Workshop program

8:45-9:00

Welcome

9:00-10:00 Keynote Talk

Peter Gutmann, From Revenue Assurance to Assurance: The Importance of Measurement in Computer Security

10:00-10:30

Coffee Break

10:30-12:00 Paper Session

Session Chair: Stephan Neuhaus, ETH, Zurich

  • Riccardo Scandariato and James Walden. Predicting vulnerable classes in an Android application.
  • Satoshi Kai, Tomohiro Shigemoto, Tetsuro Kito, Satoshi Takemoto, and Tadashi Kaji Development of Qualification of Security Status Suitable for Cloud Computing System.
  • Jeffrey Stuckman and James Purtilo Comparing and applying attack surface metrics.
  • Aram Hovsepyan, Riccardo Scandariato, Wouter Joosen, and James Walden Software Vulnerability Prediction using Text Analysis Techniques.

12:00-13:30

Lunch

13:30-15:00 Panel: Data Sources and How Much to Trust Them


Moderator: Stephan Neuhaus, ETH, Zurich
Panelists: Peter Gutmann, Fabio Massacci, Laurie Williams

One of the biggest problems in empirical studies about computer security is the data. Usually you can't control the data acquisition process yourself; instead, you need to take other people's work and use that. For example, you could be using Mozilla Foundation Security Advisories, or the National Vulnerability Database. Then the question is, to what extent can you trust this information to be complete and unbiased? The answer is that you cannot, at least not without knowing the process by which these databases are created. For example, many researchers have for years believed that the NVD constitutes some kind of ground truth. If that were true, then one would expect that entries that have been in the NVD for some time will in general not change. Work currently being done here at ETH indicates, however, that the amount of change, or churn, in the NVD is quite high, and that even very old entries get changed!

15:00-15:30

Coffee Break

15:30-16:30 Invited Talk: Risk Analysis for Container Transport

Authors: Harald Sauff, Dieter Gollmann [abstract]

16:30-17:30 Wrap Up

In this session, anyone can present on work in progress or bring up questions or problems for the workshop.