[Global_industry_committee] CISO survey 2013 questions - your feedback please

Colin Watson colin.watson at owasp.org
Mon Oct 22 16:22:26 UTC 2012


Tobias

1. I do not like the abbreviation GASS (hot air?), or worse if we drop
the "Global"

2. On Page 3, do we need to be more specific - is it "IS threats" we
are talking about? So p3 heading might be "IS Threats and Risks" and
p4 might be "Application Threats and Risks". Do we need to define
"application"?

3. On p5, is it worth asking split application/infrastructure/other to
compare with the threat/risk values?

4. On p7, "AntiSammy" should not have double "m", ZAP needs to be
moved down a few lines in the alphabetical ordering

5. Do pp10-11 sufficiently cover all the measures "we" recommend
through the SDLC e.g. security requirements, training, threat
modelling, guidelines, tested modules/frameworks, etc, etc? Actually I
agree with Tobias's comment, I am not sure the existing questions add
much value, and we're not attempting to do a SAMM/BSIMM survey either.

6. On p14 I think "OWASP SAMM" would more correctly be written "Open SAMM"

Colin

On 20 October 2012 16:55, Tobias <tobias.gondrom at owasp.org> wrote:
> Hello dear GIC fellows,
>
> as discussed during our GIC call this week, I took the CISO Survey from last
> year and revised it a little bit.
> https://www.owasp.org/index.php/Industry:GIC_CISO_Survey_2013
>
> Please take a good look and review and/or make modifications until Tuesday
> Oct-23.
> It is in the Wiki, so you can edit easily. I will try to put whatever we
> have by then into a surveymonkey the following day, so we can use the
> AppSecUS to already hand-out a first set of links to the survey.
>
> Maybe a couple of questions as food for thought:
> - the survey feels relatively long? Are there questions we should remove?
> - Are there questions we missed / should add?
> - regarding page-10 question 13 and 14: Is it really important for us (and
> later the report readers) which tool categories are used or being planned to
> be used? I have the feeling that some may use none and some may use all, so
> am not sure these two questions really add significant value. What do you
> think?
>
> Best regards and wish you a nice weekend, Tobias
>

