https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=BgelbordOWASP - User contributions [en]2026-05-01T18:01:13ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=78100Category:OWASP Security Spending Benchmarks2010-02-07T19:17:20Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
== NEXT REPORT CURRENTLY COLLECTING RESPONSES - AIMING FOR Q2 DELIVERY ==<br />
<br />
== Q2 Report Published - Focus on Cloud Computing ==<br />
<br />
The Q2 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/f/f0/OWASP_SSB_Q2_Project_Report.pdf PDF Download]]<br />
<br />
There are a number of key findings in the Q2 09 study:<br />
<br />
* Software-as-a-Service is in much greater use than Infrastructure-as-a-Service or Platform-as-a-Service. Over half of respondents make moderate or significant use of SaaS. Less than a quarter of all respondents make any use of either IaaS or PaaS.<br />
<br />
* Security spending does not change significantly as a result of cloud computing. Respondents did not report significant spending changes in the areas of network security, third party security reviews, security personnel, or identity management.<br />
<br />
* Organizations are not doing their homework when it comes to cloud security. When engaging a cloud partner, only half of organizations inquire about common security-related issues, and only a third require documentation of security measures in place.<br />
<br />
* The risk of an undetected data breach is the greatest concern with using cloud computing, closely followed by the risk of a public data breach.<br />
<br />
* Compliance and standards requirements related to cloud computing are not well understood. Respondents report having the greatest understanding of PCI requirements relating to cloud computing and the least understanding of HIPAA cloud requirements.<br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The Q1 2009 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the Q1 09 study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-June 10th (EXTENDED): Collect survey responses through partner network.<br /><br />
4. June 10th-June 20th: Analyze results and produce draft report.<br /><br />
5. June 20th - June 25th: Get partner feedback on draft and make edits.<br /><br />
6. June 30th: Final report published<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(DONE)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]<br />
<br />
Information Security Magazine [http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1352162,00.html Web browsers remain vulnerable to user mistakes]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation and Founder, [http://www.securityscoreboard.com/ Security Scoreboard]). Boaz can be reached directly at '''boaz.gelbord AT owasp.org''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Aspect_logo_resized.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:CSI.jpg | 200px]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:The-open-group.gif]]<br clear="all"><br />
<br />
[[Image:Rapid7.png]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=78099Category:OWASP Security Spending Benchmarks2010-02-07T19:16:39Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
== NEXT REPORT CURRENTLY COLLECTING RESPONSES - AIMING FOR Q2 DELIVERY ==<br />
<br />
== Q2 Report Published - Focus on Cloud Computing ==<br />
<br />
The Q2 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/f/f0/OWASP_SSB_Q2_Project_Report.pdf PDF Download]]<br />
<br />
There are a number of key findings in the Q2 09 study:<br />
<br />
* Software-as-a-Service is in much greater use than Infrastructure-as-a-Service or Platform-as-a-Service. Over half of respondents make moderate or significant use of SaaS. Less than a quarter of all respondents make any use of either IaaS or PaaS.<br />
<br />
* Security spending does not change significantly as a result of cloud computing. Respondents did not report significant spending changes in the areas of network security, third party security reviews, security personnel, or identity management.<br />
<br />
* Organizations are not doing their homework when it comes to cloud security. When engaging a cloud partner, only half of organizations inquire about common security-related issues, and only a third require documentation of security measures in place.<br />
<br />
* The risk of an undetected data breach is the greatest concern with using cloud computing, closely followed by the risk of a public data breach.<br />
<br />
* Compliance and standards requirements related to cloud computing are not well understood. Respondents report having the greatest understanding of PCI requirements relating to cloud computing and the least understanding of HIPAA cloud requirements.<br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The Q1 2009 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the Q1 09 study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-June 10th (EXTENDED): Collect survey responses through partner network.<br /><br />
4. June 10th-June 20th: Analyze results and produce draft report.<br /><br />
5. June 20th - June 25th: Get partner feedback on draft and make edits.<br /><br />
6. June 30th: Final report published<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(DONE)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]<br />
<br />
Information Security Magazine [http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1352162,00.html Web browsers remain vulnerable to user mistakes]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation and Founder, [http://securityscoreboard.com/ Security Scoreboard]). Boaz can be reached directly at '''boaz.gelbord AT owasp.org''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Aspect_logo_resized.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:CSI.jpg | 200px]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:The-open-group.gif]]<br clear="all"><br />
<br />
[[Image:Rapid7.png]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Podcast_News&diff=76621Podcast News2010-01-22T01:20:27Z<p>Bgelbord: /* OWASP Podcast Roundtable */</p>
<hr />
<div>'''[[Podcast_News|OWASP Podcast News]]''' <br />
<br />
OWASP NEWS October 2009<br> <br />
<br />
== OWASP Podcast Roundtable ==<br />
<br />
'''Next Recording&nbsp;: January 22, 2010''' <br />
<br />
==== [Full-disclosure] Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack ====<br />
<br />
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html <br />
<br />
''Discussion'':&nbsp;holey OS code, Batman! how do you even start to get a handle on this bugger? this isn't web app specific, but it squarely hits secure coding between the eyes. how does a bug like this survive for 17 years? <br />
<br />
==== Top Ten Web Hacking Techniques of 2009 (Official) ====<br />
<br />
http://jeremiahgrossman.blogspot.com/2010/01/top-ten-web-hacking-techniques-of-2009.html <br />
<br />
''Discussion'':&nbsp;do you agree? anything jump out? any good back-stories? <br />
<br />
==== Google, China, "Aurora", and Advanced Persistent Threat ====<br />
<br />
(''this makes me want to start chanting "lions and tigers and bears - OH MY!"'') <br />
<br />
Google: A new approach to China<br> http://googleblog.blogspot.com/2010/01/new-approach-to-china.html <br />
<br />
Operation “Aurora” Hit Google, Others<br> http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/ <br />
<br />
Hack of Google, Adobe Conducted Through Zero-Day IE Flaw<br> http://www.wired.com/threatlevel/2010/01/hack-of-adob/ <br />
<br />
Microsoft Security Advisory (979352) Vulnerability in Internet Explorer Could Allow Remote Code Execution<br> http://www.microsoft.com/technet/security/advisory/979352.mspx <br />
<br />
Google v China<br> http://taosecurity.blogspot.com/2010/01/google-v-china.html <br />
<br />
Web-based systems vs. Advanced Persistent Threat<br> http://jeremiahgrossman.blogspot.com/2010/01/web-based-systems-vs-advanced.html <br />
<br />
''Discussion'':&nbsp;is this important news? how does this affect the development community, particularly by extension? has anything really changed? <br />
<br />
''Discussion'':&nbsp;A new IE 0-day brings mega-tech-corps to their knees. France and Germany respond by recommending against the use of IE altogether. Is this news? with so many IE6 apps still in use today, does it even matter? <br />
<br />
''Discussion'':&nbsp;this is also the source of a couple potential buzzword winners for 2010... "Operation Aurora" and "advanced persistent threat"... <br />
<br />
==== Microsoft Advances Search Privacy with Bing ====<br />
<br />
http://microsoftontheissues.com/cs/blogs/mscorp/archive/2010/01/18/microsoft-advances-search-privacy-with-bing.aspx <br />
<br />
''Discussion'':&nbsp;is this really that big a deal? do they really need the IP address at all? is this doing enough, or does it fall far short? <br />
<br />
==== Microsoft Seeks New Legal Framework For Cloud ====<br />
<br />
http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=222301657&amp;cid=IWK_Government-Twitter <br />
<br />
''Discussion'':&nbsp;what sort of legislation/regulation do we need? what would be useful? we all know, I think, that's it going to happen one way or another. the question is what is and isn't useful.<br />
<br />
==== Imperva Report on Password Practices ====<br />
<br />
http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf<br />
<br />
''Discussion'':&nbsp;is this surprising? Is enforced password complexity the answer? Is this the users' problem and should we care?</div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=74617Category:OWASP Security Spending Benchmarks2009-12-02T22:42:43Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
== NEXT REPORT TO BE PUBLISHED IN Q4 ==<br />
<br />
== Q2 Report Published - Focus on Cloud Computing ==<br />
<br />
The Q2 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/f/f0/OWASP_SSB_Q2_Project_Report.pdf PDF Download]]<br />
<br />
There are a number of key findings in the Q2 09 study:<br />
<br />
* Software-as-a-Service is in much greater use than Infrastructure-as-a-Service or Platform-as-a-Service. Over half of respondents make moderate or significant use of SaaS. Less than a quarter of all respondents make any use of either IaaS or PaaS.<br />
<br />
* Security spending does not change significantly as a result of cloud computing. Respondents did not report significant spending changes in the areas of network security, third party security reviews, security personnel, or identity management.<br />
<br />
* Organizations are not doing their homework when it comes to cloud security. When engaging a cloud partner, only half of organizations inquire about common security-related issues, and only a third require documentation of security measures in place.<br />
<br />
* The risk of an undetected data breach is the greatest concern with using cloud computing, closely followed by the risk of a public data breach.<br />
<br />
* Compliance and standards requirements related to cloud computing are not well understood. Respondents report having the greatest understanding of PCI requirements relating to cloud computing and the least understanding of HIPAA cloud requirements.<br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The Q1 2009 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the Q1 09 study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-June 10th (EXTENDED): Collect survey responses through partner network.<br /><br />
4. June 10th-June 20th: Analyze results and produce draft report.<br /><br />
5. June 20th - June 25th: Get partner feedback on draft and make edits.<br /><br />
6. June 30th: Final report published<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(DONE)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]<br />
<br />
Information Security Magazine [http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1352162,00.html Web browsers remain vulnerable to user mistakes]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''boaz.gelbord AT owasp.org''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Aspect_logo_resized.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:CSI.jpg | 200px]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:The-open-group.gif]]<br clear="all"><br />
<br />
[[Image:Rapid7.png]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=72594Category:OWASP Security Spending Benchmarks2009-11-02T19:15:57Z<p>Bgelbord: added Aspect logo</p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
== NEXT REPORT TO BE PUBLISHED IN Q4 ==<br />
<br />
== Q2 Report Published - Focus on Cloud Computing ==<br />
<br />
The Q2 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/f/f0/OWASP_SSB_Q2_Project_Report.pdf PDF Download]]<br />
<br />
There are a number of key findings in the Q2 09 study:<br />
<br />
* Software-as-a-Service is in much greater use than Infrastructure-as-a-Service or Platform-as-a-Service. Over half of respondents make moderate or significant use of SaaS. Less than a quarter of all respondents make any use of either IaaS or PaaS.<br />
<br />
* Security spending does not change significantly as a result of cloud computing. Respondents did not report significant spending changes in the areas of network security, third party security reviews, security personnel, or identity management.<br />
<br />
* Organizations are not doing their homework when it comes to cloud security. When engaging a cloud partner, only half of organizations inquire about common security-related issues, and only a third require documentation of security measures in place.<br />
<br />
* The risk of an undetected data breach is the greatest concern with using cloud computing, closely followed by the risk of a public data breach.<br />
<br />
* Compliance and standards requirements related to cloud computing are not well understood. Respondents report having the greatest understanding of PCI requirements relating to cloud computing and the least understanding of HIPAA cloud requirements.<br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The Q1 2009 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the Q1 09 study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-June 10th (EXTENDED): Collect survey responses through partner network.<br /><br />
4. June 10th-June 20th: Analyze results and produce draft report.<br /><br />
5. June 20th - June 25th: Get partner feedback on draft and make edits.<br /><br />
6. June 30th: Final report published<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(DONE)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]<br />
<br />
Information Security Magazine [http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1352162,00.html Web browsers remain vulnerable to user mistakes]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''boaz.gelbord AT owasp.org''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Aspect_logo_resized.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:CSI.jpg | 200px]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:The-open-group.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=File:Aspect_logo_resized.jpg&diff=72591File:Aspect logo resized.jpg2009-11-02T19:13:58Z<p>Bgelbord: </p>
<hr />
<div></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Podcast_News&diff=69230Podcast News2009-09-17T19:08:51Z<p>Bgelbord: </p>
<hr />
<div>'''[[Podcast_News|OWASP Podcast News]]'''<br />
<br />
OWASP NEWS April 2009<br/><br />
<br />
==OWASP General News==<br />
<br><br />
Global Committees progress<br />
https://www.owasp.org/index.php/Global_Committee_Pages<br />
<br><br />
What should the next OWASP Top 10 contain? http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project<br />
<br><br />
Upcoming Conferences<br />
http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference<br />
<br><br />
Season of Code 2009<br />
http://www.owasp.org/index.php/OWASP_Season_of_Code_2009<br />
<br><br />
Board Mins.<br />
http://www.owasp.org/index.php/OWASP_Board_Meetings<br />
<br />
==OWASP AppSec News==<br />
;6/1 The State of Web Application and Data Security http://securosis.com/blog/the-state-of-web-application-and-data-security-mid-2009/<br />
;6/3 The Encryption Myth http://www.boazgelbord.com/2009/06/encryption-myth.html <br />
;6/16 Opera Invites You To Join The Cloud http://www.boazgelbord.com/2009/06/opera-invites-you-to-join-cloud.html <br />
;6/16 Google Cloud Told To Encrypt Itself http://www.theregister.co.uk/2009/06/16/google_and_https/ <br />
;6/20 Nevada Mandates PCI http://www.boazgelbord.com/2009/06/nevada-mandates-pci-standard.html <br />
;6/30 OWASP Security Spending Benchmarks Project for Q2 Published http://www.owasp.org/images/f/f0/OWASP_SSB_Q2_Project_Report.pdf<br />
<br><br />
<br><br />
<br />
'''August-September 2009'''<br />
<br />
1. The Top Cyber Security Risks (SANS) http://www.sans.org/top-cyber-security-risks/ <br />
<br />
2. Google to deliver “Government Cloud” in 2010 http://www.computerworld.com/s/article/9138075/Google_to_deliver_government_cloud_to_feds_in_2010 <br />
<br />
3. Overcoming Objections to an Application Security Program<br />
http://jeremiahgrossman.blogspot.com/2009/08/overcoming-objections-to-application.html <br />
<br />
4. Wordpress Bugs…A Disturbing Vulnerability http://preachsecurity.blogspot.com/2009/08/wordpress-bugs-disturbing-vulnerability.html <br />
<br />
5. SSL Threat Model http://blog.ivanristic.com/2009/09/ssl-threat-model.html<br />
<br />
6. Malware Lingers Months on Infected PCs http://www.theregister.co.uk/2009/09/15/malware_persistence/<br />
<br />
7. Are Web Application Security Testing Tools a Waste of Money<br />
http://blogs.gartner.com/neil_macdonald/2009/08/25/are-web-application-security-testing-tools-a-waste-of-time-and-money/ <br />
<br />
8. Application Vulnerability Scanners Should Communicate with Application Firewalls<br />
http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/ <br />
<br />
9. Flash Cookies and Privacy http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862</div>Bgelbordhttps://wiki.owasp.org/index.php?title=Podcast_News&diff=69229Podcast News2009-09-17T19:08:14Z<p>Bgelbord: </p>
<hr />
<div>'''[[Podcast_News|OWASP Podcast News]]'''<br />
<br />
OWASP NEWS April 2009<br/><br />
<br />
==OWASP General News==<br />
<br><br />
Global Committees progress<br />
https://www.owasp.org/index.php/Global_Committee_Pages<br />
<br><br />
What should the next OWASP Top 10 contain? http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project<br />
<br><br />
Upcoming Conferences<br />
http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference<br />
<br><br />
Season of Code 2009<br />
http://www.owasp.org/index.php/OWASP_Season_of_Code_2009<br />
<br><br />
Board Mins.<br />
http://www.owasp.org/index.php/OWASP_Board_Meetings<br />
<br />
==OWASP AppSec News==<br />
;6/1 The State of Web Application and Data Security http://securosis.com/blog/the-state-of-web-application-and-data-security-mid-2009/<br />
;6/3 The Encryption Myth http://www.boazgelbord.com/2009/06/encryption-myth.html <br />
;6/16 Opera Invites You To Join The Cloud http://www.boazgelbord.com/2009/06/opera-invites-you-to-join-cloud.html <br />
;6/16 Google Cloud Told To Encrypt Itself http://www.theregister.co.uk/2009/06/16/google_and_https/ <br />
;6/20 Nevada Mandates PCI http://www.boazgelbord.com/2009/06/nevada-mandates-pci-standard.html <br />
;6/30 OWASP Security Spending Benchmarks Project for Q2 Published http://www.owasp.org/images/f/f0/OWASP_SSB_Q2_Project_Report.pdf<br />
<br><br />
<br><br />
<br />
'''August-September 2009'''<br />
<br />
1. The Top Cyber Security Risks (SANS) http://www.sans.org/top-cyber-security-risks/ <br />
<br />
2. Google to deliver “Government Cloud” in 2010 http://www.computerworld.com/s/article/9138075/Google_to_deliver_government_cloud_to_feds_in_2010 <br />
<br />
3. Overcoming Objections to an Application Security Program<br />
http://jeremiahgrossman.blogspot.com/2009/08/overcoming-objections-to-application.html <br />
<br />
4. Wordpress Bugs…A Disturbing Vulnerability http://preachsecurity.blogspot.com/2009/08/wordpress-bugs-disturbing-vulnerability.html <br />
<br />
5. SSL Threat Model http://blog.ivanristic.com/2009/09/ssl-threat-model.html<br />
<br />
6. Malware Lingers Months on Infected PCs http://www.theregister.co.uk/2009/09/15/malware_persistence/<br />
<br />
7. Are Web Application Security Testing Tools a Waste of Money<br />
http://blogs.gartner.com/neil_macdonald/2009/08/25/are-web-application-security-testing-tools-a-waste-of-time-and-money/ <br />
<br />
8. Application Vulnerability Scanners Should Communicate with Application Firewalls<br />
http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/ <br />
<br />
8. Flash Cookies and Privacy http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862</div>Bgelbordhttps://wiki.owasp.org/index.php?title=Podcast_News&diff=66445Podcast News2009-07-23T19:25:04Z<p>Bgelbord: added June articles</p>
<hr />
<div>'''[[Podcast_News|OWASP Podcast News]]'''<br />
<br />
OWASP NEWS April 2009<br/><br />
<br />
==OWASP General News==<br />
<br><br />
Global Committees progress<br />
https://www.owasp.org/index.php/Global_Committee_Pages<br />
<br><br />
What should the next OWASP Top 10 contain? http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project<br />
<br><br />
Upcoming Conferences<br />
http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference<br />
<br><br />
Season of Code 2009<br />
http://www.owasp.org/index.php/OWASP_Season_of_Code_2009<br />
<br><br />
Board Mins.<br />
http://www.owasp.org/index.php/OWASP_Board_Meetings<br />
<br />
==OWASP AppSec News==<br />
;5/15 Does Tokenization Solve Anything? http://www.secureconsulting.net/2009/05/does_tokenization_solve_anythi.html<br />
;5/16 Daily Dave and crew talk browser-based client side crypto http://seclists.org/dailydave/2009/q2/0093.html<br />
;5/19 It’s No Secret. Measuring the Security and Reliability of Authentication via ‘Secret’ Questions http://newschoolsecurity.com/2009/05/179/<br />
;5/19 Some Thoughts on the OWASP Top Ten http://blog.ncircle.com/blogs/vert/archives/2009/05/some_thoughts_on_the_owasp_top.html<br />
;5/19 Making Secure Code Easier http://blogs.msdn.com/sdl/archive/2009/05/19/making-secure-code-easier.aspx<br />
;5/19 Java deserialization issues http://blog.cr0.org/2009/05/write-once-own-everyone.html<br />
;5/20 Parameter Pollution http://www.h-online.com/security/New-type-of-attack-on-web-applications-Parameter-Pollution--/news/113333/from/rss<br />
;5/28 Don Ankney LayerOne XSS Presentation http://hackerco.de/2009/05/layerone-presentation-video.html<br />
;5/28 Logging in the Age of Web Services http://1raindrop.typepad.com/1_raindrop/2009/05/logging-in-the-age-of-web-services.html<br />
<br />
;6/1 The State of Web Application and Data Security http://securosis.com/blog/the-state-of-web-application-and-data-security-mid-2009/<br />
<br />
;6/3 The Encryption Myth http://www.boazgelbord.com/2009/06/encryption-myth.html <br />
<br />
;6/16 Opera Invites You To Join The Cloud http://www.boazgelbord.com/2009/06/opera-invites-you-to-join-cloud.html <br />
<br />
;6/16 Google Cloud Told To Encrypt Itself http://www.theregister.co.uk/2009/06/16/google_and_https/ <br />
<br />
;6/20 Nevada Mandates PCI http://www.boazgelbord.com/2009/06/nevada-mandates-pci-standard.html <br />
<br />
;6/30 OWASP Security Spending Benchmarks Project for Q2 Published http://www.owasp.org/images/f/f0/OWASP_SSB_Q2_Project_Report.pdf</div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=66361Category:OWASP Security Spending Benchmarks2009-07-21T21:30:00Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
== NEXT REPORT TO BE PUBLISHED IN Q4 ==<br />
<br />
== Q2 Report Published - Focus on Cloud Computing ==<br />
<br />
The Q2 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/f/f0/OWASP_SSB_Q2_Project_Report.pdf PDF Download]]<br />
<br />
There are a number of key findings in the Q2 09 study:<br />
<br />
* Software-as-a-Service is in much greater use than Infrastructure-as-a-Service or Platform-as-a-Service. Over half of respondents make moderate or significant use of SaaS. Less than a quarter of all respondents make any use of either IaaS or PaaS.<br />
<br />
* Security spending does not change significantly as a result of cloud computing. Respondents did not report significant spending changes in the areas of network security, third party security reviews, security personnel, or identity management.<br />
<br />
* Organizations are not doing their homework when it comes to cloud security. When engaging a cloud partner, only half of organizations inquire about common security-related issues, and only a third require documentation of security measures in place.<br />
<br />
* The risk of an undetected data breach is the greatest concern with using cloud computing, closely followed by the risk of a public data breach.<br />
<br />
* Compliance and standards requirements related to cloud computing are not well understood. Respondents report having the greatest understanding of PCI requirements relating to cloud computing and the least understanding of HIPAA cloud requirements.<br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The Q1 2009 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the Q1 09 study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-June 10th (EXTENDED): Collect survey responses through partner network.<br /><br />
4. June 10th-June 20th: Analyze results and produce draft report.<br /><br />
5. June 20th - June 25th: Get partner feedback on draft and make edits.<br /><br />
6. June 30th: Final report published<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(DONE)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]<br />
<br />
Information Security Magazine [http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1352162,00.html Web browsers remain vulnerable to user mistakes]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''boaz.gelbord AT owasp.org''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:CSI.jpg | 200px]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:The-open-group.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=65026Category:OWASP Security Spending Benchmarks2009-06-30T04:44:31Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
== Q2 Report Published - Focus on Cloud Computing ==<br />
<br />
The Q2 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/f/f0/OWASP_SSB_Q2_Project_Report.pdf PDF Download]]<br />
<br />
There are a number of key findings in the Q2 09 study:<br />
<br />
* Software-as-a-Service is in much greater use than Infrastructure-as-a-Service or Platform-as-a-Service. Over half of respondents make moderate or significant use of SaaS. Less than a quarter of all respondents make any use of either IaaS or PaaS.<br />
<br />
* Security spending does not change significantly as a result of cloud computing. Respondents did not report significant spending changes in the areas of network security, third party security reviews, security personnel, or identity management.<br />
<br />
* Organizations are not doing their homework when it comes to cloud security. When engaging a cloud partner, only half of organizations inquire about common security-related issues, and only a third require documentation of security measures in place.<br />
<br />
* The risk of an undetected data breach is the greatest concern with using cloud computing, closely followed by the risk of a public data breach.<br />
<br />
* Compliance and standards requirements related to cloud computing are not well understood. Respondents report having the greatest understanding of PCI requirements relating to cloud computing and the least understanding of HIPAA cloud requirements.<br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The Q1 2009 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the Q1 09 study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-June 10th (EXTENDED): Collect survey responses through partner network.<br /><br />
4. June 10th-June 20th: Analyze results and produce draft report.<br /><br />
5. June 20th - June 25th: Get partner feedback on draft and make edits.<br /><br />
6. June 30th: Final report published<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(DONE)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]<br />
<br />
Information Security Magazine [http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1352162,00.html Web browsers remain vulnerable to user mistakes]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''boaz.gelbord AT owasp.org''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:CSI.jpg | 200px]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:The-open-group.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=File:OWASP_SSB_Q2_Project_Report.pdf&diff=65025File:OWASP SSB Q2 Project Report.pdf2009-06-30T04:40:11Z<p>Bgelbord: This is the Q2 report of the OWASP Security Spending Benchmarks Project with a focus on cloud computing.</p>
<hr />
<div>This is the Q2 report of the OWASP Security Spending Benchmarks Project with a focus on cloud computing.</div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=65024Category:OWASP Security Spending Benchmarks2009-06-30T04:38:01Z<p>Bgelbord: Added Q2 report</p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
== Q2 Report Published - Focus on Cloud Computing ==<br />
<br />
The Q2 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:<br />
<br />
There are a number of key findings in the Q2 09 study:<br />
<br />
* Software-as-a-Service is in much greater use than Infrastructure-as-a-Service or Platform-as-a-Service. Over half of respondents make moderate or significant use of SaaS. Less than a quarter of all respondents make any use of either IaaS or PaaS.<br />
<br />
* Security spending does not change significantly as a result of cloud computing. Respondents did not report significant spending changes in the areas of network security, third party security reviews, security personnel, or identity management.<br />
<br />
* Organizations are not doing their homework when it comes to cloud security. When engaging a cloud partner, only half of organizations inquire about common security-related issues, and only a third require documentation of security measures in place.<br />
<br />
* The risk of an undetected data breach is the greatest concern with using cloud computing, closely followed by the risk of a public data breach.<br />
<br />
* Compliance and standards requirements related to cloud computing are not well understood. Respondents report having the greatest understanding of PCI requirements relating to cloud computing and the least understanding of HIPAA cloud requirements.<br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The Q1 2009 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the Q1 09 study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-June 10th (EXTENDED): Collect survey responses through partner network.<br /><br />
4. June 10th-June 20th: Analyze results and produce draft report.<br /><br />
5. June 20th - June 25th: Get partner feedback on draft and make edits.<br /><br />
6. June 30th: Final report published<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(DONE)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]<br />
<br />
Information Security Magazine [http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1352162,00.html Web browsers remain vulnerable to user mistakes]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''boaz.gelbord AT owasp.org''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:CSI.jpg | 200px]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:The-open-group.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Podcast_News&diff=64092Podcast News2009-06-11T22:08:09Z<p>Bgelbord: removal of duplicates</p>
<hr />
<div>'''[[Podcast_News|OWASP Podcast News]]'''<br />
<br />
OWASP NEWS April 2009<br/><br />
<br />
==OWASP General News==<br />
<br><br />
Global Committees progress<br />
https://www.owasp.org/index.php/Global_Committee_Pages<br />
<br><br />
What should the next OWASP Top 10 contain? http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project<br />
<br><br />
Upcoming Conferences<br />
http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference<br />
<br><br />
Season of Code 2009<br />
http://www.owasp.org/index.php/OWASP_Season_of_Code_2009<br />
<br><br />
Board Mins.<br />
http://www.owasp.org/index.php/OWASP_Board_Meetings<br />
<br />
==OWASP AppSec News==<br />
;5/1 Mythbusting – Secure Code is Less Expensive to Develop http://jeremiahgrossman.blogspot.com/2009/05/mythbusting-secure-code-is-less.html<br />
;5/1 Getting started with the PHPIS Intrusion Detection System http://www.h-online.com/security/Getting-started-with-the-PHPIDS-intrusion-detection-system--/features/113163<br />
;5/4 http://feedproxy.google.com/~r/mcgovern/~3/k9BoNtavPxQ/conference-is-about-community.html<br />
;5/5 http://nickcoblentz.blogspot.com/2009/05/light-weight-code-review-as-you-program.html<br />
<br />
;5/4 Using Denial of Service for Hacking http://ha.ckers.org/blog/20090504/using-denial-of-service-for-hacking/<br />
;5/4 OWASP ISWG: Struts 2/WebWork Gap Analysis http://nickcoblentz.blogspot.com/2009/05/owasp-iswg-struts-2webwork-gap-analysis.html http://nickcoblentz.blogspot.com/2009/05/struts-2-security-addons-code.html<br />
;5/4 Best Practice: Consider External Data Feeds Untrusted http://www.veracode.com/blog/2009/05/best-practice-consider-external-data-feeds-untrusted/<br />
;5/4 Protection against Forceful Browsing http://coding-insecurity.blogspot.com/2009/05/protection-against-forceful-browsing.html<br />
;5/5 Moth - A new release from the w3af project http://www.mail-archive.com/w3af-develop@lists.sourceforge.net/msg00369.html http://security-sh3ll.blogspot.com/2009/05/moth.html<br />
;5/5 Botnets took control of 12 million new IPs this year http://www.wired.com/threatlevel/2009/05/botnets-took-control-of-12-million-new-ips-this-year/<br />
;5/6 Enter Formjacking http://i8jesus.com/?p=48<br />
;5/8 8 Reasons Why Website Vulnerabilities Are Not Fixed http://jeremiahgrossman.blogspot.com/2009/05/8-reasons-why-website-vulnerabilities.html<br />
;5/8 SQL Injection Lessons from X-Force Emergency Response Service Investigations http://blogs.iss.net/archive/sql-injection-ers.html<br />
;5/12 Delay of FTC Red Flag Rule http://www.bankinfosecurity.com/articles.php?art_id=1457<br />
;5/13 Botnet is Captured and Studied http://gadgetwise.blogs.nytimes.com/2009/05/13/botnet-is-captured-and-studied-and-the-findings-arent-good/<br />
;5/13 Effective Account Lockout http://coding-insecurity.blogspot.com/2009/05/effective-account-lockout.html<br />
;5/13 Sincerest Form of Flattery http://securitylabs.websense.com/content/Blogs/3397.aspx<br />
<br />
<br />
;5/15 Does Tokenization Solve Anything? http://www.secureconsulting.net/2009/05/does_tokenization_solve_anythi.html<br />
;5/16 Daily Dave and crew talk browser-based client side crypto http://seclists.org/dailydave/2009/q2/0093.html<br />
;5/19 It’s No Secret. Measuring the Security and Reliability of Authentication via ‘Secret’ Questions http://newschoolsecurity.com/2009/05/179/<br />
;5/19 Some Thoughts on the OWASP Top Ten http://blog.ncircle.com/blogs/vert/archives/2009/05/some_thoughts_on_the_owasp_top.html<br />
;5/19 Making Secure Code Easier http://blogs.msdn.com/sdl/archive/2009/05/19/making-secure-code-easier.aspx<br />
;5/19 Java deserialization issues http://blog.cr0.org/2009/05/write-once-own-everyone.html<br />
;5/20 Parameter Pollution http://www.h-online.com/security/New-type-of-attack-on-web-applications-Parameter-Pollution--/news/113333/from/rss<br />
;5/28 Don Ankney LayerOne XSS Presentation http://hackerco.de/2009/05/layerone-presentation-video.html<br />
;5/28 Logging in the Age of Web Services http://1raindrop.typepad.com/1_raindrop/2009/05/logging-in-the-age-of-web-services.html</div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=64048Category:OWASP Security Spending Benchmarks2009-06-10T20:17:56Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The Q1 2009 report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the Q1 09 study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-June 10th (EXTENDED): Collect survey responses through partner network.<br /><br />
4. June 10th-June 20th: Analyze results and produce draft report.<br /><br />
5. June 20th - June 25th: Get partner feedback on draft and make edits.<br /><br />
6. June 25th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(DONE)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]<br />
<br />
Information Security Magazine [http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1352162,00.html Web browsers remain vulnerable to user mistakes]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''boaz.gelbord AT owasp.org''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:CSI.jpg | 200px]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:The-open-group.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=64047Category:OWASP Security Spending Benchmarks2009-06-10T20:10:32Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The Q1 2009 report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the Q1 09 study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-June 10th (EXTENDED): Collect survey responses through partner network.<br /><br />
4. June 10th-June 20th: Analyze results and produce draft report.<br /><br />
5. June 20th - June 25th: Get partner feedback on draft and make edits.<br /><br />
6. June 25th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(DONE)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]<br />
<br />
Information Security Magazine [http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1352162,00.html Web browsers remain vulnerable to user mistakes]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''boaz.gelbord AT owasp.org''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:CSI.jpg]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:The-open-group.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=File:CSI.jpg&diff=64044File:CSI.jpg2009-06-10T20:08:58Z<p>Bgelbord: CSI logo</p>
<hr />
<div>CSI logo</div>Bgelbordhttps://wiki.owasp.org/index.php?title=Podcast_News&diff=63704Podcast News2009-06-07T00:04:02Z<p>Bgelbord: added some more news stories</p>
<hr />
<div>'''[[Podcast_News|OWASP Podcast News]]'''<br />
<br />
OWASP NEWS April 2009<br/><br />
<br />
==OWASP General News==<br />
<br><br />
Global Committees progress<br />
https://www.owasp.org/index.php/Global_Committee_Pages<br />
<br><br />
What should the next OWASP Top 10 contain? http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project<br />
<br><br />
Upcoming Conferences<br />
http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference<br />
<br><br />
Season of Code 2009<br />
http://www.owasp.org/index.php/OWASP_Season_of_Code_2009<br />
<br><br />
Board Mins.<br />
http://www.owasp.org/index.php/OWASP_Board_Meetings<br />
<br />
==OWASP AppSec News==<br />
;5/4 http://nickcoblentz.blogspot.com/2009/05/owasp-iswg-struts-2webwork-gap-analysis.html<br />
;5/4 http://feedproxy.google.com/~r/mcgovern/~3/k9BoNtavPxQ/conference-is-about-community.html<br />
;5/5 http://coding-insecurity.blogspot.com/2009/05/protection-against-forceful-browsing.html<br />
;5/5 http://nickcoblentz.blogspot.com/2009/05/light-weight-code-review-as-you-program.html<br />
;5/16 Daily Dave and crew talk browser-based client side crypto http://seclists.org/dailydave/2009/q2/0093.html<br />
<br />
;5/1 Mythbusting – Secure Code is Less Expensive to Develop http://jeremiahgrossman.blogspot.com/2009/05/mythbusting-secure-code-is-less.html<br />
;5/5 Botnets took control of 12 million new IPs this year http://www.wired.com/threatlevel/2009/05/botnets-took-control-of-12-million-new-ips-this-year/<br />
;5/13 Botnet is Captured and Studied http://gadgetwise.blogs.nytimes.com/2009/05/13/botnet-is-captured-and-studied-and-the-findings-arent-good/<br />
;5/12 Delay of FTC Red Flag Rule http://www.bankinfosecurity.com/articles.php?art_id=1457<br />
;5/8 8 Reasons Why Website Vulnerabilities Are Not Fixed http://jeremiahgrossman.blogspot.com/2009/05/8-reasons-why-website-vulnerabilities.html</div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=63592Category:OWASP Security Spending Benchmarks2009-06-04T15:14:13Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The Q1 2009 report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the Q1 09 study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-June 10th (EXTENDED): Collect survey responses through partner network.<br /><br />
4. June 10th-June 20th: Analyze results and produce draft report.<br /><br />
5. June 20th - June 25th: Get partner feedback on draft and make edits.<br /><br />
6. June 25th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(DONE)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]<br />
<br />
Information Security Magazine [http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1352162,00.html Web browsers remain vulnerable to user mistakes]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''boaz.gelbord AT owasp.org''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:The-open-group.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=62927Category:OWASP Security Spending Benchmarks2009-05-28T19:22:12Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The Q1 2009 report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the Q1 09 study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 29th (EXTENDED): Collect survey responses through partner network.<br /><br />
4. June 1st-June 10th: Analyze results and produce draft report.<br /><br />
5. June 10th - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(DONE)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]<br />
<br />
Information Security Magazine [http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1352162,00.html Web browsers remain vulnerable to user mistakes]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''boaz.gelbord AT owasp.org''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:The-open-group.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=File:The-open-group.gif&diff=62926File:The-open-group.gif2009-05-28T19:20:53Z<p>Bgelbord: </p>
<hr />
<div></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=62924Category:OWASP Security Spending Benchmarks2009-05-28T18:21:51Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The Q1 2009 report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the Q1 09 study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 29th (EXTENDED): Collect survey responses through partner network.<br /><br />
4. June 1st-June 10th: Analyze results and produce draft report.<br /><br />
5. June 10th - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(DONE)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]<br />
<br />
Information Security Magazine [http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1352162,00.html Web browsers remain vulnerable to user mistakes]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''boaz.gelbord AT owasp.org''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=62013Category:OWASP Security Spending Benchmarks2009-05-26T17:58:28Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 29th (EXTENDED): Collect survey responses through partner network.<br /><br />
4. June 1st-June 10th: Analyze results and produce draft report.<br /><br />
5. June 10th - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]<br />
<br />
Information Security Magazine [http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1352162,00.html Web browsers remain vulnerable to user mistakes]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''boaz.gelbord AT owasp.org''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=58505Category:OWASP Security Spending Benchmarks2009-04-08T14:49:38Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 15th: Collect survey responses through partner network.<br /><br />
4. May 15th-May 31st: Analyze results and produce draft report.<br /><br />
5. June 1st - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]<br />
<br />
Information Security Magazine [http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1352162,00.html Web browsers remain vulnerable to user mistakes]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''boaz.gelbord AT owasp.org''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=57876Category:OWASP Security Spending Benchmarks2009-04-02T17:05:02Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 15th: Collect survey responses through partner network.<br /><br />
4. May 15th-May 31st: Analyze results and produce draft report.<br /><br />
5. June 1st - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]<br />
<br />
Information Security Magazine [http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1352162,00.html Web browsers remain vulnerable to user mistakes]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=57607Category:OWASP Security Spending Benchmarks2009-03-30T15:42:31Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 15th: Collect survey responses through partner network.<br /><br />
4. May 15th-May 31st: Analyze results and produce draft report.<br /><br />
5. June 1st - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=57487Category:OWASP Security Spending Benchmarks2009-03-27T19:47:26Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 15th: Collect survey responses through partner network.<br /><br />
4. May 15th-May 31st: Analyze results and produce draft report.<br /><br />
5. June 1st - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=57455Category:OWASP Security Spending Benchmarks2009-03-27T15:43:15Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 15th: Collect survey responses through partner network.<br /><br />
4. May 15th-May 31st: Analyze results and produce draft report.<br /><br />
5. June 1st - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]<br />
<br />
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=57425Category:OWASP Security Spending Benchmarks2009-03-26T21:16:54Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 15th: Collect survey responses through partner network.<br /><br />
4. May 15th-May 31st: Analyze results and produce draft report.<br /><br />
5. June 1st - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=57423Category:OWASP Security Spending Benchmarks2009-03-26T19:09:08Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 15th: Collect survey responses through partner network.<br /><br />
4. May 15th-May 31st: Analyze results and produce draft report.<br /><br />
5. June 1st - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=57422Category:OWASP Security Spending Benchmarks2009-03-26T18:32:38Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 15th: Collect survey responses through partner network.<br /><br />
4. May 15th-May 31st: Analyze results and produce draft report.<br /><br />
5. June 1st - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=57416Category:OWASP Security Spending Benchmarks2009-03-26T17:37:28Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 15th: Collect survey responses through partner network.<br /><br />
4. May 15th-May 31st: Analyze results and produce draft report.<br /><br />
5. June 1st - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]<br />
<br />
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=57415Category:OWASP Security Spending Benchmarks2009-03-26T17:34:35Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 15th: Collect survey responses through partner network.<br /><br />
4. May 15th-May 31st: Analyze results and produce draft report.<br /><br />
5. June 1st - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=57400Category:OWASP Security Spending Benchmarks2009-03-26T15:05:58Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 15th: Collect survey responses through partner network.<br /><br />
4. May 15th-May 31st: Analyze results and produce draft report.<br /><br />
5. June 1st - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]<br />
<br />
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]<br />
<br />
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]<br />
<br />
Search Security (Germany): [http://www.searchsecurity.de/themenbereiche/applikationssicherheit/sichere-software-entwicklung/articles/177103 Drittanbieter-Code-Review und geschulte Programmierer bevorzugt]<br />
<br />
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=57398Category:OWASP Security Spending Benchmarks2009-03-26T14:17:45Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 15th: Collect survey responses through partner network.<br /><br />
4. May 15th-May 31st: Analyze results and produce draft report.<br /><br />
5. June 1st - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage of OWASP SSB Project ==<br />
<br />
[http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ SC Magazine] "OWASP Security Spending Benchmarks Report Published"<br />
<br />
[http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Dark Reading] "Web Application Security Spending Relatively Unscathed by Poor Economy"<br />
<br />
[http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html Search Security] "More companies seek third-party code review, survey finds"<br />
<br />
[http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html PC World] "Survey Guages Web Application Security Spending"<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=57312Category:OWASP Security Spending Benchmarks2009-03-24T19:02:22Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 15th: Collect survey responses through partner network.<br /><br />
4. May 15th-May 31st: Analyze results and produce draft report.<br /><br />
5. June 1st - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage ==<br />
<br />
[http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ SC Magazine] <br />
<br />
[http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Dark Reading]<br />
<br />
[http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html Search Security]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=57192Category:OWASP Security Spending Benchmarks2009-03-22T19:26:46Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br /><br />
2. April 15-30: Formulate survey questions based on identified thematic priorities <br /><br />
3. May 1st-May 15th: Collect survey responses through partner network.<br /><br />
4. May 15th-May 31st: Analyze results and produce draft report.<br /><br />
5. June 1st - June 15th: Get partner feedback on draft and make edits.<br /><br />
6. June 15th: Publish final report<br /><br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage ==<br />
<br />
[http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ SC Magazine] <br />
<br />
[http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Dark Reading]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=57191Category:OWASP Security Spending Benchmarks2009-03-22T19:25:39Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
<br />
Planned Q2 Timeline:<br />
<br />
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br />
2. April 15-30: Formulate survey questions based on identified thematic priorities<br />
3. May 1st-May 15th: Collect survey responses through partner network.<br />
4. May 15th-May 31st: Analyze results and produce draft report.<br />
5. June 1st - June 15th: Get partner feedback on draft and make edits.<br />
6. June 15th: Publish final report<br />
<br />
Q1 Timeline:<br />
<br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== News Coverage ==<br />
<br />
[http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ SC Magazine] <br />
<br />
[http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Dark Reading]<br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=57003Category:OWASP Security Spending Benchmarks2009-03-19T14:33:44Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=56957Category:OWASP Security Spending Benchmarks2009-03-19T03:28:16Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
'''UPDATE: SURVEY RESULTS WILL BE PUBLISHED ON THURSDAY MARCH 19TH!'''<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=56956Category:OWASP Security Spending Benchmarks2009-03-19T03:26:21Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
'''UPDATE: SURVEY RESULTS WILL BE PUBLISHED ON THURSDAY MARCH 19TH!'''<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Survey Questions ==<br />
<br />
The full list of survey questions for the March 2009 report can be found at:<br />
<br />
[[https://www.owasp.org/images/7/79/Owasp_ssb_draft7.pdf PDF Download]]<br />
<br />
<br />
== Data Collection & Distribution ==<br />
<br />
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.<br />
<br />
<br />
== Project Status == <br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(CURRENT)<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=56955Category:OWASP Security Spending Benchmarks2009-03-19T03:23:46Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
'''UPDATE: SURVEY RESULTS WILL BE PUBLISHED ON THURSDAY MARCH 19TH!'''<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Survey Questions ==<br />
<br />
The full list of survey questions can be found at:<br />
<br />
[[https://www.owasp.org/images/7/79/Owasp_ssb_draft7.pdf PDF Download]]<br />
<br />
<br />
== Data Collection & Distribution ==<br />
<br />
We are utilizing the SurveyMonkey system to host the survey. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We are controlling survey access via username/password, as well as through a trusted network of contacts. All information collected will be made available in report (PDF, HTML) as well as raw (CSV, XML, etc.) form.<br />
<br />
<br />
== Project Status == <br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=56954Category:OWASP Security Spending Benchmarks2009-03-19T03:22:30Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
'''UPDATE: SURVEY RESULTS WILL BE PUBLISHED ON THURSDAY MARCH 19TH!'''<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available. It can be found at the following link:<br />
<br />
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Survey Questions ==<br />
<br />
The full list of survey questions can be found at:<br />
<br />
[[https://www.owasp.org/images/7/79/Owasp_ssb_draft7.pdf PDF Download]]<br />
<br />
<br />
== Data Collection & Distribution ==<br />
<br />
We are utilizing the SurveyMonkey system to host the survey. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We are controlling survey access via username/password, as well as through a trusted network of contacts. All information collected will be made available in report (PDF, HTML) as well as raw (CSV, XML, etc.) form.<br />
<br />
<br />
== Project Status == <br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=File:OWASP_SSB_Project_Report_March_2009.pdf&diff=56953File:OWASP SSB Project Report March 2009.pdf2009-03-19T03:18:09Z<p>Bgelbord: </p>
<hr />
<div></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=56952Category:OWASP Security Spending Benchmarks2009-03-19T03:09:41Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
'''UPDATE: SURVEY RESULTS WILL BE PUBLISHED ON THURSDAY MARCH 19TH!'''<br />
== Security Spending Benchmarks Project Report March 2009 ==<br />
<br />
The first report of the OWASP Security Spending Benchmarks Report is now available.<br />
<br />
There are a number of key findings in the study:<br />
<br />
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.<br />
<br />
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.<br />
<br />
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.<br />
<br />
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).<br />
<br />
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.<br />
<br />
== Raw Data ==<br />
<br />
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here]. <br />
<br />
== Inquiries ==<br />
<br />
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or are would like to inquire about contributing to the project.<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Survey Questions ==<br />
<br />
The full list of survey questions can be found at:<br />
<br />
[[https://www.owasp.org/images/7/79/Owasp_ssb_draft7.pdf PDF Download]]<br />
<br />
<br />
== Data Collection & Distribution ==<br />
<br />
We are utilizing the SurveyMonkey system to host the survey. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We are controlling survey access via username/password, as well as through a trusted network of contacts. All information collected will be made available in report (PDF, HTML) as well as raw (CSV, XML, etc.) form.<br />
<br />
<br />
== Project Status == <br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=56670Category:OWASP Security Spending Benchmarks2009-03-13T21:05:55Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
'''UPDATE: SURVEY RESULTS WILL BE PUBLISHED ON THURSDAY MARCH 19TH!'''<br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
The survey was formulated with the help of our project partners to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
== Survey Questions ==<br />
<br />
The full list of survey questions can be found at:<br />
<br />
[[https://www.owasp.org/images/7/79/Owasp_ssb_draft7.pdf PDF Download]]<br />
<br />
<br />
== Data Collection & Distribution ==<br />
<br />
We are utilizing the SurveyMonkey system to host the survey. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We are controlling survey access via username/password, as well as through a trusted network of contacts. All information collected will be made available in report (PDF, HTML) as well as raw (CSV, XML, etc.) form.<br />
<br />
<br />
== Project Status == <br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=56594Category:OWASP Security Spending Benchmarks2009-03-12T16:13:09Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
<br />
How do the above answers correlate with:<br />
<br />
<ul><br />
<li>Company size</li><br />
<li>Industry vertical</li><br />
<li>Sensitivity of the underlying data</li><br />
<li>Existence of executive level security oversight</li><br />
<li>Role of security in the company’s software development cycle</li><br />
</ul><br />
<br />
<br />
== Survey Questions ==<br />
<br />
[[https://www.owasp.org/images/7/79/Owasp_ssb_draft7.pdf PDF Download]]<br />
<br />
<br />
== Data Collection & Distribution ==<br />
<br />
For data collection our current plan is to utilize the SurveyMonkey system for hosting of the survey. We will not be collecting any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we plan to take precautions to limit the potential while not creating unnecessary overhead. We are controlling survey access via username/password, as well as through a trusted network of contacts. All information collected will be made available in report (PDF, HTML) as well as raw (CSV, XML, etc.) form.<br />
<br />
<br />
== Project Status == <br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.<br/><br />
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=56367Category:OWASP Security Spending Benchmarks2009-03-09T16:04:30Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
<br />
How do the above answers correlate with:<br />
<br />
<ul><br />
<li>Company size</li><br />
<li>Industry vertical</li><br />
<li>Sensitivity of the underlying data</li><br />
<li>Existence of executive level security oversight</li><br />
<li>Role of security in the company’s software development cycle</li><br />
</ul><br />
<br />
<br />
== Survey Questions ==<br />
<br />
[[https://www.owasp.org/images/7/79/Owasp_ssb_draft7.pdf PDF Download]]<br />
<br />
<br />
== Data Collection & Distribution ==<br />
<br />
For data collection our current plan is to utilize the SurveyMonkey system for hosting of the survey. We will not be collecting any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we plan to take precautions to limit the potential while not creating unnecessary overhead. We are controlling survey access via username/password, as well as through a trusted network of contacts. All information collected will be made available in report (PDF, HTML) as well as raw (CSV, XML, etc.) form.<br />
<br />
<br />
== Project Status == <br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. January 12th - Open up survey to respondents (DONE) <br /><br />
3. February 6 (extended from Jan 26) - Close survey (DONE) <br /><br />
4. February 6th - Survey Analysis Begins (DONE) <br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br /><br />
6. February 20th- Decision point whether to include late submissions (DONE) <br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/><br />
8. March 15th - Publish report after integrating partner feedback. Generate community interest and discussion around results.<br/><br />
9. After March 15th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=53675Category:OWASP Security Spending Benchmarks2009-02-09T15:52:02Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
<br />
How do the above answers correlate with:<br />
<br />
<ul><br />
<li>Company size</li><br />
<li>Industry vertical</li><br />
<li>Sensitivity of the underlying data</li><br />
<li>Existence of executive level security oversight</li><br />
<li>Role of security in the company’s software development cycle</li><br />
</ul><br />
<br />
<br />
== Survey Questions ==<br />
<br />
[[https://www.owasp.org/images/7/79/Owasp_ssb_draft7.pdf PDF Download]]<br />
<br />
<br />
== Data Collection & Distribution ==<br />
<br />
For data collection our current plan is to utilize the SurveyMonkey system for hosting of the survey. We will not be collecting any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we plan to take precautions to limit the potential while not creating unnecessary overhead. We are controlling survey access via username/password, as well as through a trusted network of contacts. All information collected will be made available in report (PDF, HTML) as well as raw (CSV, XML, etc.) form.<br />
<br />
<br />
== Project Status == <br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. Open up survey to respondents (Jan 12, 2009) <br /><br />
3. Close survey (Feb 6, 2009 - extended from Jan 26, 2009) <br /><br />
4. February 6th - Survey Analysis Begins<br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report.<br /><br />
6. February 20th- Decision point whether to include late submissions<br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication.<br/><br />
8. March 15th - Publish report after integrating partner feedback. Generate community interest and discussion around results.<br/><br />
9. After March 15th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbordhttps://wiki.owasp.org/index.php?title=Category:OWASP_Security_Spending_Benchmarks&diff=53207Category:OWASP Security Spending Benchmarks2009-02-07T00:04:23Z<p>Bgelbord: </p>
<hr />
<div>[[:Category:OWASP Project]]<br> <br />
<br />
== About the Security Spending Benchmarks Project ==<br />
<br />
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:<br />
<br />
<ul><br />
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li><br />
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li><br />
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li><br />
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li><br />
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li><br />
</ul><br />
<br />
<br />
Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others: <br />
<br />
<ul><br />
<br />
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li><br />
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li><br />
<li>Where do Web application security budget come from?</li><br />
<li>How much budget is allocated towards security education?</li><br />
</ul><br />
<br />
<br />
How do the above answers correlate with:<br />
<br />
<ul><br />
<li>Company size</li><br />
<li>Industry vertical</li><br />
<li>Sensitivity of the underlying data</li><br />
<li>Existence of executive level security oversight</li><br />
<li>Role of security in the company’s software development cycle</li><br />
</ul><br />
<br />
<br />
== Survey Questions ==<br />
<br />
[[https://www.owasp.org/images/7/79/Owasp_ssb_draft7.pdf PDF Download]]<br />
<br />
<br />
== Data Collection & Distribution ==<br />
<br />
For data collection our current plan is to utilize the SurveyMonkey system for hosting of the survey. We will not be collecting any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we plan to take precautions to limit the potential while not creating unnecessary overhead. We are controlling survey access via username/password, as well as through a trusted network of contacts. All information collected will be made available in report (PDF, HTML) as well as raw (CSV, XML, etc.) form.<br />
<br />
<br />
== Project Status == <br />
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br /><br />
2. Open up survey to respondents (Jan 12, 2009) <br /><br />
3. Close survey (Feb 6, 2009 - extended from Jan 26, 2009) <br /><br />
4. February 6th - Survey Analysis Begins<br /><br />
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report.<br /><br />
6. February 20th- Decision point whether to include late submissions<br /><br />
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication.<br/><br />
8. March 10th - Publish report after integrating partner feedback. Generate community interest and discussion around results.<br/><br />
9. After March 10th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/><br />
<br />
== Project Leadership ==<br />
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.<br />
<br />
== Project Contributors ==<br />
<br />
[[Image:AppSecLogo.jpg]]<br clear="all"><br />
<br />
[[Image:Cenzic.jpg]]<br clear="all"><br />
<br />
[[Image:Cigital_logo.gif]]<br clear="all"><br />
<br />
[[Image:Denim_logo.gif]]<br clear="all"><br />
<br />
[[Image:echelonone.jpg]]<br clear="all"><br />
<br />
[[Image:eema.jpg]]<br clear="all"> <br />
<br />
[[Image:Fortify_logo.png]]<br clear="all"><br />
<br />
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all"><br />
<br />
[[Image:Ifis_logo.jpg]]<br clear="all"><br />
<br />
[[Image:MetroSITEGroup.jpg]] <br clear="all"><br />
<br />
[[Image:NCircle-logo.gif]]<br clear="all"><br />
<br />
[[Image:Imperva_Logo.gif]]<br clear="all"><br />
<br />
[[Image:Sectheory-logo-2.jpg]]<br clear="all"><br />
<br />
[[Image:Logo_securosis.png]]<br clear="all"><br />
<br />
[[Image:Tssci.png]]<br clear="all"><br />
<br />
[[Image:TTT_logo_2008.png]]<br clear="all"><br />
<br />
[[Image:Whitehat_security_logo.gif]]<br clear="all"></div>Bgelbord