9:00-10:00 Keynote Talk
10:30-12:00 Paper Session
Session Chair: Stephan Neuhaus, ETH, Zurich
- Riccardo Scandariato and James Walden. Predicting vulnerable classes in an Android application.
- Satoshi Kai, Tomohiro Shigemoto, Tetsuro Kito, Satoshi Takemoto, and Tadashi Kaji. Development of Qualification of Security Status Suitable for Cloud Computing System.
- Jeffrey Stuckman and James Purtilo. Comparing and applying attack surface metrics.
- Aram Hovsepyan, Riccardo Scandariato, Wouter Joosen, and James Walden. Software Vulnerability Prediction using Text Analysis Techniques.
13:30-15:00 Panel: Data Sources and How Much to Trust Them
Moderator: Stephan Neuhaus, ETH, Zurich
Panelists: Peter Gutmann, Fabio Massacci, Laurie Williams
One of the biggest problems in empirical studies about computer security is the data. Usually you can't control the data acquisition process yourself; instead, you need to take other people's work and use that. For example, you could be using Mozilla Foundation Security Advisories, or the National Vulnerability Database. Then the question is, to what extent can you trust this information to be complete and unbiased? The answer is that you cannot, at least not without knowing the process by which these databases are created. For example, many researchers have for years believed that the NVD constitutes some kind of ground truth. If that were true, then one would expect that entries that have been in the NVD for some time will in general not change. Work currently being done here at ETH indicates, however, that the amount of change, or churn, in the NVD is quite high, and that even very old entries get changed!
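The churn question raised for the panel can be put to a concrete test if you keep two snapshots of a vulnerability feed and compare them. The script below is an added illustration for this page, not code from the panelists or from the ETH study mentioned above: it diffs two constructed NVD-style snapshots (placeholder identifiers, invented field values) and reports, per age bucket of the entry, how many entries that already existed in the older snapshot were modified by the time of the newer one. The field names, the age buckets and the snapshot dates are assumptions chosen for the example.

```python
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample data: two snapshots of an NVD-like feed, roughly a
# year apart. Identifiers are placeholders, not real CVE numbers, and
# the field values are invented for the example.
SNAPSHOT_OLD: Dict[str, dict] = {
    "CVE-0000-0001": {"published": date(2003, 6, 1), "cvss": 5.0, "cpe": ["v:p:1.0"], "cwe": None},
    "CVE-0000-0002": {"published": date(2004, 2, 15), "cvss": 7.5, "cpe": ["v:p:2.0"], "cwe": "CWE-79"},
    "CVE-0000-0003": {"published": date(2008, 9, 10), "cvss": 4.3, "cpe": ["v:p:3.0"], "cwe": "CWE-20"},
    "CVE-0000-0004": {"published": date(2009, 11, 20), "cvss": 9.3, "cpe": ["v:p:4.0"], "cwe": "CWE-119"},
    "CVE-0000-0005": {"published": date(2011, 5, 5), "cvss": 6.8, "cpe": ["v:p:5.0"], "cwe": "CWE-89"},
    "CVE-0000-0006": {"published": date(2011, 10, 1), "cvss": 5.0, "cpe": ["v:p:6.0"], "cwe": None},
}

SNAPSHOT_NEW: Dict[str, dict] = {
    # old entry, CWE classification filled in years after publication
    "CVE-0000-0001": {"published": date(2003, 6, 1), "cvss": 5.0, "cpe": ["v:p:1.0"], "cwe": "CWE-119"},
    "CVE-0000-0002": {"published": date(2004, 2, 15), "cvss": 7.5, "cpe": ["v:p:2.0"], "cwe": "CWE-79"},
    # affected-product list extended
    "CVE-0000-0003": {"published": date(2008, 9, 10), "cvss": 4.3, "cpe": ["v:p:3.0", "v:p:3.1"], "cwe": "CWE-20"},
    "CVE-0000-0004": {"published": date(2009, 11, 20), "cvss": 9.3, "cpe": ["v:p:4.0"], "cwe": "CWE-119"},
    # severity rescored
    "CVE-0000-0005": {"published": date(2011, 5, 5), "cvss": 7.5, "cpe": ["v:p:5.0"], "cwe": "CWE-89"},
    # CWE added shortly after publication
    "CVE-0000-0006": {"published": date(2011, 10, 1), "cvss": 5.0, "cpe": ["v:p:6.0"], "cwe": "CWE-200"},
    # entry that did not exist in the old snapshot; not counted as churn
    "CVE-0000-0007": {"published": date(2011, 12, 15), "cvss": 4.0, "cpe": ["v:p:7.0"], "cwe": None},
}

AS_OF = date(2012, 1, 1)  # assumed date of the newer snapshot


def age_bucket(published: date, as_of: date) -> str:
    """Assign an entry to a coarse age bucket, measured at the newer snapshot."""
    years = (as_of - published).days / 365.25
    if years < 1:
        return "<1y"
    if years < 5:
        return "1-5y"
    return ">=5y"


def changed_fields(old: dict, new: dict) -> List[str]:
    """Names of fields whose values differ between the two versions of one entry."""
    keys = (set(old) | set(new)) - {"published"}
    return sorted(k for k in keys if old.get(k) != new.get(k))


def churn_by_age(old_snap: Dict[str, dict], new_snap: Dict[str, dict],
                 as_of: date) -> Dict[str, Tuple[int, int]]:
    """Per age bucket: (entries modified, entries present in both snapshots)."""
    counts: Dict[str, List[int]] = {}
    for entry_id, old in old_snap.items():
        new = new_snap.get(entry_id)
        if new is None:
            continue  # withdrawn entries are a separate question; skip them here
        bucket = age_bucket(old["published"], as_of)
        changed, total = counts.setdefault(bucket, [0, 0])
        counts[bucket] = [changed + (1 if changed_fields(old, new) else 0), total + 1]
    return {b: (c, t) for b, (c, t) in counts.items()}


def modified_entries(old_snap: Dict[str, dict], new_snap: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map of entry id -> changed field names, for entries present in both snapshots."""
    return {
        entry_id: changed_fields(old, new_snap[entry_id])
        for entry_id, old in old_snap.items()
        if entry_id in new_snap and changed_fields(old, new_snap[entry_id])
    }


if __name__ == "__main__":
    for bucket, (changed, total) in sorted(churn_by_age(SNAPSHOT_OLD, SNAPSHOT_NEW, AS_OF).items()):
        print(f"{bucket:>5}: {changed}/{total} entries modified")
    for entry_id, fields in modified_entries(SNAPSHOT_OLD, SNAPSHOT_NEW).items():
        print(f"{entry_id}: {', '.join(fields)}")
```

The point the numbers make is the one the panel description raises: a study that snapshots the database once and treats it as fixed ground truth inherits whatever edits land later, so recording the snapshot date and re-running the diff against a later copy is a cheap way to bound how much your results depend on the feed's revision history.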
15:30-16:30 Invited Talk: Risk Analysis for Container Transport
Authors: Harald Sauff, Dieter Gollmann
16:30-17:30 Wrap Up
In this session, anyone can present on work in progress or bring up questions or problems for the workshop.