[SC-L] CfP for 2nd Int. Workshop on Secure Software Engineering

2007-10-09 Thread Holger.Peine
Dear all,

I think the following call for papers is highly relevant for readers
of this list, so please pardon me for promoting an event for the first time:





   Second International Workshop on Secure Software Engineering (SecSE 2008)
  In conjunction with ARES 2008
  Barcelona, Catalonia, March 4th-7th 2008 
 http://www.ares-conference.eu/conf/


   Call for Papers


Introduction 

In our modern society, software is an integral part of everyday life,
and we expect and depend upon software systems to perform
correctly. Software security is about ensuring that systems continue
to function correctly also under malicious attack. As most systems now
are web-enabled, the number of attackers with access to the system
increases dramatically and thus the threat scenario changes. The
traditional approach to secure a system includes putting up defence
mechanisms like IDS and firewalls, but such measures are no longer
sufficient by themselves. We need to be able to build better, more
robust and more secure systems. Even more importantly, however, we
should strive to achieve these qualities in all software systems, not
just the ones that need special protection.

This workshop will focus on techniques, experiences and lessons
learned for engineering secure and dependable software.

Topics
======
Suggested topics include, but are not limited to:
- Secure architecture and design
- Security in agile software development
- Aspect-oriented software development for secure software
- Security requirements
- Risk management in software projects
- Secure implementation
- Secure deployment
- Testing for security
- Quantitative measurement of security properties
- Static and dynamic analysis for security
- Verification and assurance techniques for security properties
- Lessons learned
- Security and usability
- Teaching secure software development
- Experience reports on successfully attuning developers to secure software 
  engineering 

Important dates:
================
- Submission Deadline:  October 25th 2007 (NOTE: Extended from 10th) 
- Author Notification:  November 30th 2007
- Author Registration:  December 15th 2007
- Proceedings Version:  January 15th 2008
- Conference/workshop:  March 4th - March 7th 2008



Submission Guidelines
=====================
Authors are invited to submit research and application papers in IEEE
Computer Society Proceedings Manuscripts style (two columns,
single-spaced, including figures and references, using 10 fonts, and
number each page). Please consult the IEEE CS Author Guidelines at the
following web page:

http://preview.tinyurl.com/psg2o 

We solicit the submission of full papers (8 pages) representing
original, previously unpublished work. Submitted papers will be
carefully evaluated based on originality, significance, technical
soundness, and clarity of exposition.

Duplicate submissions are not allowed. A submission is considered to
be a duplicate submission if it is submitted to other
conferences/workshops/journals or if it has been already accepted to
be published in other conferences/workshops/journals. Duplicate
submissions thus will be automatically rejected without reviews.

Contact author must provide the following information: paper title,
authors' names, affiliations, postal address, phone, fax, and e-mail
address of the author(s), about 200-250 word abstract, and about five
keywords and register at our ARES website:

http://www.ares-conference.eu/conf/ 

Submission of a paper implies that should the paper be accepted, at
least one of the authors will register for the ARES conference and
present the paper in the workshop. Accepted papers will be given
guidelines in preparing and submitting the final manuscript(s)
together with the notification of acceptance. Note that SecSE 2008
does not require anonymized submissions.

Publication
===========
All accepted papers will be published as ISBN proceedings published by
the IEEE Computer Society.
 
Organizing committee:
=====================
Torbjørn Skramstad, Norwegian University of Science and Technology (NTNU)
Lillian Røstad, Norwegian University of Science and Technology (NTNU)
Martin Gilje Jaatun, SINTEF ICT, Norway

Enquiries to the organizing committee may be sent to: 
SecSE08 "replace with at-character" gmail.com

Program committee
=================
Rubén Alonso, ESI, Spain 
Ana Cavalli, GET/INT, France
Ivan Flechais, University of Oxford, UK 
Per Håkon Meland, SINTEF ICT, Norway
Leon Moonen, Delft University of Technology, Netherlands  
Khalid Mughal, University of Bergen, Norway
Holger Peine, Fraunhofer IESE, Germany
Samuel Redwine, James Madison University, USA
Chunming Rong, University of Stavanger, Norway
Lillian Røstad, NTNU, Norway
Christoph Schuba, Sun Microsystems Inc., USA
Nahid Shahmehri, Linköping University, Sweden
Torbjørn Skramstad, NTNU, Norway
Bart De Win, KU Leuven, Belgium
Stephen Wolthusen, Royal Hol

[SC-L] University lecture on Sec Sw Eng online

2007-08-01 Thread Holger.Peine
I recently completed a lecture on secure software engineering,
and I guess there are quite a few people on this list who could
make use of some of the material, whether for their own presentations
or simply for teaching themselves.

The lecture was given at Kaiserslautern University of Technology as 
12 lessons of 90 minutes (each comprising about 35 slides) in English; 
note that the accompanying student exercise problems are in German,
however. 
The chapters (of varying length, as indicated by their mapping to lessons)
are as follows:

01  IT Security and Software Security
02  Fundamental Notions and Definitions
03a Vulnerabilities and Attacks (Part 1)
03b Vulnerabilities and Attacks (Part 2) 
04  Security in the Software Development Process
05  Security Requirements Elicitation 
06  Threat Analysis
07a Security in Architecture and Design (Part 1)
07b Security in Architecture and Design (Part 2)
08a Secure Coding (Part 1) 
08b Secure Coding (Part 2)
09  Quality Assurance
10, 11, 12 Process Models, Usability, and Conclusions 

You can find all the material at
http://www.iese.fraunhofer.de/lectures/peine/materialcourse/

This was the first iteration of my first self-designed lecture; it is 
certainly not perfect yet (in fact I already have some improvements
sketched for the next iteration, such as reorganizing the process
material), so criticism is welcome. 

I know of few comparable lectures world-wide, i.e. university lectures
covering security specifically from a software engineering viewpoint; so
far, I'm aware of the lectures by Pascal Meunier at Purdue and by Dieter
Gollmann at Hamburg-Harburg; if you know of any others, I'd be glad to
hear about those, too.

Kind regards from Germany,
Holger Peine

-- 
Dr. Holger Peine, Project Manager Security
Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany
Phone +49-631-6800-2134, Fax -1899 (shared)
http://www.iese.fraunhofer.de
PGP key via http://pgp.mit.edu ; fingerprint is 1BFA 30CB E3ED BA99 E7AE
2BBB C126 A592 48EA F9F8

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Need a few slides/data on surging importance of security and source code security

2006-10-17 Thread Holger.Peine
I am sure that quite a few of you already have done or know
who has done this non-technical, "mundane" job: I need a few
slides with data (e.g. numbers, or maybe historic examples) to 
convince a management-level audience of a manufacturer of networked 
appliances who has only a dim view of security of two things:

- security is a problem for anybody developing software running 
  on networked hardware, and it is a rapidly growing problem with
  a clear economic impact

- a large part of vulnerabilities stems from bad coding practices,
  and there are companies that actively and successfully combat this

Pointers to relevant web pages would be nearly as nice as finished
Powerpoint slides.

(Aside: You shouldn't view my request like that of a student asking for
someone to steal his homework from: Everyone in our community needs
such data in some form or other at some time, and we should all
contribute to making everyone in the community look as good as possible
in this respect, to advance our common cause of more secure software. I
have contributed to the community, too.)

Thanks for your input,
Holger Peine

-- 
Dr. Holger Peine, Security and Safety
Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany
Phone +49-631-6800-2134, Fax -1899 (shared)
PGP key via http://pgp.mit.edu ; fingerprint is 1BFA 30CB E3ED BA99 E7AE
2BBB C126 A592 48EA F9F8



Re: [SC-L] Web Services vs. Minimizing Attack Surface

2006-08-15 Thread Holger.Peine
> [mailto:[EMAIL PROTECTED] On Behalf Of John Wilander
> Sent: Dienstag, 15. August 2006 10:03
> Subject: [SC-L] Web Services vs. Minimizing Attack Surface
> 
> Hi!
> 
> The security principle of minimizing your attack surface 
> (Writing Secure 
> Code, 2nd Ed.) is all about minimizing open sockets, rpc endpoints, 
> named pipes etc. that facilitate network communication between 
> applications. Web services and Service Oriented Architecture on the 
> other hand are all about exposing functionality to offer 
> interoperability.

I don't see a conflict here: A web service (just as any network-accessible
service, no matter whether programmed using sockets, Java RMI, SOAP or
whatever) is _intended_ to provide some function to the outside world,
so you have to open _some_ door into your system. The advice about
minimizing the attack surface is about not opening any doors you don't
really need (or worse, didn't even intend to open).

Another matter is the question of whether it might be easier to
produce a vulnerability when providing some function in the form of a
web service as opposed to another technique. One could argue in this
direction, e.g. because of creating new attack vectors such as XML
injection, or helping the attacker by providing the WSDL. But again,
this does not make web services incompatible with the principle of
minimal attack surface per se.

Kind regards,
Holger Peine

-- 
Dr. Holger Peine, Security and Safety
Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany
Phone +49-631-6800-2134, Fax -1899 (shared)
PGP key via http://pgp.mit.edu ; fingerprint is 1BFA 30CB E3ED BA99 E7AE
2BBB C126 A592 48EA F9F8



Re: [SC-L] "Bumper sticker" definition of secure software

2006-07-17 Thread Holger.Peine
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Dave Aronson
> If you really want to compress that to bumper-sticker size, how about
> 
>   "Secure Software:  Does what it's meant to.  Period."
> 
> This encompasses both "can't be forced NOT to do what it's 
> meant to do", 
> and "can't be forced to do what it's NOT meant to do".

While I think this is the most concise formulation so far of what 
most readers on this list would mean and would understand, I think
the non-security public does not think of security breaches in
terms of software doing more than it was supposed to. My suggestion
for a bumper sticker is therefore less conceptually crisp, but perhaps 
more accessible:

"Secure Software: Works even if you try to dupe it"

Nice question, though -
Holger Peine

-- 
Dr. Holger Peine, Security and Safety
Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany
Phone +49-631-6800-2134, Fax -1299 (shared)
PGP key via http://pgp.mit.edu ; fingerprint is 1BFA 30CB E3ED BA99 E7AE
2BBB C126 A592 48EA F9F8
