[Owasp-board] [Global_industry_committee] anyone care to review this "OWASP Survey" document/template

Kate Hartmann kate.hartmann at owasp.org
Wed Jan 5 20:00:43 UTC 2011


Colin, you are awesome!  Thanks for taking the time to work on this with
such focus.

OWASP is lucky to have you among our ranks.

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org 
Skype:  Kate.hartmann1

-----Original Message-----
From: global_industry_committee-bounces at lists.owasp.org
[mailto:global_industry_committee-bounces at lists.owasp.org] On Behalf Of
Colin Watson
Sent: Wednesday, January 05, 2011 10:12 AM
To: Eoin
Cc: Jeff Williams; Dave Wichers; Global_industry_committee; Matt Tesauro
Subject: Re: [Global_industry_committee] anyone care to review this "OWASP
Survey" document/template

Eoin

Some thoughts/queries below.  No need to reply to any of this... just make
up your own mind!

General
------------

1)  If ISC2 are not yet on board, perhaps their log should be removed for
now?

2)  Maybe move the anonymity stuff to the "Introduction", instead of in
"Instructions", and reiterate it at the start of  the "participant
information" section?

3)  Is it necessary to provide definitions of some of the terms used, to
improve the submitted data quality?  For example, "application security" is
used, but so is "web application" - is a mobile application a web
application?  How about SaaS?  A recent BS uses "web product" which I quite
like.

Survey - Investments and challenges
-----------------------------------------------------

4)  In Q1 maybe add the "go to..." like in Q10

5)  In Q2, the second and third answers have the same title (but different
examples) - can they be renamed?

6)  In Q2, would application intrusion detection fall within "dynamic
analysis", or could it be a new option?

7)  In Q2 the use of the phrase "my organization" isn't consistent with the
other options.

8)  In Q2, maybe just truncate after "COTS" since "software" is already
understood?

Relevance of OWASP
-------------------------------

9)  It would have been 15 questions, if the numbering didn't restart here...
so 17 questions.

10) In Q1 of this section, drop "OWASP" from "Top 10" and delete trailing
hyphen

11) In Q1, perhaps order these alphabetically, and/or group by
tools/documents/other?

12) Other projects? O2(!), AppSensor, ...?

13) In Q2 lower case "m" in "Material"

14) In Q3 would "Justifying business case" be worth adding?

Threats and risks
-------------------------

15) In Q4 can we differentiate between internal & external like this?
There seems to be two questons here.. one relating to fraud and one to
attacks, and then for each by whom.  The "whom" could be trusted and
untrusted/unknown/third-party users rather than internal/external?

16) Is Q6 too similar to Q1... or should we explain here the difference?

Tools and technology
-------------------------------

17) The use of "application risk management process" doesn't sound quite
right to me when looking at the "tools" in Q7a.  I don't see a risk
assessment tool for example.  Would "application security processes" be
better?

18) In Q7a should the "i.e." be "e.g." in four places?

19) In Q9, maybe add "Application configuration reviews", "???
compliance audits/reviews", and remove "e.g. penetration testing" from the
intro.

Governance and control
----------------------------------

20) I know this is a draft, but some answers need to have radio buttons and
some check boxes... Q10 needs both.

21) In Q10 it mentions Q23....but means Q10a (currently)

22) In Q13 ISF is "INFORMATION Security Forum"

23) In Q13 at "BSI MM", "CLASP" and "MS SDL"

24) In Q14 is "No assessments performed" needed - all unselected means the
same.  If keft, move to last?

25) In Q15 could we change "ensure" to "verify", or if "ensure" is meant,
add things like "Security requirements defined in specifications",
"Procurement due diligence", "Security obligations defined in contracts",
etc

26) Move "Thank you for your participation" to after "Participant
information".

Participant information
--------------------------------

27) Not for profits can have (huge) turnovers so delete the text in
parentheses in "annual revenue"

28) In "Industry", where has this list come from?  For example "Provider
care" seems quite odd, and there is "Private Equity" as well as "Banking &
capital markets".  Do D&B have a better list, or could we ask for SIC?

29)  Do we want to weed out security consultants and security vendors from
the responses somehow?  i.e. "users" rather than "dealers".

Other
--------

30) And as a final check, have a read of these two views on surveys:

    19 Lessons from United Airlines on How To Build A Crappy Survey
 
http://www.uie.com/brainsparks/2010/12/26/19-lessons-from-united-airlines-on
-how-to-build-a-crappy-survey/

    The Use and Misuse of Surveys
    https://www.karlalbrecht.com/articles/smmisuse.shtml

Colin



On 4 January 2011 16:53, Eoin <eoin.keary at owasp.org> wrote:
> David and myself put this together.
>
> Would appreciate your views on the questions and also the type of data 
> the questions will yield.
> Was to be done with ISC2 partnership but not sure about this.
>
> I believe an e-survey would suit best, such this is a template.
>
> This should be driven by the industry committee in terms of delivery 
> but needs some board approval, stringent review and overall agrrment 
> on the objective and content.
>
> thoughts?
> Happy to discuss at summit.
>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
>
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary
>
> _______________________________________________
> Global_industry_committee mailing list 
> Global_industry_committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global_industry_committee
>
>
_______________________________________________
Global_industry_committee mailing list
Global_industry_committee at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/global_industry_committee




More information about the Owasp-board mailing list