Metricon 2.0

Agenda


August 7, 2007 (Boston)

8:00 - 8:30 Breakfast Provided in the Room

8:30 - 9:00 Keynote Debate: "Do Metrics Matter?"
Pro: Andrew Jaquith (Yankee Group)
Con: Mike Rothman (SecurityIncite)
Immoderator: EA Nichols (PlexLogic)

9:00 - 10:30 Track 1: Chair: Gunnar Peterson (Arctec Group)

"Security Meta Metrics--Measuring Agility, Learning, and Unintended Consequence"
Russell Cameron Thomas (Meritology) Slides

"Security Metrics in Practice: Development of a Security Metric System to Rate Enterprise Software"
Fredrick DeQuan Lee and Brian Chess (Fortify) Slides

"A Software Security Risk Classification System"
Eric Dalci and Robert Hines (Cigital) Slides

11:00 - 12:30 Track 2: Chair: Jeremy Epstein (webMethods)

"Web Application Security Metrics"
Jeremiah Grossman (WhiteHat Security) Slides

"Operational Security Risk Metrics: Definitions, Calculations, and Visualizations"
Brian Laing, Mike Lloyd, and Alain Mayer (Redseal Systems) Slides

"Metrics for Network Security Using Attack Graphs: A Position Paper"
Anoop Singhal (NIST), Lingyu Wang and Sushil Jajodia (Center for Secure Information Systems, George Mason University) Slides

12:30 - 1:30 Lunch Provided in the Room

1:30 - 3:00 Track 3: Chair: Adam Shostack

"Software Security Weakness Scoring"
Chris Wysopal (Veracode) Slides

"Developing Secure Applications with Metrics in Mind"
Thomas Heyman, Christophe Huygens, and Wouter Joosen (K.U.Leuven) Slides

"Correlating Automated Static Analysis Alert Density to Reported Vulnerabilities in Sendmail"
Michael Gegick and Laurie Williams (North Carolina State University) Slides

3:30 - 4:30 Panel
Practitioner Panel moderated by Becky Bace: three practitioners from thought-leading companies describe how they use metrics to make better decisions. Slides

4:30 - 6:00 Debate: Stump the Chumps
Security metricians spin the hamster wheel of pain

6:00 - 9:00 Dinner Provided in the Room


Dan Geer's Digest for the MetriCon 2.0 meeting (and his MetriCon 1.0 Digest)

The original call for papers.