
Is complexity really the enemy of software security?




We are happy to welcome you to the 4th Workshop on Quality of Protection (QoP'08). The workshop this year is on October 27, 2008 in Alexandria, VA, USA and is again held in association with the ACM Computer and Communications Security Conference (CCS'08).

QoP was founded with the objective of advancing research on security metrics and of providing a forum for researchers interested in these metrics to share their work. The need for security metrics runs the gamut of the software industry. Software engineers need a means of measuring the security of their code; vendors and customers need a mechanism for identifying which of two competing products is more secure and whether a single product is growing more secure over time; and businesses need to measure the security of their infrastructure. No single metric will work for all of these different communities---indeed, there is not even a single definition of 'security' that will work for all of these communities.

One challenge and opportunity for this workshop is to help our community avoid the mistakes encountered by similar efforts in other topics, such as software reliability. The body of related literature is large enough---and perhaps we are impatient enough in our search of that literature---that researchers in security metrics can be guilty of reinventing wheels. One strength of QoP is our participants: many of them have deep experience in software reliability and software metrics. They call attention to critical previous work and help our community avoid numerous pitfalls and dead ends.

The continued interest in and enthusiasm for the Quality of Protection workshop is indicative both of the workshop's success and the field's immaturity. We are still a long way from creating metrics that are theoretically sound, empirically validated, and that provide practical value in the real world.

The call for papers attracted 19 submissions, and the program committee accepted 5 full papers and 5 short papers based on the criteria of scientific novelty, importance to the field and technical quality. The program for the workshop also includes a panel discussion on security metrics, and a keynote speech by Gunnar Peterson.


