NIST Workshop on Software Measures and Metrics to Reduce Security Vulnerabilities

The Federal Cybersecurity Research and Development Strategic Plan seeks to fundamentally alter the dynamics of security, reversing adversaries' asymmetrical advantages. Achieving this reversal is the mid-term goal of the plan, which calls for "sustainably secure systems development and operation." Part of the mid-term (3-7 years) goal is "the design and implementation of software, firmware, and hardware that are highly resistant to malicious cyber activities ..." and reduce the number of vulnerabilities in software by orders of magnitude. Measures of software play an important role.

Industry requires evidence to tell how vulnerable a piece of software is, what techniques are most effective in developing software with far fewer vulnerabilities, determine the best places to deploy countermeasures, or take any of a number of other actions. This evidence comes from measuring, in the broadest sense, or assessing properties of software. With useful metrics, it is straight-forward to determine which software development technologies or methodologies lead to sustainably secure systems.

The goal of this workshop is to gather ideas on how the Federal Government can best use taxpayer money to identify, improve, package, deliver, or boost the use of software measures and metrics to significantly reduce vulnerabilities. We call for position statements from one to three paragraph long. Position statements may be on any subject like the following:

• existing measures of software that can make a difference in three to seven years,
• means of validating software measures or confirming their efficacy (meta-measurements),
• quantities (properties) in software that can be measured,
• standards (in both étalon and norme senses) needed for software measurement,
• cost vs. benefit of software measurements,
• surmountable barriers to adoption of measures and metrics,
• areas or conditions of applicability (or non-applicability) of measures,
• software measurement procedures (esp. automated ones), or
• sources of variability or uncertainty in software metrics or measures.

The output of this workshop and other efforts is a plan for how best the Federal Government can employ taxpayer money to significantly curtail software vulnerabilities in the mid-term.

Submissions

Position statements must be one to three paragraphs long. A "position" may include articulations of a problem, an issue to discuss, as well as a solution or opinion. The program committee will review the position statements, and invite some to make a presentation. Position statements will be published if agreed to by both the author and the program committee. Send statements to Elizabeth Fong efong [at] nist.gov (efong[at]nist[dot]gov) by 22 May 2016.

We will send invitations to submitters by 8 June 2016.

Important Dates

• 22 May: deadline to submit statements
• 8 June: invitations to present sent
• 27 June: deadline to register (no on-site registration)
• 12 July: Workshop