[Global_industry_committee] [Owasp-board] Industry Survey
rex.booth at owasp.org
Mon Aug 22 23:20:12 EDT 2011
Board - what say the rest of you? I believe Eoin and Tom are on board.
Dave, Seba, Michael? I'd like to get this signed between all parties
ASAP so we can aim for a kickoff at Appsec USA.
On 8/18/2011 10:36 PM, Jeff Williams wrote:
> Thanks Rex,
> Great presentation and I'm convinced. I approve.
> *From:*Rex Booth [mailto:rex.booth at owasp.org]
> *Sent:* Thursday, August 18, 2011 8:17 PM
> *To:* Eoin
> *Cc:* Jeff Williams; Rex Booth; Global_industry_committee; OWASP
> Foundation Board List; Michael Coates;
> committees-chairs at lists.owasp.org; Dave Wichers; Tom Brennan;
> Sebastien Deleersnyder
> *Subject:* Re: [Global_industry_committee] [Owasp-board] Industry Survey
> Eoin and Jeff - good questions and fair concerns. Let me briefly
> address them.
> Eoin - I understand your concern about GT riding the OWASP wave. A
> couple points to hopefully assuage:
> 1. I'm the primary point of contact within GT. Yes, of course, I
> recognize the value of being associated with OWASP, but in my 5+
> years in the org, I've only acted in ways that respect the mission
> and culture. I will ensure that my firm does not violate our values.
> 2. The draft MOU is very clear about what GT's role will be in the
> survey. Our participation outside of the MOU will be limited to
> individuals conducting surveys on behalf of OWASP - just as will
> dozens of others from various firms across the globe.
> 3. Other than sponsorship of the survey (earned through hundreds of
> support hours related to survey execution, analysis and
> production), the advantage we receive from this activity will be
> available to all other OWASP participants - face time with CISOs -
> but it will be strictly controlled. I intend to host an
> "interview training session" for all interviewers (GT and non-GT)
> to explain how we should conduct ourselves.
> Jeff - regarding the goals and output. I've attached a slide deck
> that provides an overview of our intent and approach. This may answer
> some of your questions.
> In addition, I should note that GT has extensive experience developing
> and executing meaningful, professional surveys for various
> organizations, including AGA and TechAmerica. We know how to do this
> and do it well. I'm happy to host a conference call between OWASP and
> our primary survey manager if anybody is interested.
> Please let me know if I can address any other questions.
> On 8/18/2011 6:16 PM, Eoin wrote:
> The longest email if have written in a while......
> Jeff we talked about this over a year ago and you still maintain the
> same point, I respect that.
> The survey in mind shall address the views of industry such that owasp
> can listen. The survey is not about what owasp want but what the
> respondents want.
> It's a good start and Rex has taken and ran with this. Only concern
> for me is GT riding the owasp wave, as this survey is for owasp to use
> in order to find focus and direction, core aspect of industry focus is
> to act on indicate concerns.
> I believe the first draft of the survey needs to be reviewed to help
> ensure it is asking the right questions as the answers are easy,
> asking the right questions are hard. I don't believe GT should have
> control over the questions being asked for example.
> Can we agree to pit a little time aside to review the first draft of
> the survey such that the majority is happy with the level, direction,
> intended audience, amount of questions, coverage etc.
> On 18 Aug 2011, at 22:15, "Jeff Williams" <jeff.williams at owasp.org
> <mailto:jeff.williams at owasp.org>> wrote:
> I like the idea of doing a survey and I think collaborating with a
> firm like GT is a good idea. We've discussed the idea for years
> and I've raised the same questions every time. I question whether
> we have the capability to produce a good survey instrument.
> Survey design is considerably more difficult than writing down a
> few questions. It's a scientific experiment and it need careful
> For this, I'd like to understand...
> ·What are the specific goals of the survey?
> ·What exactly is it that OWASP is trying to find out?
> If OWASP is to be responsible for coming up with the questions, we
> need to follow some kind of process to derive survey questions
> that will specifically answer some interesting questions about our
> space. It's hard to create questions that both achieve our goals
> and is not biased in any way.
> Personally I think a survey could help answer specific questions
> ·Standards that OWASP could produce
> ·How appsec budgets are divided across training, secure coding,
> verification, mgmt.
> ·Org structure around appsec roles
> ·Metrics used to report appsec to management
> ·Percentage of application portfolio regularly assessed in appsec
> verification program
> ·Percentage of Internal apps vs. external apps covered
> ·Use of standard application security controls
> ·Which OWASP projects are most useful
> But there's a lot of work to change these topics into specific
> experiments embodied in one or more survey questions.
> *From:*owasp-board-bounces at lists.owasp.org
> <mailto:owasp-board-bounces at lists.owasp.org>
> [mailto:owasp-board-bounces at lists.owasp.org] *On Behalf Of *Tom
> *Sent:* Thursday, August 18, 2011 12:06 PM
> *To:* OWASP Foundation Board List
> *Cc:* Rex Booth; Michael Coates; Global_industry_committee; Rex
> Booth; committees-chairs at lists.owasp.org
> <mailto:committees-chairs at lists.owasp.org>
> *Subject:* [Owasp-board] Industry Survey
> After several months of discussions across global committees the
> attached has been submitted by Grant Thorton to conduct a
> collaborative industry study. The agreement is attached for
> review and approval including citing reference for end result.
> Please read and vote on your decision to support this effort in
> producing a collaboration document. I suspect that we will likely
> see more of these types of agreements between business and OWASP
> to set a understanding as part of the growing ecosystem that wants
> to understand
> After discussions with multiple parties since AppSecEU I support
> this and vote to approve this "project" effort.
> Please review and vote YES/NO/ABSTAIN prior to the September Board
> meeting at AppSecUSA
> Global_industry_committee mailing list
> Global_industry_committee at lists.owasp.org
> <mailto:Global_industry_committee at lists.owasp.org>
> Global_industry_committee mailing list
> Global_industry_committee at lists.owasp.org <mailto:Global_industry_committee at lists.owasp.org>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Global_industry_committee