[Owasp-board] Industry Survey

Jeff Williams jeff.williams at owasp.org
Thu Aug 18 21:15:41 UTC 2011
I like the idea of doing a survey and I think collaborating with a firm like
GT is a good idea.  We've discussed the idea for years and I've raised the
same questions every time.  I question whether we have the capability to
produce a good survey instrument.  Survey design is considerably more
difficult than writing down a few questions.  It's a scientific experiment
and it needs careful design.


For this, I'd like to understand:

- What are the specific goals of the survey?

- What exactly is it that OWASP is trying to find out?


If OWASP is to be responsible for coming up with the questions, we need to
follow some kind of process to derive survey questions that will
specifically answer some interesting questions about our space.   It's hard
to create questions that both achieve our goals and are not biased in any

Personally I think a survey could help answer specific questions around:

- Standards that OWASP could produce

- How appsec budgets are divided across training, secure coding,
  verification, mgmt.

- Org structure around appsec roles

- Metrics used to report appsec to management

- Percentage of application portfolio regularly assessed in appsec
  verification program

- Percentage of internal apps vs. external apps covered

- Use of standard application security controls

- Which OWASP projects are most useful


But there's a lot of work to change these topics into specific experiments
embodied in one or more survey questions.

From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Tom Brennan
Sent: Thursday, August 18, 2011 12:06 PM
To: OWASP Foundation Board List
Cc: Rex Booth; Michael Coates; Global_industry_committee; Rex Booth;
committees-chairs at lists.owasp.org
Subject: [Owasp-board] Industry Survey
After several months of discussions across global committees the attached
has been submitted by Grant Thornton to conduct a collaborative industry
study.   The agreement is attached for review and approval including citing
reference for end result.


Please read and vote on your decision to support this effort in producing a
collaboration document.  I suspect that we will likely see more of these
types of agreements between business and OWASP to set an understanding as
part of the growing ecosystem that wants to understand


After discussions with multiple parties since AppSecEU I support this and
vote to approve this "project" effort.


Please review and vote YES/NO/ABSTAIN prior to the September Board meeting
at AppSecUSA.