[Global_industry_committee] anyone care to review this "OWASP Survey" document/template

Eoin eoin.keary at owasp.org
Wed Jan 5 06:08:29 EST 2011

to answer your question in more detail...... (hope this helps)

The survey is designed to address a small number of key aspects in relation
to the industry view of application security and OWASP.
Section 1: Investments and Challenges - Is Appsec relevant

   - used to draw out how high the radar application security is to the
   - the reasons for this areas of security for being high
   - How application security fits in with other information security
   demands, what would its priority be.

Section 2: Relevance of OWASP - Are we using our "Brand" properly

   - Which OWASP output is used by the participant or his/her
   organisation....what projects are actually useful to industry
   - How relevant is OWASP to the organisation
   - Are OWASP materials referenced/drawn upon by the organisation....are we
   a household name?
   - What are the challenges in delivering application security for the
   org...this has an effect on OWASP growth.

 Section 3: Threats and Risks - Perception

   - Do they see more web application security risks and threats, are they
   on the increase
   - What are the root causes of these attacks/incidents?
   - Shall an organisation be spending more on application security as a

Section 4: Tools and Technology - Operational

   - What tools does the organisation currently use? - are they opting for
   firewalls instead of secure code etc?
   - Is the organisation planning to invest in more tools and if so which
   ones? - runtime or static or ??
   - do they do security testing if so by who and on what layer?

Section 5; Governance and control - Strategic

   - Do they include application security in their process and guideline and
   - Do they think there is more to do in this area, do they feel weak?
   - What application frameworks if any do they use - we can gauge maturity
   using this?
   - How is application security effectiveness measured - Metrics,
   Subjective, case by case?
   - Third party risk - we can outsource the service but not the risk. How
   are they managing this? COTS software, Software food chain, Outsourced
   development, component reuse etc.

On 4 January 2011 20:55, Jeff Williams <jeff.williams at owasp.org> wrote:

>  Eoin,
> Can you forward the specific survey objectives?  I don’t have a good idea
> of the outcomes that you expect, and so I can’t evaluate whether these are
> the right questions.
> The kinds of questions a survey author should create are based on two
> things: the objectives of the survey and the information to be collected.
> Know kinds of information needed then turn those research objectives into a
> set of “information requirements.” From here, one can create questions that
> will produce that information (Brace 2004, 11-12). An accurate survey is one
> where the questions collect the data in a reliable and valid way.
> http://s3.amazonaws.com/SurveyMonkeyFiles/SmartSurvey.pdf
> --Jeff
> *From:* eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] *On Behalf Of *
> Eoin
> *Sent:* Tuesday, January 04, 2011 11:53 AM
> *To:* Global_industry_committee
> *Cc:* David Campbell; Tom Brennan; Seba; Jeff Williams; Dave Wichers; Matt
> Tesauro; dinis cruz
> *Subject:* anyone care to review this "OWASP Survey" document/template
> David and myself put this together.
> Would appreciate your views on the questions and also the type of data the
> questions will yield.
> Was to be done with ISC2 partnership but not sure about this.
> I believe an e-survey would suit best, such this is a template.
> This should be driven by the industry committee in terms of delivery but
> needs some board approval, stringent review and overall agrrment on the
> objective and content.
> thoughts?
> Happy to discuss at summit.
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary

Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/global_industry_committee/attachments/20110105/d4a19284/attachment.html 

More information about the Global_industry_committee mailing list