The Metricon 2.0 agenda is now online for the day before Usenix Security in Boston in August. We will work on moving infosec towards a more scientific approach rather than an accumulating set of axioms. The format is a collaborative workshop with shorter presentations and more open discussion. Read the summary from the Metricon 1.0 event here.
The day starts with a debate, "Do Metrics Matter?", between Pro: Andrew Jaquith (Yankee Group) and Con: Mike Rothman (SecurityIncite).
The talks that are currently set are:
"Security Meta Metrics--Measuring Agility, Learning, and Unintended Consequence"
Russell Cameron Thomas (Meritology)
"Security Metrics in Practice: Development of a Security Metric System to Rate Enterprise Software"
Frederick Lee and Brian Chess (Fortify)
"A Software Security Risk Classification System"
Eric Dalci and Robert Hines (Cigital)
"Web Application Security Metrics"
Jeremiah Grossman (WhiteHat Security)
"Operational Security Risk Metrics: Definitions, Calculations, and Visualizations"
Brian Laing, Mike Lloyd, and Alain Mayer (RedSeal Systems)
"Metrics for Network Security Using Attack Graphs: A Position Paper"
Anoop Singhal (NIST), Lingyu Wang and Sushil Jajodia (Center for Secure Information Systems, George Mason University)
"Software Security Weakness Scoring"
Chris Wysopal (Veracode)
"Developing secure applications with metrics in mind"
Thomas Heyman, Christophe Huygens, and Wouter Joosen (K.U.Leuven)
"Correlating Automated Static Analysis Alert Density to Reported Vulnerabilities in Sendmail"
Michael Gegick and Laurie Williams (North Carolina State University)
There is also a practitioner panel moderated by Becky Bace.
And finally at the end of the day we have planned a "Stump the Chumps" session where security metricians spin the hamster wheel of pain.