International Symposium on Engineering Secure Software and Systems

February 03-04, 2010
Pisa, Italy

In cooperation with ACM SIGSAC and SIGSOFT, and IEEE CS (TCSE) - Pending


Trustworthy, secure software is a core ingredient of the modern world.
Unfortunately, the Internet is too. Hostile, networked environments,
like the Internet, can allow vulnerabilities in software to be
exploited from anywhere. To address this, high-quality security
building blocks (e.g., cryptographic components) are necessary, but
insufficient. Indeed, the construction of secure software is
challenging because of the complexity of modern applications, the
growing sophistication of security requirements, the multitude of
available software technologies and the progress of attack
vectors. Clearly, a strong need exists for engineering techniques that
scale well and that demonstrably improve the software's security.


The goal of this symposium, which will be the second in the series, is
to bring together researchers and practitioners to advance the states
of the art and practice in secure software engineering. Being one of
the few conference-level events dedicated to this topic, it explicitly
aims to bridge the software engineering and security engineering
communities, and promote cross-fertilization. The symposium will
feature two days of technical program as well as one day of
tutorials. The technical program includes an experience track for
which the submission of highly informative case studies describing
(un)successful secure software project experiences and lessons learned
is explicitly encouraged.

The Symposium seeks submissions on subjects related to its goals.
Topics include (but are not limited to):
- scalable techniques for threat modeling and analysis of
- specification and management of security requirements and policies
- security architecture and design for software and systems
- model checking for security
- specification formalisms for security artifacts
- verification techniques for security properties
- systematic support for security best practices
- security testing
- security assurance cases
- programming paradigms, models and DSLs for security
- program rewriting techniques
- processes for the development of secure software and systems
- security-oriented software reconfiguration and evolution
- security measurement
- automated development
- trade-off between security and other non-functional requirements
- support for assurance, certification and accreditation

The proceedings of the symposium are published by Springer-Verlag in
the Lecture Notes in Computer Science Series. Submissions should follow
the formatting instructions of the Springer LNCS Style.

Submitted papers must present original, unpublished work of high
quality. The PC will select the papers into three categories:

Full Papers (16 pages plus bibliography) - describe novel original
research which is validated by either formal results, experimental
analysis or significant case study validation. The critical bar for
acceptance in this category is novelty and validation.

Industrial Reports (12 pages plus bibliography) - describe the
application of existing research techniques or analysis methods to
industry-level case studies. The research results may already be
published elsewhere; here you show that you have applied them to
something that is actually used in an industrial setting (e.g. a real
SAP product or a RedHat distribution). A critical issue for
acceptance here is applicability at a large scale.

Idea papers (8 pages plus bibliography) - describe an interesting
novel idea whose formal or experimental validation is not at the level
of a full paper, but whose potential is promising. An idea paper
allows you to timestamp your research contribution while giving you
the chance to present fully validated results at later conferences.

Proposals for tutorials are highly welcome as well. Further guidelines
will appear on the website of the symposium.

Abstract submission: September 15, 2009
Paper submission: September 30, 2009
Author notification: November 15, 2009
Camera-ready: December 5, 2009
Tutorial submission: October 24, 2009
Tutorial notification: November 21, 2009

Jorge Cuellar (Siemens AG)
Wouter Joosen (Katholieke Universiteit Leuven) - chair
Fabio Massacci (Universita di Trento)
Gary McGraw (Cigital)
Bashar Nuseibeh (The Open University)
Daniel Wallach (Rice University)

General chair: Fabio Martinelli (C.N.R., IT)
Program co-chairs:
  Fabio Massacci (Universita di Trento, IT) and
  Dan Wallach (Rice University, USA)
Publication chair: N. Zannone (Eindhoven Technical Univ., NL)
Publicity chair: Yves Younan (Katholieke Universiteit Leuven, BE)

Juergen Doser (IMDEA, ES)
Manuel Fahndrich (Microsoft Research, US)
Michael Franz (UC Irvine, US)
Dieter Gollmann (Hamburg University of Technology, DE)
Jan Jurjens (Open University, UK)
Seok-Won Lee (Univ. North Carolina Charlotte, US)
Antonio Mana (University of Malaga, ES)
Robert Martin (MITRE, USA)
Mattia Monga (Milan University, IT)
Fabio Massacci (Univ. of Trento) - Chair
Haris Mouratidis (Univ. of East London, UK)
Gunther Pernul (Universitat Regensburg, DE)
Samuel Redwine (James Madison University, USA)
David Sands (Chalmers Univ., SE)
Riccardo Scandariato (Katholieke Universiteit Leuven, BE)
Ketil Stolen (Sintef, NO)
Jon Whittle (Lancaster University, UK)
Mohammad Zulkernine (Queen's University, CA)
Neeraj Suri (Tech. Univ. Darmstadt, DE)
Yingjiu Li (Singapore Management Univ., SG)
Hao Chen (UC Davis, US)
Richard Clayton (Cambridge University, UK)
Eduardo Fernandez-Medina (University of Castilla-La Mancha, ES)
Yucel Karabulut (Office of CTO, SAP)
Vijay Varadharajan (Macquarie Univ, AU)
Junfeng Yang (Columbia University, US)
Dan Wallach (Rice University) - Chair