[Owasp-leaders] Follow-up from the Code Review Survey @ AppSec USA

Kim Carter kim.carter at owasp.org
Sat Oct 10 20:26:09 UTC 2015


Is this information online somewhere? I think this could be useful for
not just the OWASP leaders. If not, does anyone have any issues if I
blog it?


Kim Carter

OWASP New Zealand Chapter Leader (Christchurch)

Author of *Holistic Info-Sec for Web Developers*
<https://leanpub.com/holistic-infosec-for-web-developers/>

c: +64 274 622 607
On 11/10/15 05:18, Eoin Keary wrote:
> Very cool Gary, Larry
> Do you find any of the results a surprise?
>
>
>
> Eoin Keary
> OWASP Volunteer
> @eoinkeary
>
>
>
> On 10 Oct 2015, at 5:11 p.m., Gary Robinson <gary.robinson at owasp.org
> <mailto:gary.robinson at owasp.org>> wrote:
>
>> Hi All,
>>
>> As some of you may know the OWASP Code Review Guide did a survey of
>> the attendees at AppSec USA.  We wanted to find out how attendees
>> rated the effectiveness of various security tools/reviews at finding
>> issues, such as business logic problems, or each of the OWASP Top
>> 10.  Our intention was to evaluate if Secure Code Review (the topic
>> of our guide) is seen as an effective security process in an
>> organization's SDLC.  These results (below) will be included in the
>> next version of the guide.
>>
>> We want to thank all of those who took part, and communicate the
>> results of the survey (it is Security Awareness Month after all).  In
>> the first part of our survey we asked attendees to rate which of the
>> following security tools/reviews were the most effective in finding:
>>
>> 1) General security vulnerabilities
>> 2) Privacy issues
>> 3) Business logic bugs
>> 4) Compliance issues (such as HIPAA, PCI, etc.)
>> 5) Availability issues
>>
>> The results are as follows:
>>
>> Inline image 1
>>
>> Next we concentrated on the OWASP Top 10 issues, this time the
>> results were as follows:
>>
>> Inline image 2
>>
>> Please feel free to make use of this survey in whatever way you
>> want.  Also feel free to discuss any of the outcomes, for example:
>>
>> a) A high percentage of people prefer manual pen testing as a way of
>> detecting availability/traffic load issues.  Is this specific to any
>> tool, or is it simply because 'load' or 'DoS' testing was not an option?
>> b) For A1, Injection, source code scanning was three times more
>> popular than manual pen testing; does that match your experience?
>> c) For A9, Using Components with Known Vulnerabilities, automated
>> vulnerability scans were far more popular than the rest.
>>
>> Just to note, this type of activity was a great outcome of the
>> Project Summit which took place before the conference.  This survey
>> is just one of the many valuable things to come from that summit.
>> Thanks to Larry for digitizing this info.
>>
>> Best of luck,
>>
>> Gary Robinson
>> Larry Conklin
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>


