:25 AM, "Kenneth van Wyk" wrote:

On Mar 3, 2009, at 10:11 AM, Gary McGraw wrote:
> Our fearless leader Ken gave a nice presentation on software
> security methodologies yesterday at secappdev. I wonder what he
> says about the Touchpoints when I'm not in the room?!

Thanks for the kind words. What I say about the Touchpoints, Microsoft's SDL, or OWASP's CLASP remains the same whether you're in the room or not. They all offer good points and bad points. I tend to favor a hybrid approach that works well for me, which is what I always recommend to my customers. More importantly, though, I am eager to update the message with what the companies who participated in the BSIMM are actually doing in practice.

Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] Reality Check: EMC Eric Baize
On Mar 3, 2009, at 10:11 AM, Gary McGraw wrote:
> Our fearless leader Ken gave a nice presentation on software security methodologies yesterday at secappdev. I wonder what he says about the Touchpoints when I'm not in the room?!

Thanks for the kind words. What I say about the Touchpoints, Microsoft's SDL, or OWASP's CLASP remains the same whether you're in the room or not. They all offer good points and bad points. I tend to favor a hybrid approach that works well for me, which is what I always recommend to my customers. More importantly, though, I am eager to update the message with what the companies who participated in the BSIMM are actually doing in practice.

Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Reality Check: EMC Eric Baize
Greetings from Leuven sc-l,

Our fearless leader Ken gave a nice presentation on software security methodologies yesterday at secappdev. I wonder what he says about the Touchpoints when I'm not in the room?!

The third episode of Reality Check went live this morning. The episode features a conversation with Eric Baize who runs EMC's very impressive software security initiative. EMC is an example of an initiative following their own methodology by borrowing good ideas from SDL and also the Touchpoints. Lots of good stuff about software security practicalities:
http://www.cigital.com/realitycheck/show-003/

Don't forget that Reality Check is syndicated by CSO Online (it's a good way to infect upper management with software security ideas).

gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com