[Global_industry_committee] [Owasp-board] Industry Survey

Rex Booth rex.booth at owasp.org
Mon Aug 22 23:20:12 EDT 2011

Thanks Jeff.

Board - what say the rest of you?  I believe Eoin and Tom are on board.  
Dave, Seba, Michael?  I'd like to get this signed between all parties 
ASAP so we can aim for a kickoff at Appsec USA.


On 8/18/2011 10:36 PM, Jeff Williams wrote:
> Thanks Rex,
> Great presentation and I'm convinced.  I approve.
> --Jeff
> *From:*Rex Booth [mailto:rex.booth at owasp.org]
> *Sent:* Thursday, August 18, 2011 8:17 PM
> *To:* Eoin
> *Cc:* Jeff Williams; Rex Booth; Global_industry_committee; OWASP 
> Foundation Board List; Michael Coates; 
> committees-chairs at lists.owasp.org; Dave Wichers; Tom Brennan; 
> Sebastien Deleersnyder
> *Subject:* Re: [Global_industry_committee] [Owasp-board] Industry Survey
> Eoin and Jeff - good questions and fair concerns.  Let me briefly 
> address them.
> Eoin - I understand your concern about GT riding the OWASP wave.  A 
> couple points to hopefully assuage:
>  1. I'm the primary point of contact within GT.  Yes, of course, I
>     recognize the value of being associated with OWASP, but in my 5+
>     years in the org, I've only acted in ways that respect the mission
>     and culture.  I will ensure that my firm does not violate our values.
>  2. The draft MOU is very clear about what GT's role will be in the
>     survey.  Our participation outside of the MOU will be limited to
>     individuals conducting surveys on behalf of OWASP - just as will
>     dozens of others from various firms across the globe.
>  3. Other than sponsorship of the survey (earned through hundreds of
>     support hours related to survey execution, analysis and
>     production), the advantage we receive from this activity will be
>     available to all other OWASP participants - face time with CISOs -
>     but it will be strictly controlled.  I intend to host an
>     "interview training session" for all interviewers (GT and non-GT)
>     to explain how we should conduct ourselves.
> Jeff - regarding the goals and output.  I've attached a slide deck 
> that provides an overview of our intent and approach.  This may answer 
> some of your questions.
> In addition, I should note that GT has extensive experience developing 
> and executing meaningful, professional surveys for various 
> organizations, including AGA and TechAmerica.  We know how to do this 
> and do it well.  I'm happy to host a conference call between OWASP and 
> our primary survey manager if anybody is interested.
> Please let me know if I can address any other questions.
> Thanks,
> Rex
> On 8/18/2011 6:16 PM, Eoin wrote:
> The longest email I have written in a while......
> Jeff we talked about this over a year ago and you still maintain the 
> same point, I respect that.
> The survey in mind shall address the views of industry such that OWASP 
> can listen. The survey is not about what OWASP wants but what the 
> respondents want.
> It's a good start and Rex has taken and run with this. Only concern 
> for me is GT riding the OWASP wave, as this survey is for OWASP to use 
> in order to find focus and direction; a core aspect of industry focus is 
> to act on indicated concerns.
> I believe the first draft of the survey needs to be reviewed to help 
> ensure it is asking the right questions, as the answers are easy; 
> asking the right questions is hard. I don't believe GT should have 
> control over the questions being asked, for example.
> Can we agree to put a little time aside to review the first draft of 
> the survey such that the majority is happy with the level, direction, 
> intended audience, number of questions, coverage etc.
> Eoin
> On 18 Aug 2011, at 22:15, "Jeff Williams" <jeff.williams at owasp.org> wrote:
>     Tom,
>     I like the idea of doing a survey and I think collaborating with a
>     firm like GT is a good idea.  We've discussed the idea for years
>     and I've raised the same questions every time.  I question whether
>     we have the capability to produce a good survey instrument. 
>     Survey design is considerably more difficult than writing down a
>     few questions.  It's a scientific experiment and it needs careful
>     design.
>     For this, I'd like to understand...
>     ·What are the specific goals of the survey?
>     ·What exactly is it that OWASP is trying to find out?
>     If OWASP is to be responsible for coming up with the questions, we
>     need to follow some kind of process to derive survey questions
>     that will specifically answer some interesting questions about our
>     space.   It's hard to create questions that both achieve our goals
>     and are not biased in any way.
>     Personally I think a survey could help answer specific questions
>     around:
>     ·Standards that OWASP could produce
>     ·How appsec budgets are divided across training, secure coding,
>     verification, mgmt.
>     ·Org structure around appsec roles
>     ·Metrics used to report appsec to management
>     ·Percentage of application portfolio regularly assessed in appsec
>     verification program
>     ·Percentage of Internal apps vs. external apps covered
>     ·Use of standard application security controls
>     ·Which OWASP projects are most useful
>     But there's a lot of work to change these topics into specific
>     experiments embodied in one or more survey questions.
>     --Jeff
>     *From:* owasp-board-bounces at lists.owasp.org *On Behalf Of* Tom
>     Brennan
>     *Sent:* Thursday, August 18, 2011 12:06 PM
>     *To:* OWASP Foundation Board List
>     *Cc:* Rex Booth; Michael Coates; Global_industry_committee; Rex
>     Booth; committees-chairs at lists.owasp.org
>     *Subject:* [Owasp-board] Industry Survey
>     Board,
>     After several months of discussions across global committees the
>     attached has been submitted by Grant Thornton to conduct a
>     collaborative industry study.   The agreement is attached for
>     review and approval, including citing reference for the end result.
>     Please read and vote on your decision to support this effort in
>     producing a collaboration document.  I suspect that we will likely
>     see more of these types of agreements between business and OWASP
>     to set an understanding as part of the growing ecosystem that wants
>     to understand
>     After discussions with multiple parties since AppSecEU I support
>     this and vote to approve this "project" effort.
>     Please review and vote YES/NO/ABSTAIN prior to the September Board
>     meeting at AppSecUSA
>     _______________________________________________
>     Global_industry_committee mailing list
>     Global_industry_committee at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/global_industry_committee
