[Global_industry_committee] anyone care to review this "OWASP Survey" document/template

Eoin eoin.keary at owasp.org
Wed Jan 5 10:48:54 EST 2011


Thanks Colin,
will action now. Great attention to detail!



On 5 January 2011 15:12, Colin Watson <colin.watson at owasp.org> wrote:

> Eoin
>
> Some thoughts/queries below.  No need to reply to any of this... just
> make up your own mind!
>
> General
> ------------
>
> 1)  If ISC2 are not yet on board, perhaps their logo should be removed for
> now?
>
> 2)  Maybe move the anonymity stuff to the "Introduction", instead of
> in "Instructions", and reiterate it at the start of  the "participant
> information" section?
>
> 3)  Is it necessary to provide definitions of some of the terms used,
> to improve the submitted data quality?  For example, "application
> security" is used, but so is "web application" - is a mobile
> application a web application?  How about SaaS?  A recent BS uses "web
> product" which I quite like.
>
> Survey - Investments and challenges
> -----------------------------------------------------
>
> 4)  In Q1 maybe add the "go to..." like in Q10
>
> 5)  In Q2, the second and third answers have the same title (but
> different examples) - can they be renamed?
>
> 6)  In Q2, would application intrusion detection fall within "dynamic
> analysis", or could it be a new option?
>
> 7)  In Q2 the use of the phrase "my organization" isn't consistent
> with the other options.
>
> 8)  In Q2, maybe just truncate after "COTS" since "software" is
> already understood?
>
> Relevance of OWASP
> -------------------------------
>
> 9)  It would have been 15 questions, if the numbering didn't restart
> here... so 17 questions.
>
> 10) In Q1 of this section, drop "OWASP" from "Top 10" and delete trailing
> hyphen
>
> 11) In Q1, perhaps order these alphabetically, and/or group by
> tools/documents/other?
>
> 12) Other projects? O2(!), AppSensor, ...?
>
> 13) In Q2 lower case "m" in "Material"
>
> 14) In Q3 would "Justifying business case" be worth adding?
>
> Threats and risks
> -------------------------
>
> 15) In Q4 can we differentiate between internal & external like this?
> There seem to be two questions here... one relating to fraud and one to
> attacks, and then for each by whom.  The "whom" could be trusted and
> untrusted/unknown/third-party users rather than internal/external?
>
> 16) Is Q6 too similar to Q1... or should we explain here the difference?
>
> Tools and technology
> -------------------------------
>
> 17) The use of "application risk management process" doesn't sound
> quite right to me when looking at the "tools" in Q7a.  I don't see a
> risk assessment tool for example.  Would "application security
> processes" be better?
>
> 18) In Q7a should the "i.e." be "e.g." in four places?
>
> 19) In Q9, maybe add "Application configuration reviews", "???
> compliance audits/reviews", and remove "e.g. penetration testing" from
> the intro.
>
> Governance and control
> ----------------------------------
>
> 20) I know this is a draft, but some answers need to have radio
> buttons and some check boxes... Q10 needs both.
>
> 21) In Q10 it mentions Q23... but means Q10a (currently)
>
> 22) In Q13 ISF is "INFORMATION Security Forum"
>
> 23) In Q13 at "BSI MM", "CLASP" and "MS SDL"
>
> 24) In Q14 is "No assessments performed" needed - all unselected means
> the same.  If kept, move to last?
>
> 25) In Q15 could we change "ensure" to "verify", or if "ensure" is
> meant, add things like "Security requirements defined in
> specifications", "Procurement due diligence", "Security obligations
> defined in contracts", etc
>
> 26) Move "Thank you for your participation" to after "Participant
> information".
>
> Participant information
> --------------------------------
>
> 27) Not for profits can have (huge) turnovers so delete the text in
> parentheses in "annual revenue"
>
> 28) In "Industry", where has this list come from?  For example
> "Provider care" seems quite odd, and there is "Private Equity" as well
> as "Banking & capital markets".  Do D&B have a better list, or could
> we ask for SIC?
>
> 29)  Do we want to weed out security consultants and security vendors
> from the responses somehow?  i.e. "users" rather than "dealers".
>
> Other
> --------
>
> 30) And as a final check, have a read of these two views on surveys:
>
>    19 Lessons from United Airlines on How To Build A Crappy Survey
>
> http://www.uie.com/brainsparks/2010/12/26/19-lessons-from-united-airlines-on-how-to-build-a-crappy-survey/
>
>    The Use and Misuse of Surveys
>    https://www.karlalbrecht.com/articles/smmisuse.shtml
>
> Colin
>
>
>
> On 4 January 2011 16:53, Eoin <eoin.keary at owasp.org> wrote:
> > David and I put this together.
> >
> > Would appreciate your views on the questions and also the type of data the
> > questions will yield.
> > Was to be done with ISC2 partnership but not sure about this.
> >
> > I believe an e-survey would suit best, such this is a template.
> >
> > This should be driven by the industry committee in terms of delivery but
> > needs some board approval, stringent review and overall agreement on the
> > objective and content.
> >
> > thoughts?
> > Happy to discuss at summit.
> >
> > --
> > Eoin Keary
> > OWASP Global Board Member
> > OWASP Code Review Guide Lead Author
> >
> > Sent from my i-Transmogrifier
> > http://asg.ie/
> > https://twitter.com/EoinKeary
> >
> >
>



-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary