[Owasp-board] FW: OWASP Global survey ?

Sebastien Deleersnyder seba at deleersnyder.eu
Mon Feb 25 19:57:15 UTC 2008


Hi,

 

See the answers from Eoin below.

OWASP could certainly benefit from his and E&Y's experience in doing this.

I subscribe to Eoin's point of view:

"I feel like I am trying to sell you something here? Any IS manager, CISO,
ISO will tell you metrics are very hard to obtain.

This would give exposure of OWASP to more than technical practitioners but
decision makers across industry."

If well managed the ROI of this can be high. Certainly coming from an
independent organisation such as OWASP.

 

I propose to ask Eoin to do this as a Soc08 project, or do we do this
separately?

 

Tom: do you want to be the board sponsor? If not: I have no problem doing
this - but the coming months my OWASP energy goes into the EU conference

 

 

Regards

 

Seba

 

  _____  

From: eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] On Behalf Of Eoin
Sent: maandag 25 februari 2008 11:07
To: Sebastien Deleersnyder; OWASP Board
Subject: Re: OWASP Global survey ?

 

See below,

On 24/02/2008, Sebastien Deleersnyder <seba at deleersnyder.eu> wrote:

Hi Eoin,

 

Regarding your suggestion on the survey below. We think it is a great idea
but have some questions:

 

We'd like to find out what your experience with the survey is...

 - who designed the instrument?

The instrument was designed by EY. It's 10 years running. It is a web based
survey. I was involved in writing the questionnaire.
 

 - how much did the effort cost?

 

EY being commercial, we took time if required to do the survey with the
participants. To author the questionnaire took about a month, many reviews
were performed to ensure the questions covered the correct topics in correct
amounts. Review takes the most time. The dollar cost to EY would be
confidential I'm afraid.


 

 - how much time did it take and how many people were involved?

 

A month to draft the questions. Peer review takes some time. I would suggest
hosting the survey on the OWASP site or webmonkey


 

 - how were participants recruited?

 

It being commercial, participants were willing as they knew of the benefit of
the results from a strategic perspective. Even if we targeted OWASP member
companies amongst others we could get a good demographic of the security
industry.


 

 - how much time was spent with each participant?

 

If needed 1-2 hours but not all participants need to be helped. This is
simply a commercial decision to assist participants.


 

 - how much time was spent working with the data?

 

The data analysis took over two months as over 500 respondents had to be
analysed. This would be much smaller for OWASP in my opinion.


 

 - how were the results promoted?

 

Printed brochure, Breakfast meeting in local business units. PDF for
download. Results were anonymous and stated as a percentage of respondents.

 

 

If you need any more information please ask.

I feel like I am trying to sell you something here? Any IS manager, CISO,
ISO will tell you metrics are very hard to obtain.

This would give exposure of OWASP to more than technical practitioners but
decision makers across industry.

 


 

 

Regards

 

Seba

 

In response to your suggestion:

 

I have been suggesting an OWASP Global survey since December which I could
run with. I have done them before for "big 4" companies so know how to do
it.

 

Check out the EY GISS for an example of a global survey but our survey would
be more web-app centric.

 

If The Board wish to proceed with a global survey please let me know.

The main issue is the questions to be asked which should be agreed among the
leaders of OWASP.

 

http://www.ey.com/global/content.nsf/International/Assurance_&_Advisory_-_Technology_and_Security_Risk_-_Global_Information_Security_Survey_2007

 

ta ta,

Ek

 

 




-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project 
