<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks Rex,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Great presentation and I&#8217;m convinced.&nbsp; I approve.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>--Jeff<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> Rex Booth [mailto:rex.booth@owasp.org] <br><b>Sent:</b> Thursday, August 18, 2011 8:17 PM<br><b>To:</b> Eoin<br><b>Cc:</b> Jeff Williams; Rex Booth; Global_industry_committee; OWASP Foundation Board List; Michael Coates; committees-chairs@lists.owasp.org; Dave Wichers; Tom Brennan; Sebastien Deleersnyder<br><b>Subject:</b> Re: [Global_industry_committee] [Owasp-board] Industry Survey<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>Eoin and Jeff - good questions and fair concerns.&nbsp; Let me briefly address them.<br><br>Eoin - I understand your concern about GT riding the OWASP wave.&nbsp; A couple points to hopefully assuage:<o:p></o:p></p><ol start=1 type=1><li class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'>I'm the primary point of contact within GT.&nbsp; Yes, of course, I recognize the value of being associated with OWASP, but in my 5+ years in the org, I've only acted in ways that respect the mission and culture.&nbsp; I will ensure that my firm does not violate our values.<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'>The draft MOU is very clear about what GT's role will be in the survey.&nbsp; Our participation outside of the MOU will be limited to individuals conducting surveys on behalf of OWASP - just as will dozens of others from various firms across the globe.&nbsp; <o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'>Other than sponsorship of the survey (earned through hundreds of support hours related to survey execution, analysis and production), the advantage we receive from this activity will be available to all other OWASP participants - face time with CISOs - but it will be strictly controlled.&nbsp; I intend to host an &quot;interview training session&quot; for all interviewers (GT and non-GT) to explain how we should conduct ourselves.<o:p></o:p></li></ol><p class=MsoNormal><br>Jeff - regarding the goals and output.&nbsp; I've attached a slide deck that provides an overview of our intent and approach.&nbsp; This may answer some of your questions.<br><br>In addition, I should note that GT has extensive experience developing and executing meaningful, professional surveys for various organizations, including AGA and TechAmerica.&nbsp; We know how to do this and do it well.&nbsp; I'm happy to host a conference call between OWASP and our primary survey manager if anybody is interested.<br><br>Please let me know if I can address any other questions.<br><br>Thanks,<br>Rex<br><br>On 8/18/2011 6:16 PM, Eoin wrote: <o:p></o:p></p><div><p 
class=MsoNormal>The longest email I have written in a while......&nbsp;<o:p></o:p></p></div><div><p class=MsoNormal>Jeff, we talked about this over a year ago and you still maintain the same point; I respect that.<o:p></o:p></p></div><div><p class=MsoNormal>The survey in mind shall address the views of industry such that OWASP can listen. The survey is not about what OWASP wants but what the respondents want.&nbsp;<br>It's a good start and Rex has taken and run with this. The only concern for me is GT riding the OWASP wave, as this survey is for OWASP to use in order to find focus and direction; a core aspect of industry focus is to act on indicated concerns.<o:p></o:p></p></div><div><p class=MsoNormal>I believe the first draft of the survey needs to be reviewed to help ensure it is asking the right questions, as the answers are easy; asking the right questions is hard. I don't believe GT should have control over the questions being asked, for example.&nbsp;<o:p></o:p></p></div><div><p class=MsoNormal>Can we agree to put a little time aside to review the first draft of the survey such that the majority is happy with the level, direction, intended audience, amount of questions, coverage etc.?<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>Eoin<o:p></o:p></p></div><div><div><p class=MsoNormal>&nbsp;<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>On 18 Aug 2011, at 22:15, &quot;Jeff Williams&quot; &lt;<a href="mailto:jeff.williams@owasp.org">jeff.williams@owasp.org</a>&gt; wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Tom,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span 
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I like the idea of doing a survey and I think collaborating with a firm like GT is a good idea.&nbsp; We&#8217;ve discussed the idea for years and I&#8217;ve raised the same questions every time.&nbsp; I question whether we have the capability to produce a good survey instrument.&nbsp; Survey design is considerably more difficult than writing down a few questions.&nbsp; It&#8217;s a scientific experiment and it needs careful design.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>For this, I&#8217;d like to understand&#8230;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>&middot;</span><span style='font-size:7.0pt;color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>What are the specific goals of the survey?</span><o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>&middot;</span><span style='font-size:7.0pt;color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>What exactly is it that OWASP is trying to find out?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If OWASP is to be responsible for coming up with the questions, we need to follow some kind of process to derive survey questions that will specifically answer some interesting questions about our space.&nbsp;&nbsp; It&#8217;s hard to create questions that both achieve our goals and are not biased in any way.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Personally I think a survey could help answer specific questions around:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>&middot;</span><span style='font-size:7.0pt;color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Standards that OWASP could produce</span><o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>&middot;</span><span style='font-size:7.0pt;color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span 
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>How appsec budgets are divided across training, secure coding, verification, mgmt.</span><o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>&middot;</span><span style='font-size:7.0pt;color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Org structure around appsec roles</span><o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>&middot;</span><span style='font-size:7.0pt;color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Metrics used to report appsec to management</span><o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>&middot;</span><span style='font-size:7.0pt;color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Percentage of application portfolio regularly assessed in appsec verification program</span><o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>&middot;</span><span style='font-size:7.0pt;color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Percentage of Internal apps vs. 
external apps covered</span><o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>&middot;</span><span style='font-size:7.0pt;color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Use of standard application security controls</span><o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>&middot;</span><span style='font-size:7.0pt;color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Which OWASP projects are most useful</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>But there&#8217;s a lot of work to change these topics into specific experiments embodied in one or more survey questions.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>--Jeff</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span 
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:owasp-board-bounces@lists.owasp.org">owasp-board-bounces@lists.owasp.org</a> [<a href="mailto:owasp-board-bounces@lists.owasp.org">mailto:owasp-board-bounces@lists.owasp.org</a>] <b>On Behalf Of </b>Tom Brennan<br><b>Sent:</b> Thursday, August 18, 2011 12:06 PM<br><b>To:</b> OWASP Foundation Board List<br><b>Cc:</b> Rex Booth; Michael Coates; Global_industry_committee; Rex Booth; <a href="mailto:committees-chairs@lists.owasp.org">committees-chairs@lists.owasp.org</a><br><b>Subject:</b> [Owasp-board] Industry Survey</span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Board,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>After several months of discussions across global committees, the attached has been submitted by Grant Thornton to conduct a collaborative industry study. &nbsp;&nbsp;The agreement is attached for review and approval, including citing reference for the end result.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Please read and vote on your decision to support this effort in producing a collaboration document. &nbsp;I suspect that we will likely see more of these types of agreements between business and OWASP to set an understanding as part of the growing ecosystem that wants to understand<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>After discussions with multiple parties since AppSecEU, I support this and vote to approve this &quot;project&quot; effort.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Please review and vote YES/NO/ABSTAIN prior to the September Board meeting at AppSecUSA.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif"'>&nbsp;</span><o:p></o:p></p></div></blockquote></div></div></div></blockquote><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>_______________________________________________<br>Global_industry_committee mailing list<br><a href="mailto:Global_industry_committee@lists.owasp.org">Global_industry_committee@lists.owasp.org</a><br><a href="https://lists.owasp.org/mailman/listinfo/global_industry_committee">https://lists.owasp.org/mailman/listinfo/global_industry_committee</a><o:p></o:p></p></div></blockquote><p class=MsoNormal><o:p>&nbsp;</o:p></p></div></body></html>