[Owasp-board] [Global_industry_committee] Industry Survey

Dave Wichers dave.wichers at owasp.org
Sat Apr 10 01:44:56 UTC 2004

I approve.


From: Rex Booth [mailto:rex.booth at owasp.org] 
Sent: Monday, August 22, 2011 11:20 PM
To: Jeff Williams
Cc: 'Eoin'; 'Rex Booth'; 'Global_industry_committee'; 'OWASP Foundation
Board List'; 'Michael Coates'; committees-chairs at lists.owasp.org; 'Dave
Wichers'; 'Tom Brennan'; 'Sebastien Deleersnyder'
Subject: Re: [Global_industry_committee] [Owasp-board] Industry Survey


Thanks Jeff.

Board - what say the rest of you?  I believe Eoin and Tom are on board.
Dave, Seba, Michael?  I'd like to get this signed between all parties ASAP
so we can aim for a kickoff at Appsec USA.


On 8/18/2011 10:36 PM, Jeff Williams wrote: 

Thanks Rex,


Great presentation and I'm convinced.  I approve.




From: Rex Booth [mailto:rex.booth at owasp.org] 
Sent: Thursday, August 18, 2011 8:17 PM
To: Eoin
Cc: Jeff Williams; Rex Booth; Global_industry_committee; OWASP Foundation
Board List; Michael Coates; committees-chairs at lists.owasp.org; Dave Wichers;
Tom Brennan; Sebastien Deleersnyder
Subject: Re: [Global_industry_committee] [Owasp-board] Industry Survey


Eoin and Jeff - good questions and fair concerns.  Let me briefly address

Eoin - I understand your concern about GT riding the OWASP wave.  A couple of
points to hopefully assuage:

1. I'm the primary point of contact within GT.  Yes, of course, I
recognize the value of being associated with OWASP, but in my 5+ years in
the org, I've only acted in ways that respect the mission and culture.  I
will ensure that my firm does not violate our values.
2. The draft MOU is very clear about what GT's role will be in the
survey.  Our participation outside of the MOU will be limited to individuals
conducting surveys on behalf of OWASP - just as will dozens of others from
various firms across the globe.
3. Other than sponsorship of the survey (earned through hundreds of
support hours related to survey execution, analysis and production), the
advantage we receive from this activity will be available to all other OWASP
participants - face time with CISOs - but it will be strictly controlled.  I
intend to host an "interview training session" for all interviewers (GT and
non-GT) to explain how we should conduct ourselves.

Jeff - regarding the goals and output.  I've attached a slide deck that
provides an overview of our intent and approach.  This may answer some of
your questions.

In addition, I should note that GT has extensive experience developing and
executing meaningful, professional surveys for various organizations,
including AGA and TechAmerica.  We know how to do this and do it well.  I'm
happy to host a conference call between OWASP and our primary survey manager
if anybody is interested.

Please let me know if I can address any other questions.


On 8/18/2011 6:16 PM, Eoin wrote: 

The longest email I have written in a while......

Jeff we talked about this over a year ago and you still maintain the same
point, I respect that.

The survey in mind shall address the views of industry such that owasp can
listen. The survey is not about what owasp want but what the respondents
It's a good start and Rex has taken and run with this. Only concern for me
is GT riding the owasp wave, as this survey is for owasp to use in order to
find focus and direction, core aspect of industry focus is to act on
indicated concerns.

I believe the first draft of the survey needs to be reviewed to help ensure
it is asking the right questions as the answers are easy, asking the right
questions are hard. I don't believe GT should have control over the
questions being asked for example. 

Can we agree to put a little time aside to review the first draft of the
survey such that the majority is happy with the level, direction, intended
audience, amount of questions, coverage etc.




On 18 Aug 2011, at 22:15, "Jeff Williams" <jeff.williams at owasp.org> wrote:



I like the idea of doing a survey and I think collaborating with a firm like
GT is a good idea.  We've discussed the idea for years and I've raised the
same questions every time.  I question whether we have the capability to
produce a good survey instrument.  Survey design is considerably more
difficult than writing down a few questions.  It's a scientific experiment
and it needs careful design.


For this, I'd like to understand.


- What are the specific goals of the survey?
- What exactly is it that OWASP is trying to find out?


If OWASP is to be responsible for coming up with the questions, we need to
follow some kind of process to derive survey questions that will
specifically answer some interesting questions about our space.   It's hard
to create questions that both achieve our goals and are not biased in any


Personally I think a survey could help answer specific questions around:


- Standards that OWASP could produce
- How appsec budgets are divided across training, secure coding,
verification, mgmt.
- Org structure around appsec roles
- Metrics used to report appsec to management
- Percentage of application portfolio regularly assessed in appsec
verification program
- Percentage of Internal apps vs. external apps covered
- Use of standard application security controls
- Which OWASP projects are most useful


But there's a lot of work to change these topics into specific experiments
embodied in one or more survey questions.





From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Tom Brennan
Sent: Thursday, August 18, 2011 12:06 PM
To: OWASP Foundation Board List
Cc: Rex Booth; Michael Coates; Global_industry_committee; Rex Booth;
committees-chairs at lists.owasp.org
Subject: [Owasp-board] Industry Survey




After several months of discussions across global committees the attached
has been submitted by Grant Thornton to conduct a collaborative industry
study.   The agreement is attached for review and approval including citing
reference for end result.


Please read and vote on your decision to support this effort in producing a
collaboration document.  I suspect that we will likely see more of these
types of agreements between business and OWASP to set an understanding as
part of the growing ecosystem that wants to understand


After discussions with multiple parties since AppSecEU I support this and
vote to approve this "project" effort.


Please review and vote YES/NO/ABSTAIN prior to the September Board meeting
at AppSecUSA.



