SCOPE

The CERT^® Software, System and Information Security (CSSIS) Cluster is a composition of two related minitracks from the Software Technology and Internet and the Digital Economy tracks. This cluster focuses on the security issues facing software developers and on implementation strategies. The following are descriptions of the minitracks.

The CERT Software Application Security (CSAS) Minitrack

This minitrack focuses on the research and automation techniques required to develop secure software systems that do not compromise other system properties such as performance or reliability. Current security engineering methods are demonstrably inadequate because software vulnerabilities are being discovered at the rate of more than 4,000 per year. These vulnerabilities are caused by software designs and implementations that do not adequately protect systems and by development practices that do not focus sufficiently on eliminating implementation defects that result in security flaws. An opportunity exists for systematic improvement that can lead to secure software applications and implementations.

The Cyber Threats, Emerging Risks, and Systemic Concerns (CTERSC) Minitrack

This minitrack addresses issues related to detecting, mitigating, and preventing the threat of computer-based attacks and operational failures. Papers that address improving the security of computer-reliant organizations from these threats through technical, organizational, or behavioral change are encouraged. These may include simulation studies, case-based research, empirical studies, and other applications of quantitative and qualitative methods. Contributions that rely on a perspective that is systemic and holistic are especially appreciated.

The following topics are appropriate for research papers in the CSISS Cluster:

• static analysis tools and techniques for detecting security flaws and software vulnerabilities in source or binary code
• dynamic analysis tools for detecting security flaws and software vulnerabilities in source or binary code
• model checking tools for detecting security flaws and software vulnerabilities in software systems
• software architectures and designs for securing against denial-of-service attacks and other software exploits
• coding practices for improved security and secure library implementations
• computational security engineering
• other tools and techniques for reducing or eliminating vulnerabilities during the development and maintenance
• identifying modes of misuse
• applications of access policies
• analysis of known and unknown modes of attack
• separating anomalous from routine behavior
• detecting and mitigating insider threats
• modeling risks and approaches to mitigation
• teaching and training security and business managers about the risks of cyber-attacks
• the economics of information security
• creating channels and techniques to share confidential information
• modeling and theory building of security issues
• unifying security and safety models

PAPER REVIEW AND PROCEEDINGS PUBLICATION

Papers in each of the HICSS tracks frequently make significant contributions to the application of information systems technology. All papers submitted to HICSS are independently reviewed in a double-blind process by three individuals who are selected for their respective expertise and active involvement in the field of research for the paper(s) under consideration.

Acceptance rates vary from year to year, but have averaged approximately 50% during the past few years. There may be lower rates in mature fields and slightly higher rates when a new area of research is specifically nurtured in its infancy. After an HICSS conference, many papers are revised or extended and republished in various journals, transactions, and monographs, or may appear as chapters in books. All accepted papers become part of the Proceedings of the Hawai'i International Conference on System Sciences that are published and distributed by the IEEE Computer Society and carried on the IEEE Digital Library, Xplore.

Each year's papers are published on a CD-ROM that is distributed at each conference as part of the conference registration material. Prior to the conference, minitrack chairs nominate candidates for a Best Paper Award (noted in the conference program). Judging for these awards is conducted by panel of judges in each track, with winners announced on the last day of the conference.

INSTRUCTIONS FOR PAPER SUBMISSION

• HICSS papers must contain original material not previously published nor currently submitted elsewhere.
• It is recommended that authors contact the minitrack chair(s) by email for guidance regarding appropriate content.
• HICSS will conduct double-blind reviews of each submitted paper.
• Submit full papers by June 15, adhering to detailed author instructions found on the HICSS web site.

IMPORTANT 2007 DATES

Abstracts are required for submission to this cluster or its minitracks. Please submit abstracts to the cluster chairs at cssis@cert.org by June 1st. Please contact the cluster chairs for further guidance and indication of appropriate content at any time.

• June 1: Authors should submit an abstract of their paper by this date to the cluster chairs (cssis@cert.org).
• June 15: Authors submit full papers by this date, following the author instructions found on the HICSS web site. All papers should be submitted in double-column publication format and are limited to 10 pages, including diagrams and references. HICSS papers undergo a double-blind review (June 15 - August 15).
• August 15: Acceptance notices are sent to authors. At this time, at least one author of an accepted paper should begin fiscal and travel arrangements to attend the conference to present the paper.
• September 15: Authors submit the final version of papers following submission instructions posted on the HICSS web site. At least one author of each paper should register by this date with specific plans to attend the conference.
• October 2: Papers without at least one registered author will be pulled from the publication process; authors will be notified.
• December 1: This is the deadline to guarantee your hotel reservation at the conference rate. The conference rate will be granted after this date only if rooms are available.
• December 15: There will be no refund for cancellation of registration after this date.

CO-CHAIRS OF THE CSSIS CLUSTER

Guido Schryen—RWTH Aachen University

Jason A. Rafail—CERT Coordination Center (CERT/CC), Software Engineering Institute, Carnegie Mellon University

Address email for the cluster chairs to cssis@cert.org.

CO-CHAIRS OF THE CSAS MINITRACK

Jason A. Rafail—CERT/CC, Software Engineering Institute, Carnegie Mellon University

Robert C. Seacord—CERT/CC, Software Engineering Institute, Carnegie Mellon University

Dan Plakosh—CERT/CC, Software Engineering Institute, Carnegie Mellon University

CO-CHAIRS OF THE CTERSC MINITRACK

Guido Schryen—RWTH Aachen University

Jose J. Gonzalez—Agder University College

Eliot H. Rich—University at Albany, State University of New York

PROGRAM COMMITTEE MEMBERS

Yue Chen—University of Southern California

Carol Woody—CERT, Software Engineering Institute, Carnegie Mellon University

John Steven—Cigital

Fred Long—University of Wales, Aberystwyth

David Riley—University of Wisconsin - La Crosse

David Spooner—Rensselaer Polytechnic Institute

Julia Allen—Software Engineering Institute, Carnegie Mellon University

Kenneth Van Wyk—KRvW Associates, LLC

Felix Freiling—University of Mannheim

Jose J. Gonzalez—Agder University College