[Global_industry_committee] anyone care to review this "OWASP Survey" document/template
eoin.keary at owasp.org
Wed Jan 5 06:08:29 EST 2011
To answer your question in more detail... (hope this helps)
The survey is designed to address a small number of key aspects in relation
to the industry view of application security and OWASP.
Section 1: Investments and Challenges - Is Appsec relevant
- used to draw out how high on the radar application security is to the
- the reasons for this area of security being high
- How application security fits in with other information security
demands, what would its priority be.
Section 2: Relevance of OWASP - Are we using our "Brand" properly
- Which OWASP output is used by the participant or his/her
organisation... what projects are actually useful to industry
- How relevant is OWASP to the organisation
- Are OWASP materials referenced/drawn upon by the organisation... are we
a household name?
- What are the challenges in delivering application security for the
org...this has an effect on OWASP growth.
Section 3: Threats and Risks - Perception
- Do they see more web application security risks and threats? Are they
on the increase?
- What are the root causes of these attacks/incidents?
- Shall an organisation be spending more on application security as a
Section 4: Tools and Technology - Operational
- What tools does the organisation currently use? - are they opting for
firewalls instead of secure code etc?
- Is the organisation planning to invest in more tools and if so which
ones? - runtime or static or ??
- do they do security testing if so by who and on what layer?
Section 5: Governance and control - Strategic
- Do they include application security in their process and guideline and
- Do they think there is more to do in this area, do they feel weak?
- What application frameworks if any do they use - we can gauge maturity
- How is application security effectiveness measured - Metrics,
Subjective, case by case?
- Third party risk - we can outsource the service but not the risk. How
are they managing this? COTS software, Software food chain, Outsourced
development, component reuse etc.
On 4 January 2011 20:55, Jeff Williams <jeff.williams at owasp.org> wrote:
> Can you forward the specific survey objectives? I don’t have a good idea
> of the outcomes that you expect, and so I can’t evaluate whether these are
> the right questions.
> The kinds of questions a survey author should create are based on two
> things: the objectives of the survey and the information to be collected.
> Know the kinds of information needed, then turn those research objectives into a
> set of “information requirements.” From here, one can create questions that
> will produce that information (Brace 2004, 11-12). An accurate survey is one
> where the questions collect the data in a reliable and valid way.
> *From:* eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] *On Behalf Of *
> *Sent:* Tuesday, January 04, 2011 11:53 AM
> *To:* Global_industry_committee
> *Cc:* David Campbell; Tom Brennan; Seba; Jeff Williams; Dave Wichers; Matt
> Tesauro; dinis cruz
> *Subject:* anyone care to review this "OWASP Survey" document/template
> David and myself put this together.
> Would appreciate your views on the questions and also the type of data the
> questions will yield.
> Was to be done with ISC2 partnership but not sure about this.
> I believe an e-survey would suit best; as such, this is a template.
> This should be driven by the industry committee in terms of delivery but
> needs some board approval, stringent review and overall agreement on the
> objective and content.
> Happy to discuss at summit.
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> Sent from my i-Transmogrifier
OWASP Global Board Member
OWASP Code Review Guide Lead Author
Sent from my i-Transmogrifier