Let me add this: static analysis for both security and reliability is in the 
midst of a golden age.  There's significant interest from academia, vendors big 
and small, and for the first time ever, thousands of programmers and security 
professionals.  S&P is an excellent forum for talking about what's going on 
from any and all of those perspectives.  It doesn't move at the speed of 
Twitter, so you can actually present a complete and coherent thought, but it's 
not nearly as stuffy as the IEEE Proceedings on Things That Happened a Decade 
Ago.

If you have an idea for a submission that you'd like to discuss, please feel 
free to get in touch with Chris or with me.  No need to wait for the August 15 
deadline for abstracts.

Brian

From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On 
Behalf Of Chris Wysopal
Sent: Wednesday, July 06, 2011 2:03 PM
To: Secure Code Mailing List (SC-L@securecoding.org)
Subject: [SC-L] CFP: IEEE Security & Privacy issue on Software Static Analysis

Call for Papers
IEEE Security & Privacy
Software Static Analysis
Abstract submissions due: 15 Aug. 2011
Final submissions due: 15 Sept. 2011
Publication date: May/June 2012

Secure and reliable software is hard to build, but the costs of failure are 
steep. Data breaches caused by attackers exploiting vulnerabilities in software 
made many headlines in 2011 and show no sign of abating. Sony, RSA Security, 
and PBS were compromised, their intellectual property stolen, and the privacy 
of their customers impacted; all due to vulnerabilities in software. Software 
reliability problems have led to bungled lotteries, medical device failures, 
the early release of convicted felons, and innumerable other problems.

The precise details of software failures are often scarce, but it's clear that 
the defects underlying many software problems could have been identified 
earlier using static analysis. As software platforms proliferate, from mobile 
devices to the cloud to embedded devices such as the smart grid, it will be 
even more difficult to get software right. Will static analysis be up for the 
challenge?

This special issue of IEEE Security & Privacy will address both static analysis 
technology and the challenges of using it during software development and 
acquisition. Is it possible to apply static analysis to the wide range of 
software assurance challenges that exist today? We solicit articles from:

 *   individuals building static analysis technology
 *   individuals integrating static analysis into software development 
methodologies and processes
 *   organizations implementing software security programs that used static 
analysis to manage software risk organization-wide
 *   government agencies and industry regulators who use static analysis to 
manage software risk

Potential submission topics include (but are not limited to):

 *   How can we build more useful static analysis technology: reducing analysis 
errors, improving scalability, or making static analysis easier to use?
 *   What are the benefits of integrating static analysis with other software 
development technologies or processes such as dynamic testing or threat 
modeling?
 *   Can static analysis results be integrated with other information sources 
such as network analysis, firewall logs, or intrusion detection?
 *   How can an organization scale static analysis across hundreds of software 
teams and projects?
 *   Using static analysis to understand the risk in software you didn't build.
 *   Using static analysis to find privacy problems.
 *   Can static analysis be used to help educate software developers?
 *   How do modern programming languages, frameworks, and trends impact the 
effectiveness of static analysis?
 *   Can static analysis be the basis for automatically repairing some kinds of 
vulnerabilities?

Submission Guidelines
Submissions will be subject to the IEEE Computer Society's peer-review process. 
Articles should be at most 6,000 words, with a maximum of 15 references, and 
should be understandable to a broad audience of people interested in security 
and privacy. The writing style should be down to earth, practical, and 
original. Authors should not assume that the audience will have specialized 
experience in a particular subfield. All accepted articles will be edited 
according to the IEEE Computer Society style guide. Submit your papers to 
ScholarOne at https://mc.manuscriptcentral.com/cs-ieee.

Questions?
Contact the Guest Editors: Brian Chess (ch...@hp.com) and Chris Wysopal 
(cwyso...@veracode.com)


Chris Wysopal
CTO & Co-founder
Office: 781-418-3823/Cell: 617-501-3277/Fax: 781-425-6039
www.veracode.com<http://www.veracode.com>




_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
