[Global_industry_committee] CISO survey 2013 questions - your feedback please

Tobias tobias.gondrom at owasp.org
Thu Nov 8 03:01:20 UTC 2012

Thank you. Made the edits of the survey accordingly.
See comments inline.

On 22/10/12 12:22, Colin Watson wrote:
> Tobias
> 1. I do not like the abbreviation GASS (hot air?), or worse if we drop
> the 'Global"
removed GASS.

> 2. On Page 3, do we need to be more specific - is it "IS threats" we
> are talking about?  So p3 heading might be "IS Threats and Risks" and
> p4 might be "Application Threats and Risks". Do we need to define
> "application"?
changed accordingly.
And no need to define "application".
> 3. On p5, is it worth asking split application/infrastructure/other to
> compare with the threat/risk values?
> 4. On p7, "AntiSammy" should not have double "m", ZAP needs to be
> moved down a few lines in the alphabetical ordering
> 5. Do pp10-11 sufficiently cover all the measures "we" recommend
> through the SDLC e.g. security requirements, training, threat
> modelling, guidelines, tested modules/frameworks, etc, etc? Actually I
> agree with Tobias's comment, I am not sure the existing questions add
> much value, and we're not attempting to do a SAMM/BSIMM survey either.
regarding page 10: is about tools, so SDLC, threat modeling would not be 
appropriate here as it is not a technology but a process. But we could 
add a page on the models to be used

and based on your (and Marco's) feedback actually replaced page 11 with 
something more CISO relevant.

> 6. On p14 I think "OWASP SAMM" would more correctly be written "Open SAMM"


Thanks a lot for your feedback!


> Colin
> On 20 October 2012 16:55, Tobias <tobias.gondrom at owasp.org> wrote:
>> Hello dear GIC fellows,
>> as discussed during our GIC call this week, I took the CISO Survey from last
>> year and revised it a little bit.
>> https://www.owasp.org/index.php/Industry:GIC_CISO_Survey_2013
>> Please take a good look and review and/or make modifications until Tuesday
>> Oct-23.
>> It is in the Wiki, so you can edit easily. I will try to put whatever we
>> have by then into a surveymonkey the following day, so we can use the
>> AppSecUS to already hand-out a first set of links to the survey.
>> Maybe a couple of questions as food for thought:
>> - the survey feels relatively long? Are there questions we should remove?
>> - Are there questions we missed / should add?
>> - regarding page-10 question 13 and 14: Is it really important for us (and
>> later the report readers) which tool categories are used or being planned to
>> be used? I have the feeling that some may use none and some may use all, so
>> am not sure these two questions really add significant value. What do you
>> think?
>> Best regards and wish you a nice weekend, Tobias
> _______________________________________________
> Global_industry_committee mailing list
> Global_industry_committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global_industry_committee

More information about the Global_industry_committee mailing list