Betsy Nichols Joins ENISA Common Assurance Metric Group

Monday, 15 March 2010 18:56

Betsy Nichols has joined the Common Assurance Metric group within the European Network and Information Security Agency. The initial meeting was held in Barcelona on 15 March 2010 in conjunction with the Secure Cloud 2010 Conference sponsored by ENISA, CSA, IEEE, and ISACA. The initiative seems to have the support of the major vendors (such as Microsoft, eBay, Google, Amazon Web Services) as well as other security groups (such as ISF, ISSA, and Jericho Forum). The plan is to build on existing efforts such as Shared Assessments, CloudAudit, FTC, and NIST. There are high expectations that something relevant, open, transparent and practical will be delivered within the next year.
In addition to providing a liaison with the CSA Metrics Working Group, Betsy will be contributing in the area of models that compose and weight low-level metrics to provide higher-level assurance ratings for cloud-based services.

CSA Metrics Group adopts MetricsCenter Catalog

Friday, 15 January 2010 18:47

The Cloud Security Alliance has adopted MetricsCenter as its platform for defining cloud security metrics. The group will use the platform for collaboration, commenting, rating and revision control as they work to identify cloud-specific metrics that enhance and support existing CSA guidance. Once defined, the metric definitions will be available as XML documents using PlexLogic's Metrics XML schema. The MetricsCenter platform supports complete and unambiguous specifications that will be consumable by both producers and consumers of cloud services for implementation and deployment.

Cloud Security Alliance Announces Metrics Working Group

Tuesday, 15 December 2009 18:37

The Cloud Security Alliance has announced the formation of a Metrics Working Group. Founded by Lynn Terwoerds of SafeMashUps, Caroline Wong of eBay, Tara Darbyshire of EMC/Archer, and Betsy Nichols of PlexLogic, the group will be defining concrete metrics that are designed to enhance and support current CSA guidance as provided here. The working group will publish its metrics in an open format which allows for comment, revision history, and eventually consumption by the entire CSA (and potentially other) community. The first three CSA Domains to be addressed are: Encryption and Key Management, Governance and Enterprise Risk Management, and Application Security.

Saturday, 07 November 2009 20:18

The MetricsCenter.net Release 2.0 is now open for business. MetricsCenter.net is the industry's first on-demand metrics service. MetricsCenter.net is a private service designed to complement the open and free services offered by MetricsCenter.org. Major new features include:
- Catalog enhancements to support the definition of dimensions, datasets and comments that are linked with each other as well as with metrics and contexts.
- Catalog enhancements that support sharing of both definitions and opinions
- Additional public dashboards that look at topics such as the effect of breaches on a public company's stock price
- Enhanced dashboard annotation with context-sensitive help available for each displayed widget
The MetricsCenter.org web site is currently under construction to incorporate some of the new features of Release 2.0. In the meantime, the MetricsCenter.net site has lots of new content that can be accessed without a login account.

Wednesday, 04 November 2009 00:00

Betsy Nichols was featured in the SC Magazine Nov 2009 20th Anniversary issue in an article entitled "Market Entrepreneurs - A handful of folks whose technical savvy, inventive spirit and business acumen helped to enliven the IT security industry". Her contributions were highlighted along with several others' including Jay Chaudhry, Eva Chen, Maria Cirino, Jon Darbyshire, Ron Gula, Gil Shwed, and Peter Norton. You can read the entire article here.

Tuesday, 03 November 2009 00:00

Betsy Nichols will present with Sammy Migues, Principal Analyst at Cigital, at the RSA 2010 USA Conference in San Francisco, CA during the first week of March. The title of the presentation is "Mathematical Profile of a Winner - BSIMM Data Analyzed". A year after its announcement by Cigital and Fortify, the BSIMM Project has collected a highly qualified, statistically significant data set. The RSA presentation will provide a rigorous mathematical analysis of results. What is the profile of a winning secure software development program? Is there just one or several paths to a mature SDLC? What is the correlation between effective practices or activities within practices? What are the benefits of sharing results within a trusted community? These questions and more will be explored. You can read more about BSIMM here and the BSIMM Begin Project here.

|
|
|