[Global_industry_committee] anyone care to review this "OWASP Survey" document/template

Colin Watson colin.watson at owasp.org
Wed Jan 5 10:12:17 EST 2011


Some thoughts/queries below.  No need to reply to any of this... just
make up your own mind!


1)  If ISC2 are not yet on board, perhaps their logo should be removed for now?

2)  Maybe move the anonymity stuff to the "Introduction", instead of
in "Instructions", and reiterate it at the start of the "participant
information" section?

3)  Is it necessary to provide definitions of some of the terms used,
to improve the submitted data quality?  For example, "application
security" is used, but so is "web application" - is a mobile
application a web application?  How about SaaS?  A recent BS uses "web
product" which I quite like.

Survey - Investments and challenges

4)  In Q1 maybe add the "go to..." like in Q10

5)  In Q2, the second and third answers have the same title (but
different examples) - can they be renamed?

6)  In Q2, would application intrusion detection fall within "dynamic
analysis", or could it be a new option?

7)  In Q2 the use of the phrase "my organization" isn't consistent
with the other options.

8)  In Q2, maybe just truncate after "COTS" since "software" is
already understood?

Relevance of OWASP

9)  It would have been 15 questions, if the numbering didn't restart
here... so 17 questions.

10) In Q1 of this section, drop "OWASP" from "Top 10" and delete trailing hyphen

11) In Q1, perhaps order these alphabetically, and/or group by

12) Other projects? O2(!), AppSensor, ...?

13) In Q2 lower case "m" in "Material"

14) In Q3 would "Justifying business case" be worth adding?

Threats and risks

15) In Q4 can we differentiate between internal & external like this?
There seem to be two questions here... one relating to fraud and one to
attacks, and then for each by whom.  The "whom" could be trusted and
untrusted/unknown/third-party users rather than internal/external?

16) Is Q6 too similar to Q1... or should we explain here the difference?

Tools and technology

17) The use of "application risk management process" doesn't sound
quite right to me when looking at the "tools" in Q7a.  I don't see a
risk assessment tool for example.  Would "application security
processes" be better?

18) In Q7a should the "i.e." be "e.g." in four places?

19) In Q9, maybe add "Application configuration reviews", "???
compliance audits/reviews", and remove "e.g. penetration testing" from
the intro.

Governance and control

20) I know this is a draft, but some answers need to have radio
buttons and some check boxes... Q10 needs both.

21) In Q10 it mentions Q23....but means Q10a (currently)

22) In Q13 ISF is "INFORMATION Security Forum"

23) In Q13 at "BSI MM", "CLASP" and "MS SDL"

24) In Q14 is "No assessments performed" needed - all unselected means
the same.  If left, move to last?

25) In Q15 could we change "ensure" to "verify", or if "ensure" is
meant, add things like "Security requirements defined in
specifications", "Procurement due diligence", "Security obligations
defined in contracts", etc

26) Move "Thank you for your participation" to after "Participant information".

Participant information

27) Not for profits can have (huge) turnovers so delete the text in
parentheses in "annual revenue"

28) In "Industry", where has this list come from?  For example
"Provider care" seems quite odd, and there is "Private Equity" as well
as "Banking & capital markets".  Do D&B have a better list, or could
we ask for SIC?

29)  Do we want to weed out security consultants and security vendors
from the responses somehow?  i.e. "users" rather than "dealers".


30) And as a final check, have a read of these two views on surveys:

    19 Lessons from United Airlines on How To Build A Crappy Survey

    The Use and Misuse of Surveys


On 4 January 2011 16:53, Eoin <eoin.keary at owasp.org> wrote:
> David and myself put this together.
> Would appreciate your views on the questions and also the type of data the
> questions will yield.
> Was to be done with ISC2 partnership but not sure about this.
> I believe an e-survey would suit best, such this is a template.
> This should be driven by the industry committee in terms of delivery but
> needs some board approval, stringent review and overall agreement on the
> objective and content.
> thoughts?
> Happy to discuss at summit.
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary