Waikiki, Honolulu, Hawaii, 22 May 2011
A one day workshop in conjunction with the 33rd International Conference on Software Engineering (ICSE 2011); Stay tuned with our RSS feed!
Nowadays software systems are as flexible as ever: they adapt themselves to the context of operation and their evolving environments. Nevertheless, they should always operate in a secure manner by preserving privacy and trust among the involved parties, even if the dynamic and decentralized nature of these systems poses several challenges in order to protect the exchange of data or services and guarantee the fairness of the system as a whole. Software is at core of most of the business transactions and its smart integration in an industrial setting may be the competitive advantage even when the core competence is outside the ICT field. As a result, the revenues of a firm depend directly on several complex software-based systems. Thus, stakeholders and users should be able to trust these systems to provide data and elaborations with a degree of confidentiality, integrity, and availability compatible with their needs and software engineers have to be familiar with the risks their design choices pose. All in all almost every application has today some kind of security requirement even if its use is not to be considered critical.
Moreover, the pervasiveness of software products in the creation of critical infrastructures has raised the value of trustworthiness and new efforts should be dedicated to achieve it. The cases in which no one has the complete control on all the components are increasingly common and relevant: for example, "mashup" applications pose several new security challenges since the designers could be partially unaware of the information exchanges that the users introduce into the system logic.
Security concerns should be taken into account as early as possible, and not added to systems as an after-thought: this is extremely expensive and it may compromise the design integrity in critical ways. Security features such as cryptographic protocols and tamper resistant hardware cannot be simply added on to transform an insecure product to a secure one. Security solutions and patterns are hard to reuse in different contexts, they crosscut all the system components and a single vulnerability alone might compromise the trustworthiness of the whole system. Thus, not surprisingly, several security holes are recurrent, notwithstanding the experience accumulated by security research in the last decades. Software engineers and practitioners should assimilate basic security techniques and discover new techniques for integrating them in the current practice, while understanding associated costs and benefits. Several well-established software engineering disciplines such as verification, testing, program analysis, process support, configuration management, requirement engineering, etc. could contribute to improving security solutions that sometimes lack a coherent methodological approach. Or, as it is the case of security standards proposed by the Common Criteria or BS7799, present challenges that prevent integration with mainstream software engineering practice. Moreover, applications are increasingly deployed in unanticipated environments and even the "attack surface" of an application can be difficult to assess at design time, for example in the now popular case of virtual hosting in which guest applications share physical resources that might open unwanted communication channels.
The SESS workshop aims at providing a venue for software engineers and security researchers to exchange ideas and techniques. Past editions (first, second, third, fourth, fifth, and sixth) were also held in conjunction of ICSE. Selected and extended version of the papers from the SESS07 and SESS08 have been published (after publisher's rigorous peer review process) to the special issue of the Information and Software Technology -- The Elsevier Journal, Vol. 51, Issue 7, July 2009; and the special issue of the Computers and Security -- The Elsevier Journal, Vol. 29, Issue 3, May 2010, respectively.
Areas of interest include, but are not limited to:
Workshop papers must be limited to 7 pages in the ICSE
two column format. and should be submitted through the SESS'11
We're also interested in having 1-2 presentations about the ideas of curricula development and experience reports on teaching computer security in software engineering courses.
We also solicit posters (with a page of abstract) and should be submitted to one of the workshop chairs. Accepted posters and a page of abstract will be displayed in the workshop for discussions.
The workshop will be organized with the following contents. The workshop will start with an invited talk and then the paper presentation (long and short) with Q/A. In the past, the workshop maintained a very interactive and dynamic atmosphere in the discussion of interesting and important topics. Also, a poster session throughout the workshop significantly promoted the dynamics of the interactive discussion. The session chair will wrap up with the discussion of research challenges that were raised during presentations.