[SC-L] Metricon 2.0

2007-07-07 Thread Gunnar Peterson
SC-Lers,

There are several presentations at Metricon by or of interest to SC-L
denizens.

-gp

The agenda for Metricon 2.0 in Boston August 7th has been set. Metricon is
co-located with Usenix security conference. The details, travel info,
registration, and agenda are here:

https://www.securitymetrics.org/content/Wiki.jsp?page=Metricon2.0

There are a limited number of openings so please REGISTER SOON if interested
in attending.
 
A summary of the presentations

Keynote Debate: "Do Metrics Matter?" Andrew Jaquith (Yankee Group) & Mike
Rothman (SecurityIncite)

"Security Meta Metrics--Measuring Agility, Learning, and Unintended
Consequence" Russell Cameron Thomas (Meritology)

"Security Metrics in Practice: Development of a Security Metric System to
Rate Enterprise Software" Fredrick DeQuan Lee and Brian Chess (Fortify)

"A Software Security Risk Classification System"  Eric Dalci and Robert
Hines (Cigital) 

"Web Application Security Metrics" Jeremiah Grossman (WhiteHat Security)

"Operational Security Risk Metrics: Definitions, Calculations, and
Visualizations", Brian Laing, Mike Lloyd, and Alain Mayer (Redseal Systems)

"Metrics for Network Security Using Attack Graphs: A Position Paper", Anoop
Singhal (NIST), Lingyu Wang and Sushil Jajodia (Center for Secure Information
Systems, George Mason University)

"Software Security Weakness Scoring" Chris Wysopal (Veracode)

"Developing secure applications with metrics in mind"
Thomas Heyman, Christophe Huygens, and Wouter Joosen (K.U.Leuven)

"Correlating Automated Static Analysis Alert Density to Reported
Vulnerabilities in Sendmail"
Michael Gegick and Laurie Williams (North Carolina State University)

Practitioner Panel moderated by Becky Bace: Three practitioners from thought
leading companies describe how they use metrics to make better decisions.

If you know others that would be interested in this collaborative workshop,
please forward them this email and let them know about this opportunity.

Please contact us with any questions.

Thanks,
Betsy Nichols and Gunnar Peterson
Metricon 2.0 Co-Chairs



___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] MetriCon 2.0 CFP

2007-04-25 Thread Gunnar Peterson
> I thought it was about ROSI all over again? Having been to and spoken at
> several CISO conferences, I stayed away from this book up to now.
> 

Actually, Andy hits that in the preface

"Mercifully, the ROI fad has gone the way of the Macarena"

Instead the book (and conference) are about - how to measure security, how
to analyze the data, and how to tell a story

-gp


>> http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989
>> 
>> I am halfway through and it is excellent so far, will post a review soon.
>> Not sure how the security industry as we know it will get by without fud.
> 
> Pretty good! Thank you very much. The problem of teaching security
> practitioners on how to "speak" without FUD, even if they don't see it as
> FUD, is just as great.
> 
> Gadi.
> 
>> 
>> -gp
>> 
>> On 4/24/07 7:32 PM, "Gary McGraw" <[EMAIL PROTECTED]> wrote:
>> 
>>> Plus, check out Andrew Jaquith's excellent book:
>>> 
>>>  -Original Message-
>>> From:  Gunnar Peterson [mailto:[EMAIL PROTECTED]
>>> Sent: Tue Apr 24 20:14:53 2007
>>> To: Secure Mailing List
>>> Subject: [SC-L] MetriCon 2.0 CFP
>>> 
>>> Last year's conference, MetriCon 1.0 featured a software security metrics
>>> track ( http://securitymetrics.org/content/Wiki.jsp?page=Metricon1.0),
>>> including:
>>> 
>>> * A Metric for Evaluating Static Analysis Tools - Chess & Tsipenyuk, Fortify
>>> * An Attack Surface Metric - Manadhata & Wing, Carnegie-Mellon
>>> * "Good enough" Metrics - Epstein, WebMethods
>>> * Software Security Patterns and Risk - Heyman & Huygens, U of Leuven
>>> * Code Metrics - Chandra, Secure Software
>>> 
>>> -gp
>>> 
>>> Second Workshop on Security Metrics (MetriCon 2.0) - Call for Papers
>>> MetriCon 2.0 CFP
>>> 
>>> August 7, 2007 Boston, MA
>>> 
>>> Overview
>>> 
>>> Do you cringe at the subjectivity applied to security in every manner? If
>>> so, MetriCon 2.0 may be your antidote to change security from an artistic
>>> "matter of opinion" into an objective, quantifiable science. The time for
>>> adjectives and adverbs has gone; the time for hard facts and data has come.
>>> 
>>> MetriCon 2.0 is intended as a forum for lively, practical discussion in the
>>> area of security metrics. It is a forum for quantifiable approaches and
>>> results to problems afflicting information security today, with a bias
>>> towards practical, specific implementations. Topics and presentations will
>>> be selected for their potential to stimulate discussion in the Workshop.
>>> 
>>> MetriCon 2.0 will be a one-day event, Tuesday, August 7, 2007, co-located
>>> with the 16th USENIX Security Symposium in Boston, MA, USA
>>> (http://www.usenix.org/events/sec07/). Beginning first thing in the morning,
>>> with meals taken in the meeting room, and extending into the evening.
>>> Attendance will be by invitation and limited to 60 participants. All
>>> participants will be expected to "come with findings" and be willing to
>>> address the group in some fashion, formally or not. Preference given to the
>>> authors of position papers/presentations who have actual work in progress.
>>> 
>>> Each presenter will have 10-15 minutes to present his or her idea, followed
>>> by 15-20 minutes of discussion with the workshop participants. Panels and
>>> groups of related presentations may be proposed to present different
>>> approaches to selected topics, and will be steered by what sorts of
>>> proposals come in response to this Call.
>>> 
>>> 
>>> Goals and Topics
>>> 
>>> The goal of the workshop is to stimulate discussion of and thinking about
>>> security metrics and to do so in ways that lead to realistic, early results
>>> of lasting value. Potential attendees are invited to submit position papers
>>> to be shared with all. Such position papers are expected to address security
>>> metrics in one of the following categories:
>>> 
>>> Benchmarking
>>> Empirical Studies
>>> Metrics Definitions
>>> Financial Planning
>>> Security/Risk Modeling
>>> Tools, Technologies, Tips, and Tricks
>>> Visualization
>>> 
>>> Practical implementations, real world case studies, and detailed models will
>>> be preferred over broader models or g

Re: [SC-L] MetriCon 2.0 CFP

2007-04-25 Thread Gadi Evron
On Tue, 24 Apr 2007, Gunnar Peterson wrote:
> Book is here
> 
> "Security Metrics: Replacing Fear, Uncertainty, and Doubt" by Andrew Jaquith

I thought it was about ROSI all over again? Having been to and spoken at
several CISO conferences, I stayed away from this book up to now.

> http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989
> 
> I am halfway through and it is excellent so far, will post a review soon.
> Not sure how the security industry as we know it will get by without fud.

Pretty good! Thank you very much. The problem of teaching security
practitioners on how to "speak" without FUD, even if they don't see it as
FUD, is just as great.

Gadi.

> 
> -gp
> 
> On 4/24/07 7:32 PM, "Gary McGraw" <[EMAIL PROTECTED]> wrote:
> 
> > Plus, check out Andrew Jaquith's excellent book:
> > 
> >  -Original Message-
> > From:  Gunnar Peterson [mailto:[EMAIL PROTECTED]
> > Sent: Tue Apr 24 20:14:53 2007
> > To: Secure Mailing List
> > Subject: [SC-L] MetriCon 2.0 CFP
> > 
> > Last year's conference, MetriCon 1.0 featured a software security metrics
> > track ( http://securitymetrics.org/content/Wiki.jsp?page=Metricon1.0),
> > including:
> > 
> > * A Metric for Evaluating Static Analysis Tools - Chess & Tsipenyuk, Fortify
> > * An Attack Surface Metric - Manadhata & Wing, Carnegie-Mellon
> > * "Good enough" Metrics - Epstein, WebMethods
> > * Software Security Patterns and Risk - Heyman & Huygens, U of Leuven
> > * Code Metrics - Chandra, Secure Software
> > 
> > -gp
> > 
> > Second Workshop on Security Metrics (MetriCon 2.0) - Call for Papers
> > MetriCon 2.0 CFP
> > 
> > August 7, 2007 Boston, MA
> > 
> > Overview
> > 
> > Do you cringe at the subjectivity applied to security in every manner? If
> > so, MetriCon 2.0 may be your antidote to change security from an artistic
> > "matter of opinion" into an objective, quantifiable science. The time for
> > adjectives and adverbs has gone; the time for hard facts and data has come.
> > 
> > MetriCon 2.0 is intended as a forum for lively, practical discussion in the
> > area of security metrics. It is a forum for quantifiable approaches and
> > results to problems afflicting information security today, with a bias
> > towards practical, specific implementations. Topics and presentations will
> > be selected for their potential to stimulate discussion in the Workshop.
> > 
> > MetriCon 2.0 will be a one-day event, Tuesday, August 7, 2007, co-located
> > with the 16th USENIX Security Symposium in Boston, MA, USA
> > (http://www.usenix.org/events/sec07/). Beginning first thing in the morning,
> > with meals taken in the meeting room, and extending into the evening.
> > Attendance will be by invitation and limited to 60 participants. All
> > participants will be expected to "come with findings" and be willing to
> > address the group in some fashion, formally or not. Preference given to the
> > authors of position papers/presentations who have actual work in progress.
> > 
> > Each presenter will have 10-15 minutes to present his or her idea, followed
> > by 15-20 minutes of discussion with the workshop participants. Panels and
> > groups of related presentations may be proposed to present different
> > approaches to selected topics, and will be steered by what sorts of
> > proposals come in response to this Call.
> > 
> > 
> > Goals and Topics
> > 
> > The goal of the workshop is to stimulate discussion of and thinking about
> > security metrics and to do so in ways that lead to realistic, early results
> > of lasting value. Potential attendees are invited to submit position papers
> > to be shared with all. Such position papers are expected to address security
> > metrics in one of the following categories:
> > 
> > Benchmarking
> > Empirical Studies
> > Metrics Definitions
> > Financial Planning
> > Security/Risk Modeling
> > Tools, Technologies, Tips, and Tricks
> > Visualization
> > 
> > Practical implementations, real world case studies, and detailed models will
> > be preferred over broader models or general ideas.
> > 
> > How to Participate
> > 
> > Submit a short position paper or description of work done/ongoing. Your
> > submission must be no longer than five(5) paragraphs or presentation slides.
> > Author names and affiliations should appear first in/on the submission.
> > Submissions may be in PDF, PowerPoint, HTML, 

Re: [SC-L] MetriCon 2.0 CFP

2007-04-25 Thread Bret Watson
You know it's a little off topic - but I'd kill for a set of metrics 
around the effectiveness/efficiency of a SOC :)

Anyone got any ideas? The usual "events per person" type metrics are 
backwards (good security means less events so lower "efficiency").

Thanks

Bret



Re: [SC-L] MetriCon 2.0 CFP

2007-04-25 Thread Gary McGraw
Plus, check out Andrew Jaquith's excellent book:

 -Original Message-
From:   Gunnar Peterson [mailto:[EMAIL PROTECTED]
Sent:   Tue Apr 24 20:14:53 2007
To: Secure Mailing List
Subject:    [SC-L] MetriCon 2.0 CFP

Last year's conference, MetriCon 1.0 featured a software security metrics
track ( http://securitymetrics.org/content/Wiki.jsp?page=Metricon1.0),
including:

* A Metric for Evaluating Static Analysis Tools - Chess & Tsipenyuk, Fortify
* An Attack Surface Metric - Manadhata & Wing, Carnegie-Mellon
* "Good enough" Metrics - Epstein, WebMethods
* Software Security Patterns and Risk - Heyman & Huygens, U of Leuven
* Code Metrics - Chandra, Secure Software

-gp

Second Workshop on Security Metrics (MetriCon 2.0) - Call for Papers
MetriCon 2.0 CFP

August 7, 2007 Boston, MA

Overview

Do you cringe at the subjectivity applied to security in every manner? If
so, MetriCon 2.0 may be your antidote to change security from an artistic
"matter of opinion" into an objective, quantifiable science. The time for
adjectives and adverbs has gone; the time for hard facts and data has come.

MetriCon 2.0 is intended as a forum for lively, practical discussion in the
area of security metrics. It is a forum for quantifiable approaches and
results to problems afflicting information security today, with a bias
towards practical, specific implementations. Topics and presentations will
be selected for their potential to stimulate discussion in the Workshop.

MetriCon 2.0 will be a one-day event, Tuesday, August 7, 2007, co-located
with the 16th USENIX Security Symposium in Boston, MA, USA
(http://www.usenix.org/events/sec07/). Beginning first thing in the morning,
with meals taken in the meeting room, and extending into the evening.
Attendance will be by invitation and limited to 60 participants. All
participants will be expected to "come with findings" and be willing to
address the group in some fashion, formally or not. Preference given to the
authors of position papers/presentations who have actual work in progress.

Each presenter will have 10-15 minutes to present his or her idea, followed
by 15-20 minutes of discussion with the workshop participants. Panels and
groups of related presentations may be proposed to present different
approaches to selected topics, and will be steered by what sorts of
proposals come in response to this Call.


Goals and Topics

The goal of the workshop is to stimulate discussion of and thinking about
security metrics and to do so in ways that lead to realistic, early results
of lasting value. Potential attendees are invited to submit position papers
to be shared with all. Such position papers are expected to address security
metrics in one of the following categories:

Benchmarking
Empirical Studies
Metrics Definitions
Financial Planning
Security/Risk Modeling
Tools, Technologies, Tips, and Tricks
Visualization

Practical implementations, real world case studies, and detailed models will
be preferred over broader models or general ideas.

How to Participate

Submit a short position paper or description of work done/ongoing. Your
submission must be no longer than five(5) paragraphs or presentation slides.
Author names and affiliations should appear first in/on the submission.
Submissions may be in PDF, PowerPoint, HTML, or plaintext email and must be
submitted to MetriCon AT securitymetrics.org.

Presenters will be notified of acceptance by June 22, 2007 and expected to
provide materials for distribution by July 22, 2007. All slides and position
papers will be made available to participants at the workshop. No formal
proceedings are intended. Plagiarism constitutes dishonesty. The organizers
of this Workshop as well as USENIX prohibit these practices and will take
appropriate action if dishonesty of this sort is found. Submission of
recent, previously published work as well as simultaneous submissions to
multiple venues is acceptable but please so indicate in your proposal.

Location

MetriCon 2.0 will be co-located with the 16th USENIX Security Symposium
(Security '07). (http://www.usenix.org/events/sec07/)

Cost

$200 all-inclusive of meeting space, materials preparation, and meals for
the day.

Important Dates

Requests to participate: by May 11, 2007
Notification of acceptance: by June 22, 2007
Materials for distribution: by July 22, 2007

Workshop Organizers

Fred Cohen, Fred Cohen & Associates
Jeremy Epstein, webMethods
Dan Geer, Geer Risk Services
Andrew Jaquith, Yankee Group
Elizabeth Nichols, ClearPoint Metrics, Co-Chair
Gunnar Peterson, Arctec Group, Co-Chair
Russell Cameron Thomas, Meritology




Re: [SC-L] MetriCon 2.0 CFP

2007-04-25 Thread Gunnar Peterson
Book is here

"Security Metrics: Replacing Fear, Uncertainty, and Doubt" by Andrew Jaquith

http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989

I am halfway through and it is excellent so far, will post a review soon.
Not sure how the security industry as we know it will get by without fud.

-gp

On 4/24/07 7:32 PM, "Gary McGraw" <[EMAIL PROTECTED]> wrote:

> Plus, check out Andrew Jaquith's excellent book:
> 
>  -Original Message-
> From:  Gunnar Peterson [mailto:[EMAIL PROTECTED]
> Sent: Tue Apr 24 20:14:53 2007
> To: Secure Mailing List
> Subject: [SC-L] MetriCon 2.0 CFP
> 
> Last year's conference, MetriCon 1.0 featured a software security metrics
> track ( http://securitymetrics.org/content/Wiki.jsp?page=Metricon1.0),
> including:
> 
> * A Metric for Evaluating Static Analysis Tools - Chess & Tsipenyuk, Fortify
> * An Attack Surface Metric - Manadhata & Wing, Carnegie-Mellon
> * "Good enough" Metrics - Epstein, WebMethods
> * Software Security Patterns and Risk - Heyman & Huygens, U of Leuven
> * Code Metrics - Chandra, Secure Software
> 
> -gp
> 
> Second Workshop on Security Metrics (MetriCon 2.0) - Call for Papers
> MetriCon 2.0 CFP
> 
> August 7, 2007 Boston, MA
> 
> Overview
> 
> Do you cringe at the subjectivity applied to security in every manner? If
> so, MetriCon 2.0 may be your antidote to change security from an artistic
> "matter of opinion" into an objective, quantifiable science. The time for
> adjectives and adverbs has gone; the time for hard facts and data has come.
> 
> MetriCon 2.0 is intended as a forum for lively, practical discussion in the
> area of security metrics. It is a forum for quantifiable approaches and
> results to problems afflicting information security today, with a bias
> towards practical, specific implementations. Topics and presentations will
> be selected for their potential to stimulate discussion in the Workshop.
> 
> MetriCon 2.0 will be a one-day event, Tuesday, August 7, 2007, co-located
> with the 16th USENIX Security Symposium in Boston, MA, USA
> (http://www.usenix.org/events/sec07/). Beginning first thing in the morning,
> with meals taken in the meeting room, and extending into the evening.
> Attendance will be by invitation and limited to 60 participants. All
> participants will be expected to "come with findings" and be willing to
> address the group in some fashion, formally or not. Preference given to the
> authors of position papers/presentations who have actual work in progress.
> 
> Each presenter will have 10-15 minutes to present his or her idea, followed
> by 15-20 minutes of discussion with the workshop participants. Panels and
> groups of related presentations may be proposed to present different
> approaches to selected topics, and will be steered by what sorts of
> proposals come in response to this Call.
> 
> 
> Goals and Topics
> 
> The goal of the workshop is to stimulate discussion of and thinking about
> security metrics and to do so in ways that lead to realistic, early results
> of lasting value. Potential attendees are invited to submit position papers
> to be shared with all. Such position papers are expected to address security
> metrics in one of the following categories:
> 
> Benchmarking
> Empirical Studies
> Metrics Definitions
> Financial Planning
> Security/Risk Modeling
> Tools, Technologies, Tips, and Tricks
> Visualization
> 
> Practical implementations, real world case studies, and detailed models will
> be preferred over broader models or general ideas.
> 
> How to Participate
> 
> Submit a short position paper or description of work done/ongoing. Your
> submission must be no longer than five(5) paragraphs or presentation slides.
> Author names and affiliations should appear first in/on the submission.
> Submissions may be in PDF, PowerPoint, HTML, or plaintext email and must be
> submitted to MetriCon AT securitymetrics.org.
> 
> Presenters will be notified of acceptance by June 22, 2007 and expected to
> provide materials for distribution by July 22, 2007. All slides and position
> papers will be made available to participants at the workshop. No formal
> proceedings are intended. Plagiarism constitutes dishonesty. The organizers
> of this Workshop as well as USENIX prohibit these practices and will take
> appropriate action if dishonesty of this sort is found. Submission of
> recent, previously published work as well as simultaneous submissions to
> multiple venues is acceptable but please so indicate in your proposal.
> 
> Location
> 
> MetriCon 2.0 will be co-located with the 16th USENIX Security Symposium
> (Security '

[SC-L] MetriCon 2.0 CFP

2007-04-24 Thread Gunnar Peterson
Last year's conference, MetriCon 1.0 featured a software security metrics
track ( http://securitymetrics.org/content/Wiki.jsp?page=Metricon1.0),
including:

* A Metric for Evaluating Static Analysis Tools - Chess & Tsipenyuk, Fortify
* An Attack Surface Metric - Manadhata & Wing, Carnegie-Mellon
* "Good enough" Metrics - Epstein, WebMethods
* Software Security Patterns and Risk - Heyman & Huygens, U of Leuven
* Code Metrics - Chandra, Secure Software

-gp

Second Workshop on Security Metrics (MetriCon 2.0) - Call for Papers
MetriCon 2.0 CFP

August 7, 2007 Boston, MA

Overview

Do you cringe at the subjectivity applied to security in every manner? If
so, MetriCon 2.0 may be your antidote to change security from an artistic
"matter of opinion" into an objective, quantifiable science. The time for
adjectives and adverbs has gone; the time for hard facts and data has come.

MetriCon 2.0 is intended as a forum for lively, practical discussion in the
area of security metrics. It is a forum for quantifiable approaches and
results to problems afflicting information security today, with a bias
towards practical, specific implementations. Topics and presentations will
be selected for their potential to stimulate discussion in the Workshop.

MetriCon 2.0 will be a one-day event, Tuesday, August 7, 2007, co-located
with the 16th USENIX Security Symposium in Boston, MA, USA
(http://www.usenix.org/events/sec07/). Beginning first thing in the morning,
with meals taken in the meeting room, and extending into the evening.
Attendance will be by invitation and limited to 60 participants. All
participants will be expected to "come with findings" and be willing to
address the group in some fashion, formally or not. Preference given to the
authors of position papers/presentations who have actual work in progress.

Each presenter will have 10-15 minutes to present his or her idea, followed
by 15-20 minutes of discussion with the workshop participants. Panels and
groups of related presentations may be proposed to present different
approaches to selected topics, and will be steered by what sorts of
proposals come in response to this Call.


Goals and Topics

The goal of the workshop is to stimulate discussion of and thinking about
security metrics and to do so in ways that lead to realistic, early results
of lasting value. Potential attendees are invited to submit position papers
to be shared with all. Such position papers are expected to address security
metrics in one of the following categories:

Benchmarking
Empirical Studies
Metrics Definitions
Financial Planning
Security/Risk Modeling
Tools, Technologies, Tips, and Tricks
Visualization

Practical implementations, real world case studies, and detailed models will
be preferred over broader models or general ideas.

How to Participate

Submit a short position paper or description of work done/ongoing. Your
submission must be no longer than five(5) paragraphs or presentation slides.
Author names and affiliations should appear first in/on the submission.
Submissions may be in PDF, PowerPoint, HTML, or plaintext email and must be
submitted to MetriCon AT securitymetrics.org.

Presenters will be notified of acceptance by June 22, 2007 and expected to
provide materials for distribution by July 22, 2007. All slides and position
papers will be made available to participants at the workshop. No formal
proceedings are intended. Plagiarism constitutes dishonesty. The organizers
of this Workshop as well as USENIX prohibit these practices and will take
appropriate action if dishonesty of this sort is found. Submission of
recent, previously published work as well as simultaneous submissions to
multiple venues is acceptable but please so indicate in your proposal.

Location

MetriCon 2.0 will be co-located with the 16th USENIX Security Symposium
(Security '07). (http://www.usenix.org/events/sec07/)

Cost

$200 all-inclusive of meeting space, materials preparation, and meals for
the day.

Important Dates

Requests to participate: by May 11, 2007
Notification of acceptance: by June 22, 2007
Materials for distribution: by July 22, 2007

Workshop Organizers

Fred Cohen, Fred Cohen & Associates
Jeremy Epstein, webMethods
Dan Geer, Geer Risk Services
Andrew Jaquith, Yankee Group
Elizabeth Nichols, ClearPoint Metrics, Co-Chair
Gunnar Peterson, Arctec Group, Co-Chair
Russell Cameron Thomas, Meritology


