OWASP - User contributions [en]

User:Jeremiahgrossman

2016-04-19T07:23:14Z

Jeremiahgrossman:

Jeremiah Grossman

Founder of WhiteHat Security. World-Renowned Professional Hacker. Brazilian Jiu-Jitsu Black Belt. Published Author. Influential Blogger. Off-Road Race Car Driver.

Jeremiah Grossman's career spans nearly 20 years and has lived a literal lifetime in computer security to become one of the industry's biggest names. And since Jeremiah earned a Brazilian Jiu-Jitsu black belt, the media has described him as "the embodiment of converged IT and physical security.” Preventing attacks from the scariest cyber-criminals is all in a day's work for Jeremiah, but staying a keystroke ahead of the bad guys isn't easy. In 2001, Jeremiah founded WhiteHat Security, which today has one of the largest professional hacking armies on the planet. Let it sink in. Professional. Hacker. Army.

Jeremiah has received a number of industry awards, been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for privately informing them of weaknesses in their systems -- a polite way of saying, ‘hacking them'. His research has included new ways to surreptitiously turn on anyone's computer video camera and microphone from anywhere across the Internet, sidestep corporate firewalls, abuse online advertising networks to take any website offline, hijack the email and bank accounts of millions, silently rip out saved passwords and surfing history from web browsers, and many other innovative cyber-attack techniques – some so insidious and fundamental that many still have not been fixed to this day.

Collectively, it's no surprise Jeremiah has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world who rely upon his expertise regularly. Just type “Jeremiah Grossman” into your favorite search engine, you'll see. He also serves on the advisory board of several hot start-ups including Kenna Security, SD Elements, and BugCrowd. Of course, all of this was after Mr. Grossman served as information security officer at Yahoo!

Podcast 18

2009-04-16T17:20:29Z

Jeremiahgrossman:

'''[[OWASP_Podcast|OWASP Podcast Series]] #18'''

OWASP Interview with [http://jeremiahgrossman.blogspot.com/ Jeremiah Grossman] (Chief Technology Officer, [http://www.whitehatsec.com/ WhiteHat Security]) 
Recorded March 30th, 2009

[http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012 http://images.apple.com/itunes/overview/images/overview-icon-itunes20081106.jpg] [http://www.owasp.org/download/jmanico/podcast.xml https://www.owasp.org/images/d/d3/Feed-icon-32x32.png] 

==Participants==
<ul>
<li>Jeremiah Grossman is the founder and CTO of WhiteHat Security. He is considered a world-renowned expert in Web security, is a co-founder of the Web Application Security Consortium, and was named to InfoWorld's Top 25 CTOs for 2007.</li>
</ul>

Category:OWASP Security Spending Benchmarks

2009-01-15T22:27:46Z

Jeremiahgrossman: /* Project Contributors */

File:NCircle-logo.gif

2009-01-15T22:27:14Z

Jeremiahgrossman:

Category:OWASP Security Spending Benchmarks

2009-01-10T00:14:59Z

Jeremiahgrossman: /* Project Contributors */

File:Logo securosis.png

2009-01-10T00:14:38Z

Jeremiahgrossman:

Category:OWASP Security Spending Benchmarks

2009-01-09T22:40:09Z

Jeremiahgrossman: /* Project Contributors */

File:Cigital logo.gif

2009-01-09T22:39:45Z

Jeremiahgrossman:

Category:OWASP Security Spending Benchmarks

2009-01-09T17:48:54Z

Jeremiahgrossman: /* Project Contributors */

File:Fortify logo.png

2009-01-09T17:48:17Z

Jeremiahgrossman:

Category:OWASP Security Spending Benchmarks

2009-01-07T21:20:00Z

Jeremiahgrossman: /* Project Status */

Category:OWASP Security Spending Benchmarks

2009-01-07T17:32:19Z

Jeremiahgrossman: /* Project Contributors */

File:Tssci.png

2009-01-07T17:32:00Z

Jeremiahgrossman:

Category:OWASP Security Spending Benchmarks

2009-01-07T16:40:55Z

Jeremiahgrossman: /* Project Contributors */

File:Denim logo.gif

2009-01-07T16:40:35Z

Jeremiahgrossman:

Category:OWASP Security Spending Benchmarks

2009-01-06T19:34:23Z

Jeremiahgrossman: /* Project Contributors */

File:Sectheory-logo-2.jpg

2009-01-06T19:34:01Z

Jeremiahgrossman:

Category:OWASP Security Spending Benchmarks

2009-01-06T19:18:46Z

Jeremiahgrossman: /* Project Status */

Category:OWASP Security Spending Benchmarks

2009-01-06T19:17:50Z

Jeremiahgrossman:

Category:OWASP Security Spending Benchmarks

2009-01-05T22:06:39Z

Jeremiahgrossman: /* Project Leadership */

Category:OWASP Security Spending Benchmarks

2009-01-05T21:57:21Z

Jeremiahgrossman: /* Project Contributors */

File:Imperva Logo.gif

2009-01-05T21:56:30Z

Jeremiahgrossman:

Category:OWASP Security Spending Benchmarks

2009-01-05T21:54:26Z

Jeremiahgrossman: /* Project Contributors */

File:AppSecLogo.jpg

2009-01-05T21:53:24Z

Jeremiahgrossman:

Category:OWASP Security Spending Benchmarks

2009-01-05T18:41:20Z

Jeremiahgrossman:

File:Owasp ssb draft7.pdf

2009-01-05T18:37:02Z

Jeremiahgrossman:

Category:OWASP Security Spending Benchmarks

2008-12-23T23:04:52Z

Jeremiahgrossman:

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li>
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others:

<ul>

<li>What percentage of a Web application development groups headcount is dedicated towards security?</li>
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li>
<li>Where do Web application security budget come from?</li>
<li>How much budget is allocated towards security education?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) Survey Questions ==

This survey is meant to be completed out by organizations who develop, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no identifiable information will be published. The survey only takes about 10-15 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. 1000 - 5000 
f. 5000-50,000 
g. Over 50,000 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Technology 
l. Telecommunication 
m. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>How important is Web application security to your executive management?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>How important is Web application security generally to your customers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Which of the following security personnel does your organization have? (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Has your organization suffered a significant and publicized security incident within the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>Rank the impact of the following factors on driving your organization's security spending decisions (rank each from 1-5)</li>
a. Risk Mitigation 
b. Due Diligence 
c. Incident Response 
d. Compliance 
e. Competitive Advantage 

<li>Does your organization have a specific IT security budget?</li>
a. Yes 
b. No 

<ul>
<li>If yes, approximately what percentage of your IT security budget is dedicated towards Web application security?</li>
a. 1 - 5% 
b. 5 - 10% 
c. 10 - 20% 
d. 20 - 50% 
e. Over 50% 
f. Don't know 

<li>If yes, How do you expect your organization’s Web application security spending will change in 2009 in relation to the previous year?</li>
a. Over 20% spending increase 
b. Spending increase up to 20% 
c. Spending decrease less than 20% 
d. Over 20% spending decrease 
e. Don't know 
f. We don’t measure security spending 
</ul>

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>Which of the following regulations apply to your software (check all that apply)?</li>
a. PCI-DSS 
b. HIPAA 
c. SOX 
d. FERPA 
e. GLBA 
f. FISMA 
g. Depends on who is deploying it 
h. Other regulations (please specify) 
i. None of the above 
j. Don't know 

<li>Approximately how many Web application developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>How important is previous security experience when hiring Web application developers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Approximately what percentage of your development budget or head count is dedicated to security?</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. Don’t know 

<li>Do your developers undergo software security training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<ul>
<li>If yes, approximately how many of your developers participate?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 

<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. General fund 
e. Varies 
f. Don't know 
</ul>

<li>What security checkpoint reviews are present during the Web application software development life-cycle?</li>
a. At every stage of the development process 
b. During the design phase 
c. During the testing phase 
d. Ad hoc 
e. No security reviews 
f. Don't know 

<ul>
<li>If yes, where is the organizational responsibility for these reviews? (check all that apply)</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<li>How much of your organizations Web application software development is outsourced or subcontracted?</li>
a. All or almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<li>How do you review the security of outsourced or subcontracted Web application code? (check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>How often are independent third-party security reviews performed before deploying a Web application? (check all that apply)</li>
a. Immediately before deployment 
a. During the testing phase 
a. During the design phase 
c. When requested by customers 
d. Never 
e. Don't know 

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Business Unit 

f. Varies 
g. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

<li>Do your IT security personnel undergo specialized training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>How many of your organizations deployed Web applications have Web application firewalls monitoring of defending them?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 

e. Business Unit 
f. Varies 
g. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

</ol>

== Additional Survey Questions to Consider ==

== Deleted Questions ==
<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $25,000 
b. $25,000- $50,000 
c. $50,000 - $100,000 
d. $100,000 - $250,000 
e. $250,000 - $1,000,000 
f. Over 1 million 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 
</ol>

== Suggested By the Community ==
<ol>
<li>
Assuming the use of AntiVirus and standard Firewalls, which of the following security technologies are currently used in your organization? (check all that apply) </li>
a. Log management aggregation 
b. Security Incident Management 
c. Application Layer Firewalls 
d. IDS / IPS 
e. Automated Compliance Monitoring 
f. Data Loss Prevention 
g. Web traffic monitoring and/or filtering 
h. Penetration testing tools 
i. Vulnerability Scanners 
j. Other (please specify) 

<li>How is your web application development environment protected during development?</li>
a. By an air gap, no connection to the corporate network or internet 
b. By a Web application firewall enclave 
c. With the standard firewalls, IDS/IPS, etc. that protects the whole organization 
d. Developers are allowed direct access to the internet to speed the development process and leverage outside code sources 
e. I don’t know 

<li> There was some feedback on the preference of deleted question #4 over #11. Tying data types to regulation is easier to do.

</ol>

== Data Collection & Distribution ==

For data collection our current plan is to utilize the SurveyMonkey system for hosting of the survey. We will not be collecting any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we plan to take precautions to limit the potential while not creating unnecessary overhead. We may decide to control survey access via username/password, as well as through a trusted network of contacts. All information collected will be redistributed in report (PDF, HTML) as well as raw (CSV, XML, etc.) form.

== Project Status ==
Completing the project description text and finalizing the proposed survey questions.

== Project Leadership ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

== Project Contributors ==

[[Image:Whitehat_security_logo.gif]] 
Jeremiah Grossman (Founder & CTO)

Category:OWASP Security Spending Benchmarks

2008-12-23T22:10:51Z

Jeremiahgrossman:

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollar and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li>
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others:

<ul>

<li>What percentage of a Web application development groups headcount is dedicated towards security?</li>
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li>
<li>Where do Web application security budget come from?</li>
<li>How much budget is allocated towards security education?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) Survey Questions ==

This survey is meant to be completed out by organizations who develop, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no identifiable information will be published. The survey only takes about 10-15 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. 1000 - 5000 
f. 5000-50,000 
g. Over 50,000 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Technology 
l. Telecommunication 
m. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>How important is Web application security to your executive management?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>How important is Web application security generally to your customers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Which of the following security personnel does your organization have? (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Has your organization suffered a significant and publicized security incident within the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>Rank the impact of the following factors on driving your organization's security spending decisions (rank each from 1-5)</li>
a. Risk Mitigation 
b. Due Diligence 
c. Incident Response 
d. Compliance 
e. Competitive Advantage 

<li>Does your organization have a specific IT security budget?</li>
a. Yes 
b. No 

<ul>
<li>If yes, approximately what percentage of your IT security budget is dedicated towards Web application security?</li>
a. 1 - 5% 
b. 5 - 10% 
c. 10 - 20% 
d. 20 - 50% 
e. Over 50% 
f. Don't know 

<li>If yes, How do you expect your organization’s Web application security spending will change in 2009 in relation to the previous year?</li>
a. Over 20% spending increase 
b. Spending increase up to 20% 
c. Spending decrease less than 20% 
d. Over 20% spending decrease 
e. Don't know 
f. We don’t measure security spending 
</ul>

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>Which of the following regulations apply to your software (check all that apply)?</li>
a. PCI-DSS 
b. HIPAA 
c. SOX 
d. FERPA 
e. GLBA 
f. FISMA 
g. Depends on who is deploying it 
h. Other regulations (please specify) 
i. None of the above 
j. Don't know 

<li>Approximately how many Web application developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>How important is previous security experience when hiring Web application developers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Approximately what percentage of your development budget or head count is dedicated to security?</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. Don’t know 

<li>Do your developers undergo software security training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<ul>
<li>If yes, approximately how many of your developers participate?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 

<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. General fund 
e. Varies 
f. Don't know 
</ul>

<li>What security checkpoint reviews are present during the Web application software development life-cycle?</li>
a. At every stage of the development process 
b. During the design phase 
c. During the testing phase 
d. Ad hoc 
e. No security reviews 
f. Don't know 

<ul>
<li>If yes, where is the organizational responsibility for these reviews? (check all that apply)</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<li>How much of your organizations Web application software development is outsourced or subcontracted?</li>
a. All or almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<li>How do you review the security of outsourced or subcontracted Web application code? (check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>How often are independent third-party security reviews performed before deploying a Web application? (check all that apply)</li>
a. Immediately before deployment 
a. During the testing phase 
a. During the design phase 
c. When requested by customers 
d. Never 
e. Don't know 

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Business Unit 

f. Varies 
g. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

<li>Do your IT security personnel undergo specialized training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>How many of your organizations deployed Web applications have Web application firewalls monitoring of defending them?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 

e. Business Unit 
f. Varies 
g. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

</ol>

== Additional Survey Questions to Consider ==

== Deleted Questions ==
<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $25,000 
b. $25,000- $50,000 
c. $50,000 - $100,000 
d. $100,000 - $250,000 
e. $250,000 - $1,000,000 
f. Over 1 million 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 
</ol>

== Suggested By the Community ==
<ol>
<li>
Assuming the use of AntiVirus and standard Firewalls, which of the following security technologies are currently used in your organization? (check all that apply) </li>
a. Log management aggregation 
b. Security Incident Management 
c. Application Layer Firewalls 
d. IDS / IPS 
e. Automated Compliance Monitoring 
f. Data Loss Prevention 
g. Web traffic monitoring and/or filtering 
h. Penetration testing tools 
i. Vulnerability Scanners 
j. Other (please specify) 

<li>How is your web application development environment protected during development?</li>
a. By an air gap, no connection to the corporate network or internet 
b. By a Web application firewall enclave 
c. With the standard firewalls, IDS/IPS, etc. that protects the whole organization 
d. Developers are allowed direct access to the internet to speed the development process and leverage outside code sources 
e. I don’t know 

<li> There was some feedback on the preference of deleted question #4 over #11. Tying data types to regulation is easier to do.

</ol>

== Data Collection & Distribution ==

For data collection our current plan is to utilize the SurveyMonkey system for hosting of the survey. We will not be collecting any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we plan to take precautions to limit the potential while not creating unnecessary overhead. We may decide to control survey access via username/password, as well as through a trusted network of contacts. All information collected will be redistributed in report (PDF, HTML) as well as raw (CSV, XML, etc.) form.

== Project Status ==
Completing the project description text and finalizing the proposed survey questions.

== Project Leadership ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

== Project Contributors ==

[[Image:Whitehat_security_logo.gif]] 
Jeremiah Grossman (Founder & CTO)

File:Whitehat security logo.gif

2008-12-23T22:08:35Z

Jeremiahgrossman: WhiteHat Security Logo

WhiteHat Security Logo

Category:OWASP Security Spending Benchmarks

2008-12-19T18:13:24Z

Jeremiahgrossman: /* Suggested By the Community */

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollar and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li>
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others:

<ul>

<li>What percentage of a Web application development groups headcount is dedicated towards security?</li>
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li>
<li>Where do Web application security budget come from?</li>
<li>How much budget is allocated towards security education?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) 25 Survey Questions ==

This survey is meant to be completed out by organizations who develop, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no identifiable information will be published. The survey only takes about 10-15 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. 1000 - 5000 
f. 5000-50,000 
g. Over 50,000 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Technology 
l. Telecommunication 
m. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>How important is Web application security to your executive management?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>How important is Web application security generally to your customers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Which of the following security personnel does your organization have? (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Has your organization suffered a significant and publicized security incident within the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>Rank the impact of the following factors on driving your organization's security spending decisions (rank each from 1-5)</li>
a. Risk Mitigation 
b. Due Diligence 
c. Incident Response 
d. Compliance 
e. Competitive Advantage 

<li>Does your organization have a specific IT security budget?</li>
a. Yes 
b. No 

<ul>
<li>If yes, approximately what percentage of your IT security budget is dedicated towards Web application security?</li>
a. 1 - 5% 
b. 5 - 10% 
c. 10 - 20% 
d. 20 - 50% 
e. Over 50% 
f. Don't know 

<li>If yes, How do you expect your organization’s Web application security spending will change in 2009 in relation to the previous year?</li>
a. Over 20% spending increase 
b. Spending increase up to 20% 
c. Spending decrease less than 20% 
d. Over 20% spending decrease 
e. Don't know 
f. We don’t measure security spending 
</ul>

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>Which of the following regulations apply to your software (check all that apply)?</li>
a. PCI-DSS 
b. HIPAA 
c. SOX 
d. FERPA 
e. GLBA 
f. FISMA 
g. Depends on who is deploying it 
h. Other regulations (please specify) 
i. None of the above 
j. Don't know 

<li>Approximately how many Web application developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>How important is previous security experience when hiring Web application developers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Approximately what percentage of your development budget or head count is dedicated to security?</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. Don’t know 

<li>Do your developers undergo software security training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<ul>
<li>If yes, approximately how many of your developers participate?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 

<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. General fund 
e. Varies 
f. Don't know 
</ul>

<li>What security checkpoint reviews are present during the Web application software development life-cycle?</li>
a. At every stage of the development process 
b. During the design phase 
c. During the testing phase 
d. Ad hoc 
e. No security reviews 
f. Don't know 

<ul>
<li>If yes, where is the organizational responsibility for these reviews? (check all that apply)</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<li>How much of your organizations Web application software development is outsourced or subcontracted?</li>
a. All or almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<li>How do you review the security of outsourced or subcontracted Web application code? (check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>How often are independent third-party security reviews performed before deploying a Web application? (check all that apply)</li>
a. Immediately before deployment 
a. During the testing phase 
a. During the design phase 
c. When requested by customers 
d. Never 
e. Don't know 

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Business Unit 

f. Varies 
g. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

<li>Do your IT security personnel undergo specialized training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>How many of your organizations deployed Web applications have Web application firewalls monitoring of defending them?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 

e. Business Unit 
f. Varies 
g. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

</ol>

== Additional Survey Questions to Consider ==

== Deleted Questions ==
<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $25,000 
b. $25,000- $50,000 
c. $50,000 - $100,000 
d. $100,000 - $250,000 
e. $250,000 - $1,000,000 
f. Over 1 million 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 
</ol>

== Suggested By the Community ==
<ol>
<li>
Assuming the use of AntiVirus and standard Firewalls, which of the following security technologies are currently used in your organization? (check all that apply) </li>
a. Log management aggregation 
b. Security Incident Management 
c. Application Layer Firewalls 
d. IDS / IPS 
e. Automated Compliance Monitoring 
f. Data Loss Prevention 
g. Web traffic monitoring and/or filtering 
h. Penetration testing tools 
i. Vulnerability Scanners 
j. Other (please specify) 

<li>How is your web application development environment protected during development?</li>
a. By an air gap, no connection to the corporate network or internet 
b. By a Web application firewall enclave 
c. With the standard firewalls, IDS/IPS, etc. that protects the whole organization 
d. Developers are allowed direct access to the internet to speed the development process and leverage outside code sources 
e. I don’t know 

<li> There was some feedback on the preference of deleted question #4 over #11. Tying data types to regulation is easier to do.

</ol>

== Data Collection & Distribution ==

For data collection our current plan is to utilize the SurveyMonkey system for hosting of the survey. We will not be collecting any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we plan to take precautions to limit the potential while not creating unnecessary overhead. We may decide to control survey access via username/password, as well as through a trusted network of contacts. All information collected will be redistributed in report (PDF, HTML) as well as raw (CSV, XML, etc.) form.

== Project Status ==
Completing the project description text and finalizing the proposed 25 survey questions.

== Project Contributors ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

<ul>
<li>Jeremiah Grossman (CTO, WhiteHat Security)</li>
</ul>

Category:OWASP Security Spending Benchmarks

2008-12-18T23:24:43Z

Jeremiahgrossman:

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollar and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li>
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others:

<ul>

<li>What percentage of a Web application development groups headcount is dedicated towards security?</li>
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li>
<li>Where do Web application security budget come from?</li>
<li>How much budget is allocated towards security education?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) 25 Survey Questions ==

This survey is meant to be completed out by organizations who develop, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no individual answers will be published. Only aggregate reports will be published. The survey only takes about 10 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. 1000 - 5000 
f. Over 5000 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>How important is Web application security to your executive management?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>How important is Web application security generally to your customers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Which of the following security personnel does your organization have? (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Have you suffered a significant and publicized security incident within the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>Rank the impact of the following factors on your organization security spending decisions</li>
a. Risk Mitigation 
b. Due Diligence 
c. Incident Response 
d. Compliance 
e. Competitive Advantage 

<li>Does your organization have a specific IT security budget?</li>
a. Yes 
b. No 

<ul>
<li>If yes, Approximately what percentage of your IT security is dedicated towards Web application security?</li>
a. 1 - 5% 
b. 5 - 10% 
c. 10 - 20% 
d. 20 - 50% 
e. Over 50% 
f. Don't know 

<li>If yes, How do you expect your organization’s Web application security spending will change in 2009 in relation to the previous year?</li>
a. Over 20% spending increase 
b. Spending increase up to 20% 
c. Spending decrease less than 20% 
d. Over 20% spending decrease 
e. Don't know 
f. We don’t measure security spending 
</ul>

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>Which of the following regulations apply to your software (check all that apply)?</li>
a. PCI-DSS 
b. HIPAA 
c. SOX 
d. FERPA 
e. GLBA 
f. Depends on who is deploying it 
g. Other regulations (please specify) 
h. None of the above 
i. Don't know 

<li>Approximately how many Web application developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>How important is previous security experience when hiring Web application developers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Approximately what percentage of your development budget or head count is dedicated to security?</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. Don’t know 

<li>Do your developers undergo software security training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<ul>
<li>If yes, approximately how many of your developers participate?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 

<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. General fund 
e. Varies 
f. Don't know 
</ul>

<li>What security checkpoint reviews are present during the Web application software development life-cycle?</li>
a. At every stage of the development process 
b. During the design phase 
c. During the testing phase 
d. Ad hoc 
e. No security reviews 
f. Don't know 

<ul>
<li>If yes, where is the organizational responsibility for these reviews? (check all that apply)</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<li>How much of your organizations Web application software development is outsourced or subcontracted?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<li>How do you review the security of outsourced or subcontracted Web application code? (check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>How often are independent third-party security reviews performed before deploying a Web application? (check all that apply)</li>
a. Immediately before deployment 
a. During the testing phase 
a. During the design phase 
c. When requested by customers 
d. Never 
e. Don't know 

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

<li>Do your IT security personnel undergo specialized training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>How many of your organizations deployed Web applications have Web application firewalls monitoring of defending them?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

</ol>

== Additional Survey Questions to Consider ==

== Deleted Questions ==
<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $25,000 
b. $25,000- $50,000 
c. $50,000 - $100,000 
d. $100,000 - $250,000 
e. $250,000 - $1,000,000 
f. Over 1 million 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 
</ol>

== Data Collection & Distribution ==

For data collection our current plan is to utilize the SurveyMonkey system for hosting of the survey. We will not be collecting any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we plan to take precautions to limit the potential while not creating unnecessary overhead. We may decide to control survey access via username/password, as well as through a trusted network of contacts. All information collected will be redistributed in report (PDF, HTML) as well as raw (CSV, XML, etc.) form.

== Project Status ==
Completing the project description text and finalizing the proposed 25 survey questions.

== Project Contributors ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

<ul>
<li>Jeremiah Grossman (CTO, WhiteHat Security)</li>
</ul>

Category:OWASP Security Spending Benchmarks

2008-12-18T21:41:45Z

Jeremiahgrossman:

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollar and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li>
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others:

<ul>

<li>What percentage of a Web application development groups headcount is dedicated towards security?</li>
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li>
<li>Where do Web application security budget come from?</li>
<li>How much budget is allocated towards security education?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) 25 Survey Questions ==

This survey is meant to be completed out by organizations who develop, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no individual answers will be published. Only aggregate reports will be published. The survey only takes about 10 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. 1000 - 5000 
f. Over 5000 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>How important is Web application security to your executive management?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>How important is Web application security generally to your customers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Which of the following security personnel does your organization have? (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Have you suffered a significant and publicized security incident within the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>Rank the impact of the following factors on your organization security spending decisions</li>
a. Risk Mitigation 
b. Due Diligence 
c. Incident Response 
d. Compliance 
e. Competitive Advantage 

<li>Does your organization have a specific IT security budget?</li>
a. Yes 
b. No 

<ul>
<li>If yes, Approximately what percentage of your IT security is dedicated towards Web application security?</li>
a. 1 - 5% 
b. 5 - 10% 
c. 10 - 20% 
d. 20 - 50% 
e. Over 50% 
f. Don't know 

<li>If yes, How do you expect your organization’s Web application security spending will change in 2009 in relation to the previous year?</li>
a. Over 20% spending increase 
b. Spending increase up to 20% 
c. Spending decrease less than 20% 
d. Over 20% spending decrease 
e. Don't know 
f. We don’t measure security spending 
</ul>

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>Which of the following regulations apply to your software (check all that apply)?</li>
a. PCI-DSS 
b. HIPAA 
c. SOX 
d. FERPA 
e. GLBA 
f. Depends on who is deploying it 
g. Other regulations (please specify) 
h. None of the above 
i. Don't know 

<li>Approximately how many Web application developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>How important is previous security experience when hiring Web application developers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Approximately what percentage of your development budget or head count is dedicated to security?</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. Don’t know 

<li>Do your developers undergo software security training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<ul>
<li>If yes, approximately how many of your developers participate?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 

<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. General fund 
e. Varies 
f. Don't know 
</ul>

<li>What security checkpoint reviews are present during the Web application software development life-cycle?</li>
a. At every stage of the development process 
b. During the design phase 
c. During the testing phase 
d. Ad hoc 
e. No security reviews 
f. Don't know 

<ul>
<li>If yes, where is the organizational responsibility for these reviews? (check all that apply)</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<li>How much of your organizations Web application software development is outsourced or subcontracted?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<li>How do you review the security of outsourced or subcontracted Web application code? (check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>How often are independent third-party security reviews performed before deploying a Web application? (check all that apply)</li>
a. Immediately before deployment 
a. During the testing phase 
a. During the design phase 
c. When requested by customers 
d. Never 
e. Don't know 

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

<li>Do your IT security personnel undergo specialized training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>How many of your organizations deployed Web applications have Web application firewalls monitoring of defending them?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

</ol>

== Additional Survey Questions to Consider ==

== Deleted Questions ==
<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $25,000 
b. $25,000- $50,000 
c. $50,000 - $100,000 
d. $100,000 - $250,000 
e. $250,000 - $1,000,000 
f. Over 1 million 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 
</ol>

== Project Status ==
Completing the project description text and finalizing the proposed 25 survey questions.

== Project Contributors ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

<ul>
<li>Jeremiah Grossman (CTO, WhiteHat Security)</li>
</ul>

Category:OWASP Security Spending Benchmarks

2008-12-18T20:57:59Z

Jeremiahgrossman:

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

This Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollar and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li>
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others:

<ul>

<li>What percentage of a Web application development groups headcount is dedicated towards security?</li>
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li>
<li>Where do Web application security budget come from?</li>
<li>How much budget is allocated towards security education?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) 25 Survey Questions ==

This survey is meant to be completed out by organizations who develop, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no individual answers will be published. Only aggregate reports will be published. The survey only takes about 10 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. 1000 - 5000 
f. Over 5000 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>How important is Web application security to your executive management?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>How important is Web application security generally to your customers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Which of the following security personnel does your organization have? (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Have you suffered a significant and publicized security incident within the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>Rank the impact of the following factors on your organization security spending decisions</li>
a. Risk Mitigation 
b. Due Diligence 
c. Incident Response 
d. Compliance 
e. Competitive Advantage 

<li>Does your organization have a specific IT security budget?</li>
a. Yes 
b. No 

<ul>
<li>If yes, Approximately what percentage of your IT security is dedicated towards Web application security?</li>
a. 1 - 5% 
b. 5 - 10% 
c. 10 - 20% 
d. 20 - 50% 
e. Over 50% 
f. Don't know 

<li>If yes, How do you expect your organization’s Web application security spending will change in 2009 in relation to the previous year?</li>
a. Over 20% spending increase 
b. Spending increase up to 20% 
c. Spending decrease less than 20% 
d. Over 20% spending decrease 
e. Don't know 
f. We don’t measure security spending 
</ul>

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>Which of the following regulations apply to your software (check all that apply)?</li>
a. PCI-DSS 
b. HIPAA 
c. SOX 
d. FERPA 
e. GLBA 
f. Depends on who is deploying it 
g. Other regulations (please specify) 
h. None of the above 
i. Don't know 

<li>Approximately how many Web application developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>How important is previous security experience when hiring Web application developers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Approximately what percentage of your development budget or head count is dedicated to security?</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. Don’t know 

<li>Do your developers undergo software security training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<ul>
<li>If yes, approximately how many of your developers participate?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 

<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. General fund 
e. Varies 
f. Don't know 
</ul>

<li>What security checkpoint reviews are present during the Web application software development life-cycle?</li>
a. At every stage of the development process 
b. During the design phase 
c. During the testing phase 
d. Ad hoc 
e. No security reviews 
f. Don't know 

<ul>
<li>If yes, where is the organizational responsibility for these reviews? (check all that apply)</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<li>How much of your organizations Web application software development is outsourced or subcontracted?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<li>How do you review the security of outsourced or subcontracted Web application code? (check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>How often are independent third-party security reviews performed before deploying a Web application? (check all that apply)</li>
a. Immediately before deployment 
a. During the testing phase 
a. During the design phase 
c. When requested by customers 
d. Never 
e. Don't know 

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

<li>Do your IT security personnel undergo specialized training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>How many of your organizations deployed Web applications have Web application firewalls monitoring of defending them?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

</ol>

== Additional Survey Questions to Consider ==

== Deleted Questions ==
<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $25,000 
b. $25,000- $50,000 
c. $50,000 - $100,000 
d. $100,000 - $250,000 
e. $250,000 - $1,000,000 
f. Over 1 million 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 
</ol>

== Project Status ==
Completing the project description text and finalizing the proposed 25 survey questions.

== Project Contributors ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

<ul>
<li>Jeremiah Grossman (CTO, WhiteHat Security)</li>
</ul>

Category:OWASP Security Spending Benchmarks

2008-12-18T20:56:46Z

Jeremiahgrossman:

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

This Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollar and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li>
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others:

<ul>

<li>What percentage of a Web application development groups headcount is dedicated towards security?</li>
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li>
<li>Where do Web application security budget come from?</li>
<li>How much budget is allocated towards security education?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) 25 Survey Questions ==

This survey is meant to be completed out by organizations who develop, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no individual answers will be published. Only aggregate reports will be published. The survey only takes about 10 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. 1000 - 5000 
f. Over 5000 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>How important is Web application security to your executive management?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>How important is Web application security generally to your customers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Which of the following security personnel does your organization have? (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Have you suffered a significant and publicized security incident within the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>Rank the impact of the following factors on your organization security spending decisions</li>
a. Risk Mitigation 
b. Due Diligence 
c. Incident Response 
d. Compliance 
e. Competitive Advantage 

<li>Does your organization have a specific IT security budget?</li>
a. Yes 
b. No 

<ul>
<li>If yes, Approximately what percentage of your IT security is dedicated towards Web application security?</li>
a. 1 - 5% 
b. 5 - 10% 
c. 10 - 20% 
d. 20 - 50% 
e. Over 50% 
f. Don't know 

<li>If yes, How do you expect your organization’s Web application security spending will change in 2009 in relation to the previous year?</li>
a. Over 20% spending increase 
b. Spending increase up to 20% 
c. Spending decrease less than 20% 
d. Over 20% spending decrease 
e. Don't know 
f. We don’t measure security spending 
</ul>

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>Which of the following regulations apply to your software (check all that apply)?</li>
a. PCI-DSS 
b. HIPAA 
c. SOX 
d. FERPA 
e. GLBA 
f. Depends on who is deploying it 
g. Other regulations (please specify) 
h. None of the above 
i. Don't know 

<li>Approximately how many Web application developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>How important is previous security experience when hiring Web application developers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Approximately what percentage of your development groups time or head count is dedicated to security?</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. Don’t know 

<li>Do your developers undergo software security training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<ul>
<li>If yes, approximately how many of your developers participate?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 

<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. General fund 
e. Varies 
f. Don't know 
</ul>

<li>What security checkpoint reviews are present during the Web application software development life-cycle?</li>
a. At every stage of the development process 
b. During the design phase 
c. During the testing phase 
d. Ad hoc 
e. No security reviews 
f. Don't know 

<ul>
<li>If yes, where is the organizational responsibility for these reviews? (check all that apply)</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<li>How much of your organizations Web application software development is outsourced or subcontracted?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<li>How do you review the security of outsourced or subcontracted Web application code? (check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>How often are independent third-party security reviews performed before deploying a Web application? (check all that apply)</li>
a. Immediately before deployment 
a. During the testing phase 
a. During the design phase 
c. When requested by customers 
d. Never 
e. Don't know 

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

<li>Do your IT security personnel undergo specialized training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>How many of your organizations deployed Web applications have Web application firewalls monitoring of defending them?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

</ol>

== Additional Survey Questions to Consider ==

== Deleted Questions ==
<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $25,000 
b. $25,000- $50,000 
c. $50,000 - $100,000 
d. $100,000 - $250,000 
e. $250,000 - $1,000,000 
f. Over 1 million 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 
</ol>

== Project Status ==
Completing the project description text and finalizing the proposed 25 survey questions.

== Project Contributors ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

<ul>
<li>Jeremiah Grossman (CTO, WhiteHat Security)</li>
</ul>

Category:OWASP Security Spending Benchmarks

2008-12-18T17:45:25Z

Jeremiahgrossman:

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

This Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollar and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li>
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others:

<ul>

<li>What percentage of a Web application development groups headcount is dedicated towards security?</li>
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li>
<li>Where do Web application security budget come from?</li>
<li>How much budget is allocated towards security education?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) 25 Survey Questions ==

This survey is meant to be completed out by organizations who develop, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no individual answers will be published. Only aggregate reports will be published. The survey only takes about 10 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. 1000 - 5000 
f. Over 5000 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>How important is Web application security to your executive management?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>How important is Web application security generally to your customers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Which of the following security personnel does your organization have? (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Have you suffered a significant and publicized security incident within the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>Rank the impact of the following factors on your organization security spending decisions</li>
a. Risk Mitigation 
b. Due Diligence 
c. Incident Response 
d. Compliance 
e. Competitive Advantage 

<li>How do you expect your organization’s Web application security spending will change in 2009 in relation to the previous year?</li>
a. Over 20% spending increase 
b. Spending increase up to 20% 
c. Spending decrease less than 20% 
d. Over 20% spending decrease 
e. We don’t know yet 
f. We don’t measure security spending 

<li>Approximately what percentage of your organizations overall IT Security budget is dedicated towards Web application security?</li>
a. 1 - 5% 
a. 5 - 10% 
a. 10 - 20% 
a. 20 - 50% 
a. Over 50% 

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>Which of the following regulations apply to your software (check all that apply)?</li>
a. PCI-DSS 
b. HIPAA 
c. SOX 
d. FERPA 
e. GLBA 
f. Depends on who is deploying it 
g. Other regulations (please specify) 
h. None of the above 
i. Don't know 

<li>Approximately how many Web application developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>How important is previous security experience when hiring Web application developers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Approximately what percentage of your development groups time or head count is dedicated to security?</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. Don’t know 

<li>Do your developers undergo software security training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<ul>
<li>If yes, approximately how many of your developers participate?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 

<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. General fund 
e. Varies 
f. Don't know 
</ul>

<li>What security checkpoint reviews are present during the Web application software development life-cycle?</li>
a. At every stage of the development process 
b. During the design phase 
c. During the testing phase 
d. Ad hoc 
e. No security reviews 
f. Don't know 

<ul>
<li>If yes, where is the organizational responsibility for these reviews? (check all that apply)</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<li>How much of your organizations Web application software development is outsourced or subcontracted?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<li>How do you review the security of outsourced or subcontracted Web application code? (check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>How often are independent third-party security reviews performed before deploying a Web application? (check all that apply)</li>
a. Immediately before deployment 
a. During the testing phase 
a. During the design phase 
c. When requested by customers 
d. Never 
e. Don't know 

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

<li>Do your IT security personnel undergo specialized training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>How many of your organizations deployed Web applications have Web application firewalls monitoring of defending them?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

</ol>

== Additional Survey Questions to Consider ==

== Deleted Questions ==
<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $25,000 
b. $25,000- $50,000 
c. $50,000 - $100,000 
d. $100,000 - $250,000 
e. $250,000 - $1,000,000 
f. Over 1 million 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 
</ol>

== Project Status ==
Completing the project description text and finalizing the proposed 25 survey questions.

== Project Contributors ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

<ul>
<li>Jeremiah Grossman (CTO, WhiteHat Security)</li>
</ul>

Category:OWASP Security Spending Benchmarks

2008-12-18T17:43:38Z

Jeremiahgrossman:

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

This Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollar and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li>
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others:

<ul>

<li>What percentage of a Web application development groups headcount is dedicated towards security?</li>
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li>
<li>Where do Web application security budget come from?</li>
<li>How much budget is allocated towards security education?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) 25 Survey Questions ==

This survey is meant to be completed out by organizations who develop, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no individual answers will be published. Only aggregate reports will be published. The survey only takes about 10 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. 1000 - 5000 
f. Over 5000 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>How important is Web application security to your executive management?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>How important is Web application security generally to your customers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Which of the following security personnel does your organization have? (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Have you suffered a significant and publicized security incident within the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>Rank the impact of the following factors on your organization security spending decisions</li>
a. Risk Mitigation 
b. Due Diligence 
c. Incident Response 
d. Compliance 
e. Competitive Advantage 

<li>How do you expect your organization’s Web application security spending will change in 2009 in relation to the previous year?</li>
a. Over 20% spending increase 
b. Spending increase up to 20% 
c. Spending decrease less than 20% 
d. Over 20% spending decrease 
e. We don’t know yet 
f. We don’t measure security spending 

<li>Approximately what percentage of your organizations overall IT Security budget is dedicated towards Web application security?</li>
a. 1 - 5% 
a. 5 - 10% 
a. 10 - 20% 
a. 20 - 50% 
a. Over 50% 

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>Which of the following regulations apply to your software (check all that apply)?</li>
a. PCI-DSS 
b. HIPAA 
c. SOX 
d. FERPA 
e. GLBA 
f. Depends on who is deploying it 
g. Other regulations (please specify) 
h. None of the above 
i. Don't know 

<li>Approximately how many Web application developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>How important is previous security experience when hiring Web application developers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Approximately what percentage of your development groups time or head count is dedicated to security?</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. Don’t know 

<li>Do your developers undergo software security training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<ul>
<li>If yes, approximately how many of your developers participate?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 

<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. General fund 
e. Varies 
f. Don't know 
</ul>

<li>What security checkpoint reviews are present during the Web application software development life-cycle?</li>
a. At every stage of the development process 
b. During the design phase 
c. During the testing phase 
d. Ad hoc 
e. No security reviews 
f. Don't know 

<ul>
<li>If yes, where is the organizational responsibility for these reviews? (check all that apply)</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<li>How much of your organizations Web application software development is outsourced or subcontracted?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<li>How do you review the security of outsourced or subcontracted Web application code? (check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>How often are independent third-party security reviews performed before deploying a Web application? (check all that apply)</li>
a. Immediately before deployment 
a. During the testing phase 
a. During the design phase 
c. When requested by customers 
d. Never 
e. Don't know 

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

<li>Do your IT security personnel undergo specialized training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>How many of your organizations deployed Web applications have Web application firewalls monitoring of defending them?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<ul>
<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<ul>
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

</ol>

== Additional Survey Questions to Consider ==

== Deleted Questions ==
<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $25,000 
b. $25,000- $50,000 
c. $50,000 - $100,000 
d. $100,000 - $250,000 
e. $250,000 - $1,000,000 
f. Over 1 million 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 
</ol>

== Project Status ==
Completing the project description text and finalizing the proposed 25 survey questions.

== Project Contributors ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

<ul>
<li>Jeremiah Grossman (CTO, WhiteHat Security)</li>
</ul>

Category:OWASP Security Spending Benchmarks

2008-12-18T17:41:41Z

Jeremiahgrossman:

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

This Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollar and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li>
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others:

<ul>

<li>What percentage of a Web application development groups headcount is dedicated towards security?</li>
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li>
<li>Where do Web application security budget come from?</li>
<li>How much budget is allocated towards security education?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) 25 Survey Questions ==

This survey is meant to be completed out by organizations who develop, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no individual answers will be published. Only aggregate reports will be published. The survey only takes about 10 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. 1000 - 5000 
f. Over 5000 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>How important is Web application security to your executive management?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>How important is Web application security generally to your customers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Which of the following security personnel does your organization have? (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Have you suffered a significant and publicized security incident within the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>Rank the impact of the following factors on your organization security spending decisions</li>
a. Risk Mitigation 
b. Due Diligence 
c. Incident Response 
d. Compliance 
e. Competitive Advantage 

<li>How do you expect your organization’s Web application security spending will change in 2009 in relation to the previous year?</li>
a. Over 20% spending increase 
b. Spending increase up to 20% 
c. Spending decrease less than 20% 
d. Over 20% spending decrease 
e. We don’t know yet 
f. We don’t measure security spending 

<li>Approximately what percentage of your organizations overall IT Security budget is dedicated towards Web application security?</li>
a. 1 - 5% 
a. 5 - 10% 
a. 10 - 20% 
a. 20 - 50% 
a. Over 50% 

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>Which of the following regulations apply to your software (check all that apply)?</li>
a. PCI-DSS 
b. HIPAA 
c. SOX 
d. FERPA 
e. GLBA 
f. Depends on who is deploying it 
g. Other regulations (please specify) 
h. None of the above 
i. Don't know 

<li>Approximately how many Web application developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>How important is previous security experience when hiring Web application developers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Approximately what percentage of your development groups time or head count is dedicated to security?</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. Don’t know 

<li>Do your developers undergo software security training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<ul>
<li>If yes, approximately how many of your developers participate?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 

<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. General fund 
e. Varies 
f. Don't know 
</ul>

<li>What security checkpoint reviews are present during the Web application software development life-cycle?</li>
a. At every stage of the development process 
b. During the design phase 
c. During the testing phase 
d. Ad hoc 
e. No security reviews 
f. Don't know 

<li>If yes, where is the organizational responsibility for these reviews? (check all that apply)</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<li>How much of your organizations Web application software development is outsourced or subcontracted?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<li>How do you review the security of outsourced or subcontracted Web application code? (check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>How often are independent third-party security reviews performed before deploying a Web application? (check all that apply)</li>
a. Immediately before deployment 
a. During the testing phase 
a. During the design phase 
c. When requested by customers 
d. Never 
e. Don't know 

<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

<li>Do your IT security personnel undergo specialized training? (check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>How many of your organizations deployed Web applications have Web application firewalls monitoring of defending them?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know

<li>If yes, out of what budget are the costs allocated?</li>
a. Development 
b. Q&A 
c. IT Security 
d. Internal audit 
e. Varies 
f. Don't know 
</ul>

<li>If budget specified, approximate what percentage of that budget is allocated?</li>
a. All of almost all 
b. Most 
c. About half 
d. Some 
e. None or very little 
f. Don't know
</ul>

</ol>

== Additional Survey Questions to Consider ==

== Deleted Questions ==
<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $25,000 
b. $25,000- $50,000 
c. $50,000 - $100,000 
d. $100,000 - $250,000 
e. $250,000 - $1,000,000 
f. Over 1 million 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 
</ol>

== Project Status ==
Completing the project description text and finalizing the proposed 25 survey questions.

== Project Contributors ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

<ul>
<li>Jeremiah Grossman (CTO, WhiteHat Security)</li>
</ul>

Category:OWASP Security Spending Benchmarks

2008-12-18T17:04:16Z

Jeremiahgrossman:

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

This Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollar and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li>
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others:

<ul>

<li>What percentage of a Web application development groups headcount is dedicated towards security?</li>
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li>
<li>Where do Web application security budget come from?</li>
<li>How much budget is allocated towards security education?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) 25 Survey Questions ==

This survey is meant to be completed out by organizations who develop, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no individual answers will be published. Only aggregate reports will be published. The survey only takes about 10 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. 1000 - 5000 
f. Over 5000 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>How important is Web application security to your executive management?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>How important is Web application security generally to your customers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Which of the following security personnel does your organization have? (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Have you suffered a significant and publicized security incident within the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>Approximately how many developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>Rank the impact of the following factors on your organization security spending decisions</li>
a. Risk Mitigation 
b. Due Diligence 
c. Incident Response 
d. Compliance 
e. Competitive Advantage 

<li>How much of your software development is outsourced or subcontracted?</li>
a. None 
b. Some 
c. About half 
d. Significant portion 
e. All or almost all 
f. Don't know

<li>How do you review the security of outsourced or subcontracted code? (please check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>Do your developers undergo software security training? (please check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>How important is previous security experience when hiring developers?</li>
a. Very important 
b. Somewhat important 
c. Nice to have but not a priority 
d. Not a factor in hiring 
e. Don't know 

<li>Do you have internal security checkpoints during the software development life-cycle? (please check all that apply)</li>
a. Yes, at every stage of the development cycle 
b. Yes, during the design phase 
c. Yes, during the testing phase 
d. No 
e. Don't know 

<li> If you answered yes to the question on internal security review, where is the organizational responsibility for this review? (please check all that apply)</li>
a. Within the development team 
b. Within the QA team 
c. Within a security team 
d. Within the internal audit team 
e. Don’t know 

<li>Do you perform independent third-party security reviews before deploying a Web application?</li>
a. Every web application undergoes an external review before deployment 
b. Only security critical applications undergo an external review 
c. Only when requested by customers 
d. We never perform external security reviews 
e. Don't know 

<li>If you answered yes to the question on external security reviews, how often do you engage external security firms? (check all that apply)</li>
a. Once at the design phase 
b. When making important security choices 
c. Ad hoc, as needed 
d. Prior to release 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $25,000 
b. $25,000- $50,000 
c. $50,000 - $100,000 
d. $100,000 - $250,000 
e. $250,000 - $1,000,000 
f. Over 1 million 

<li>Does the costs of these security reviews come from: (check all that apply)</li>
a. The development budget 
b. The Q&A budget 
c. A security budget 
d. A general budget 
e. It varies 
f. Don’t know 

<li>What percentage of your total developer’s time is directly devoted to security activities? (code reviews, meetings, etc)</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. I don’t know - we don’t measure time in that way 

<li>Which of the following regulations apply to your software (check all that apply)?</li>
a. PCI 
b. HIPAA 
c. SOX 
d. FERPA 
e. Depends on who is deploying it 
f. Other regulations (please specify) 
g. None of the above 
h. Don't know 

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>How do you think your organization’s security spending in 2009 will change in relation to 2008?</li>
a. We will spend over 20% more in 2009 than 2008 
b. We will spend between up to 20% more in 2009 and 2008 
c. We will spend up to 20% less in 2009 than 2008 
d. We will spend over 20% less in 2009 than 2008 
e. We don’t know yet how much we will spend in 2009 
f. We don’t measure security spending 
</ol>

== Additional Survey Questions to Consider ==

<ol>
<li>Please rank how much the following drive your organization budgeting decisions</li>
- Risk Mitigation 
- Due Diligence 
- Incident Response 
- Regulatory Compliance 
- Competitive Advantage 
</ol>

== Deleted Questions ==
<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 
</ol>
== Project Status ==
Completing the project description text and finalizing the proposed 25 survey questions.

== Project Contributors ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

<ul>
<li>Jeremiah Grossman (CTO, WhiteHat Security)</li>
</ul>

Category:OWASP Security Spending Benchmarks

2008-12-18T17:02:47Z

Jeremiahgrossman:

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

This Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollar and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li>
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others:

<ul>

<li>What percentage of a Web application development groups headcount is dedicated towards security?</li>
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li>
<li>Where do Web application security budget come from?</li>
<li>How much budget is allocated towards security education?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) 25 Survey Questions ==

This survey is meant to be completed out by organizations who develop, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no individual answers will be published. Only aggregate reports will be published. The survey only takes about 10 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. 1000 - 5000 
f. Over 5000 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>How important is Web application security to your executive management?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>How important is Web application security generally to your customers?</li>
a. Critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 
f. Don't know 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Which of the following security personnel does your organization have? (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Have you suffered a significant and publicized security incident within the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>Approximately how many developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>How much of your software development is outsourced or subcontracted?</li>
a. None 
b. Some 
c. About half 
d. Significant portion 
e. All or almost all 
f. Don't know

<li>How do you review the security of outsourced or subcontracted code? (please check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>Do your developers undergo software security training? (please check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>How important is previous security experience when hiring developers?</li>
a. Very important 
b. Somewhat important 
c. Nice to have but not a priority 
d. Not a factor in hiring 
e. Don't know 

<li>Do you have internal security checkpoints during the software development life-cycle? (please check all that apply)</li>
a. Yes, at every stage of the development cycle 
b. Yes, during the design phase 
c. Yes, during the testing phase 
d. No 
e. Don't know 

<li> If you answered yes to the question on internal security review, where is the organizational responsibility for this review? (please check all that apply)</li>
a. Within the development team 
b. Within the QA team 
c. Within a security team 
d. Within the internal audit team 
e. Don’t know 

<li>Do you perform independent third-party security reviews before deploying a Web application?</li>
a. Every web application undergoes an external review before deployment 
b. Only security critical applications undergo an external review 
c. Only when requested by customers 
d. We never perform external security reviews 
e. Don't know 

<li>If you answered yes to the question on external security reviews, how often do you engage external security firms? (check all that apply)</li>
a. Once at the design phase 
b. When making important security choices 
c. Ad hoc, as needed 
d. Prior to release 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $25,000 
b. $25,000- $50,000 
c. $50,000 - $100,000 
d. $100,000 - $250,000 
e. $250,000 - $1,000,000 
f. Over 1 million 

<li>Does the costs of these security reviews come from: (check all that apply)</li>
a. The development budget 
b. The Q&A budget 
c. A security budget 
d. A general budget 
e. It varies 
f. Don’t know 

<li>What percentage of your total developer’s time is directly devoted to security activities? (code reviews, meetings, etc)</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. I don’t know - we don’t measure time in that way 

<li>Which of the following regulations apply to your software (check all that apply)?</li>
a. PCI 
b. HIPAA 
c. SOX 
d. FERPA 
e. Depends on who is deploying it 
f. Other regulations (please specify) 
g. None of the above 
h. Don't know 

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>How do you think your organization’s security spending in 2009 will change in relation to 2008?</li>
a. We will spend over 20% more in 2009 than 2008 
b. We will spend between up to 20% more in 2009 and 2008 
c. We will spend up to 20% less in 2009 than 2008 
d. We will spend over 20% less in 2009 than 2008 
e. We don’t know yet how much we will spend in 2009 
f. We don’t measure security spending 
</ol>

== Additional Survey Questions to Consider ==

<ol>
<li>Please rank how much the following drive your organization budgeting decisions</li>
- Risk Mitigation 
- Due Diligence 
- Incident Response 
- Regulatory Compliance 
- Competitive Advantage 
</ol>

== Deleted Questions ==
<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 
</ol>
== Project Status ==
Completing the project description text and finalizing the proposed 25 survey questions.

== Project Contributors ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

<ul>
<li>Jeremiah Grossman (CTO, WhiteHat Security)</li>
</ul>

Category:OWASP Security Spending Benchmarks

2008-12-18T16:55:13Z

Jeremiahgrossman:

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

This Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollar and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li>
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others:

<ul>

<li>What percentage of a Web application development groups headcount is dedicated towards security?</li>
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li>
<li>Where do Web application security budget come from?</li>
<li>How much budget is allocated towards security education?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) 25 Survey Questions ==

This survey is meant to be completed out by organizations who develop, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no individual answers will be published. Only aggregate reports will be published. The survey only takes about 10 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. 1000-5000 
f. Over 5000 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>Which of the following security personnel does your organization have (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Approximately how many developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>How much of your software development is outsourced or subcontracted?</li>
a. None 
b. Some 
c. About half 
d. Significant portion 
e. All or almost all 
f. Don't know

<li>How do you review the security of outsourced or subcontracted code? (please check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>Do your developers undergo software security training? (please check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>How important is previous security experience when hiring developers?</li>
a. Very important 
b. Somewhat important 
c. Nice to have but not a priority 
d. Not a factor in hiring 
e. Don't know 

<li>Do you have internal security checkpoints during the software development life-cycle? (please check all that apply)</li>
a. Yes, at every stage of the development cycle 
b. Yes, during the design phase 
c. Yes, during the testing phase 
d. No 
e. Don't know 

<li> If you answered yes to the question on internal security review, where is the organizational responsibility for this review? (please check all that apply)</li>
a. Within the development team 
b. Within the QA team 
c. Within a security team 
d. Within the internal audit team 
e. Don’t know 

<li>Do you perform independent third-party security reviews before deploying a Web application?</li>
a. Every web application undergoes an external review before deployment 
b. Only security critical applications undergo an external review 
c. Only when requested by customers 
d. We never perform external security reviews 
e. Don't know 

<li>If you answered yes to the question on external security reviews, how often do you engage external security firms? (check all that apply)</li>
a. Once at the design phase 
b. When making important security choices 
c. Ad hoc, as needed 
d. Prior to release 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $25,000 
b. $25,000- $50,000 
c. $50,000 - $100,000 
d. $100,000 - $250,000 
e. $250,000 - $1,000,000 
f. Over 1 million 

<li>Does the costs of these security reviews come from: (check all that apply)</li>
a. The development budget 
b. The Q&A budget 
c. A security budget 
d. A general budget 
e. It varies 
f. Don’t know 

<li>What percentage of your total developer’s time is directly devoted to security activities? (code reviews, meetings, etc)</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. I don’t know - we don’t measure time in that way 

<li>How important is software security generally to your customers?</li>
a. Extremely important 
b. Very important 
c. Important 
d. Not very important 
e. Don't know - I don't deal with customers.

<li>Which of the following regulations apply to your software (check all that apply)?</li>
a. PCI 
b. HIPAA 
c. SOX 
d. FERPA 
e. Depends on who is deploying it 
f. Other regulations (please specify) 
g. None of the above 
h. Don't know 

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>How important is Web application security to your executive management?</li>
a. Absolutely critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Have you suffered a significant public security incident in the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>How do you think your organization’s security spending in 2009 will change in relation to 2008?</li>
a. We will spend over 20% more in 2009 than 2008 
b. We will spend between up to 20% more in 2009 and 2008 
c. We will spend up to 20% less in 2009 than 2008 
d. We will spend over 20% less in 2009 than 2008 
e. We don’t know yet how much we will spend in 2009 
f. We don’t measure security spending 
</ol>

== Additional Survey Questions to Consider ==

<ol>
<li>Please rank how much the following drive your organization budgeting decisions</li>
- Risk Mitigation 
- Due Diligence 
- Incident Response 
- Regulatory Compliance 
- Competitive Advantage 
</ol>

== Deleted Questions ==
<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 
</ol>
== Project Status ==
Completing the project description text and finalizing the proposed 25 survey questions.

== Project Contributors ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

<ul>
<li>Jeremiah Grossman (CTO, WhiteHat Security)</li>
</ul>

Category:OWASP Security Spending Benchmarks

2008-12-18T00:02:19Z

Jeremiahgrossman:

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

This OWASP project seeks to produce an industry accepted benchmark for justifying spending in Web application security. We want to quantify how many dollar and human resources should be allocated towards Web application security, including that of within the software development life-cycle. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security and the application development processes.</li>
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and hosting secure Web application, but there is no industry consensus or data on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not get to charge a premium for this investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the answers to address the following questions:

<ul>

<li>What percentage of a development groups headcount is dedicated towards security?
<li>How much budget is allocated towards software security as a percentage of development costs?</li>
<li>Where does the software security budget come from?</li>
<li>How much budget is allocated towards developer security education?</li>
<li>How much budget is allocated towards independent third-party security reviews?</li>
<li>Where does the independent third-party security review budget come from?</li>
<li>How much budget is allocated towards Web application firewalls?</li>
<li>Where does Web application firewall budget come from?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) 25 Survey Questions ==

This survey is meant to be completed out by organization who development, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no individual answers will be published. Only aggregate reports will be published. The survey only takes about 10 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 

<li>Which of the following security personnel does your organization have (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Approximately how many developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. Over 1000 

<li>How much of your software development is outsourced or subcontracted?</li>
a. None 
b. Some 
c. About half 
d. Significant portion 
e. All or almost all 
f. Don't know

<li>How do you review the security of outsourced or subcontracted code? (please check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>Do your developers undergo software security training? (please check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>How important is previous security experience when hiring developers?</li>
a. Very important 
b. Somewhat important 
c. Nice to have but not a priority 
d. Not a factor in hiring 
e. Don't know 

<li>Do you have internal security checkpoints during the software development life-cycle? (please check all that apply)</li>
a. Yes, at every stage of the development cycle 
b. Yes, during the design phase 
c. Yes, during the testing phase 
d. No 
e. Don't know 

<li> If you answered yes to the question on internal security review, where is the organizational responsibility for this review? (please check all that apply)</li>
a. Within the development team 
b. Within the QA team 
c. Within a security team 
d. Within the internal audit team 
e. Don’t know 

<li>Do you perform independent third-party security reviews before deploying a Web application?</li>
a. Every web application undergoes an external review before deployment 
b. Only security critical applications undergo an external review 
c. Only when requested by customers 
d. We never perform external security reviews 
e. Don't know 

<li>If you answered yes to the question on external security reviews, how often do you engage external security firms? (check all that apply)</li>
a. Once at the design phase 
b. When making important security choices 
c. Ad hoc, as needed 
d. Prior to release 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $50,000 
b. $50,000 - $100,000 
c. $100,000 - $250,000 
d. $250,000 - $1,000,000 
e. Over 1 million 

<li>Does the costs of these security reviews come from: (check all that apply)</li>
a. The development budget 
b. The Q&A budget 
c. A security budget 
d. A general budget 
e. It varies 
f. Don’t know 

<li>What percentage of your total developer’s time is directly devoted to security activities? (code reviews, meetings, etc)</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. I don’t know - we don’t measure time in that way 

<li>How important is software security generally to your customers?</li>
a. Extremely important 
b. Very important 
c. Important 
d. Not very important 
e. Don't know - I don't deal with customers.

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>How important is Web application security to your executive management?</li>
a. Absolutely critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Have you suffered a significant public security incident in the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>How do you think your organization’s security spending in 2009 will change in relation to 2008?</li>
a. We will spend over 20% more in 2009 than 2008 
b. We will spend between up to 20% more in 2009 and 2008 
c. We will spend up to 20% less in 2009 than 2008 
d. We will spend over 20% less in 2009 than 2008 
e. We don’t know yet how much we will spend in 2009 
f. We don’t measure security spending 
</ol>

== Additional Survey Questions to Consider ==

<ol>
<li>Please rank how much the following drive your organization budgeting decisions</li>
- Risk Mitigation 
- Due Diligence 
- Incident Response 
- Regulatory Compliance 
- Competitive Advantage 
</ol>

== Project Status ==
Completing the project description text and finalizing the proposed 25 survey questions.

== Project Contributors ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

<ul>
<li>Jeremiah Grossman (CTO, WhiteHat Security)</li>
</ul>

Category:OWASP Security Spending Benchmarks

2008-12-17T23:58:16Z

Jeremiahgrossman:

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

This OWASP project seeks to produce an industry accepted benchmark for justifying spending in Web application security. We want to quantify how many dollar and human resources should be allocated towards Web application security, including that of within the software development life-cycle. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security and the application development processes.</li>
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and hosting secure Web application, but there is no industry consensus or data on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not get to charge a premium for this investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the answers to address the following questions:

<ul>

<li>What percentage of a development groups headcount is dedicated towards security?
<li>How much budget is allocated towards software security as a percentage of development costs?</li>
<li>Where does the software security budget come from?</li>
<li>How much budget is allocated towards developer security education?</li>
<li>How much budget is allocated towards independent third-party security reviews?</li>
<li>Where does the independent third-party security review budget come from?</li>
<li>How much budget is allocated towards Web application firewalls?</li>
<li>Where does Web application firewall budget come from?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) 25 Survey Questions ==

This survey is meant to be completed out by organization who development, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no individual answers will be published. Only aggregate reports will be published. The survey only takes about 10 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 

<li>Which of the following security personnel does your organization have (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Approximately how many developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. Over 1000 

<li>How much of your software development is outsourced or subcontracted?</li>
a. None 
b. Some 
c. About half 
d. Significant portion 
e. All or almost all 
f. Don't know

<li>How do you review the security of outsourced or subcontracted code? (please check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>Do your developers undergo software security training? (please check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>How important is previous security experience when hiring developers?</li>
a. Very important 
b. Somewhat important 
c. Nice to have but not a priority 
d. Not a factor in hiring 
e. Don't know 

<li>Do you have internal security checkpoints during the software development life-cycle? (please check all that apply)</li>
a. Yes, at every stage of the development cycle 
b. Yes, during the design phase 
c. Yes, during the testing phase 
d. No 
e. Don't know 

<li> If you answered yes to the question on internal security review, where is the organizational responsibility for this review? (please check all that apply)</li>
a. Within the development team 
b. Within the QA team 
c. Within a security team 
d. Within the internal audit team 
e. Don’t know 

<li>Do you perform independent third-party security reviews before deploying a Web application?</li>
a. Every web application undergoes an external review before deployment 
b. Only security critical applications undergo an external review 
c. Only when requested by customers 
d. We never perform external security reviews 
e. Don't know 

<li>If you answered yes to the question on external security reviews, how often do you engage external security firms? (check all that apply)</li>
a. Once at the design phase 
b. When making important security choices 
c. Ad hoc, as needed 
d. Prior to release 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $50,000 
b. $50,000 - $100,000 
c. $100,000 - $250,000 
d. $250,000 - $1,000,000 
e. Over 1 million 

<li>Does the costs of these security reviews come from: (check all that apply)</li>
a. The development budget 
b. The Q&A budget 
c. A security budget 
d. A general budget 
e. It varies 
f. Don’t know 

<li>What percentage of your total developer’s time is directly devoted to security activities? (code reviews, meetings, etc)</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. I don’t know - we don’t measure time in that way 

<li>How important is software security generally to your customers?</li>
a. Extremely important 
b. Very important 
c. Important 
d. Not very important 
e. Don't know - I don't deal with customers.

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>How important is Web application security to your executive management?</li>
a. Absolutely critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Have you suffered a significant public security incident in the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>How do you think your organization’s security spending in 2009 will change in relation to 2008?</li>
a. We will spend over 20% more in 2009 than 2008 
b. We will spend between up to 20% more in 2009 and 2008 
c. We will spend up to 20% less in 2009 than 2008 
d. We will spend over 20% less in 2009 than 2008 
e. We don’t know yet how much we will spend in 2009 
f. We don’t measure security spending 
</ol>

== Project Status ==
Completing the project description text and finalizing the proposed 25 survey questions.

== Project Contributors ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

<ul>
<li>Jeremiah Grossman (CTO, WhiteHat Security)</li>
</ul>

Category:OWASP Security Spending Benchmarks

2008-12-17T23:29:01Z

Jeremiahgrossman:

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

Establishing a Benchmark for Security Spending in Web Application Development
The OWASP project “Security Spending in Web Application Development” aims to answer the question – How many resources should be devoted to security spending in the software development life-cycle?

== Overview ==

This project seeks to produce an industry accepted benchmark to help address the issues below. We want to quantify how many dollar and human resources should be allocated towards security in the software development life-cycle. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on security in the Web application development process.</li>
<li>Spending on security helps mitigate risks whose potential costs are difficult to quantify. This makes justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing secure Web application, but there is no industry consensus or data on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not get to charge a premium for this investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help formulate the right questions. Your feedback would be much appreciated. We want to use the answers to address the following questions:

<ul>
<li>Do organizations measure software security spending separately from the rest of their development costs?</li>
<li>How much developer time is spent on software security related activities?
How much budget is allocated towards software security as a percentage of development costs?</li>
<li>Where does the software security budget come from?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) 25 Survey Questions ==

This survey is meant to be completed out by organization who development, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no individual answers will be published. Only aggregate reports will be published. The survey only takes about 10 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 

<li>Which of the following security personnel does your organization have (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Approximately how many developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. Over 1000 

<li>How much of your software development is outsourced or subcontracted?</li>
a. None 
b. Some 
c. About half 
d. Significant portion 
e. All or almost all 
f. Don't know

<li>How do you review the security of outsourced or subcontracted code? (please check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>Do your developers undergo software security training? (please check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>How important is previous security experience when hiring developers?</li>
a. Very important 
b. Somewhat important 
c. Nice to have but not a priority 
d. Not a factor in hiring 
e. Don't know 

<li>Do you have internal security checkpoints during the software development life-cycle? (please check all that apply)</li>
a. Yes, at every stage of the development cycle 
b. Yes, during the design phase 
c. Yes, during the testing phase 
d. No 
e. Don't know 

<li> If you answered yes to the question on internal security review, where is the organizational responsibility for this review? (please check all that apply)</li>
a. Within the development team 
b. Within the QA team 
c. Within a security team 
d. Within the internal audit team 
e. Don’t know 

<li>Do you perform independent third-party security reviews before deploying a Web application?</li>
a. Every web application undergoes an external review before deployment 
b. Only security critical applications undergo an external review 
c. Only when requested by customers 
d. We never perform external security reviews 
e. Don't know 

<li>If you answered yes to the question on external security reviews, how often do you engage external security firms? (check all that apply)</li>
a. Once at the design phase 
b. When making important security choices 
c. Ad hoc, as needed 
d. Prior to release 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $50,000 
b. $50,000 - $100,000 
c. $100,000 - $250,000 
d. $250,000 - $1,000,000 
e. Over 1 million 

<li>Does the costs of these security reviews come from: (check all that apply)</li>
a. The development budget 
b. The Q&A budget 
c. A security budget 
d. A general budget 
e. It varies 
f. Don’t know 

<li>What percentage of your total developer’s time is directly devoted to security activities? (code reviews, meetings, etc)</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. I don’t know - we don’t measure time in that way 

<li>How important is software security generally to your customers?</li>
a. Extremely important 
b. Very important 
c. Important 
d. Not very important 
e. Don't know - I don't deal with customers.

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>How important is Web application security to your executive management?</li>
a. Absolutely critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Have you suffered a significant public security incident in the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>How do you think your organization’s security spending in 2009 will change in relation to 2008?</li>
a. We will spend over 20% more in 2009 than 2008 
b. We will spend between up to 20% more in 2009 and 2008 
c. We will spend up to 20% less in 2009 than 2008 
d. We will spend over 20% less in 2009 than 2008 
e. We don’t know yet how much we will spend in 2009 
f. We don’t measure security spending 
</ol>

== Project Status ==
Completing the project description text and finalizing the proposed 25 survey questions.

== Project Contributors ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

<ul>
<li>Jeremiah Grossman (CTO, WhiteHat Security)</li>
</ul>

Category:OWASP Security Spending Benchmarks

2008-12-17T23:28:20Z

Jeremiahgrossman:

[[:Category:OWASP Project]] 

== About the Security Spending Benchmarks Project ==

Establishing a Benchmark for Security Spending in Web Application Development
The OWASP project “Security Spending in Web Application Development” aims to answer the question – How many resources should be devoted to security spending in the software development life-cycle?

== Overview ==

This project seeks to produce an industry accepted benchmark to help address the issues below. We want to quantify how many dollar and human resources should be allocated towards security in the software development life-cycle. This project is motivated by the fact that:

<ul>
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on security in the Web application development process.</li>
<li>Spending on security helps mitigate risks whose potential costs are difficult to quantify. This makes justifying and obtaining security budgets difficult.</li>
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing secure Web application, but there is no industry consensus or data on how this translates into monetary terms.</li>
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security.</li>
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not get to charge a premium for this investment.</li>
</ul>

Prior to releasing the survey we are asking colleagues to help formulate the right questions. Your feedback would be much appreciated. We want to use the answers to address the following questions:

<ul>
<li>Do organizations measure software security spending separately from the rest of their development costs?</li>
<li>How much developer time is spent on software security related activities?
How much budget is allocated towards software security as a percentage of development costs?</li>
<li>Where does the software security budget come from?</li>
</ul>

How do the above answers correlate with:

<ul>
<li>Company size</li>
<li>Industry vertical</li>
<li>Sensitivity of the underlying data</li>
<li>Existence of executive level security oversight</li>
<li>Role of security in the company’s software development cycle</li>
</ul>

== (Proposed) 25 Survey Questions ==

This survey is meant to be completed out by organization who development, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no individual answers will be published. Only aggregate reports will be published. The survey only takes about 10 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol>
<li>What is the total approximate annual revenue of your organization in USD?</li>
a. Under 1 million 
b. 1 million – 5 million 
c. 5 million- 25 million 
d. 25 million- 100 million 
e. Over 100 million 

<li>What market do you serve?</li>
a. Finance 
b. Medical 
c. Energy 
d. Government 
e. Education 
f. Professional Services 
g. Non-profit 
h. Retail 
i. Manufacturing 
j. Hospitality and Tourism 
k. Other (please specify) 

<li>What is your role within the organization?</li>
a. Executive 
b. Security professional 
c. Project manager 
d. Developer 
e. Finance 
f. Sales 
g. Marketing 
h. Other (please specify) 

<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
a. Names, addresses, and other personally identifiable information 
b. Credit card information 
c. Health care related information 
d. Financial account information 
e. Intellectual property 
f. Confidential information 
g. Other (please specify) 

<li>Which of the following security personnel does your organization have (check all that apply)</li>
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board. 
b. A senior manager or director dedicated to security 
c. Network security engineers 
d. Developers dedicated primarily to security 
e. Quality assurance testers dedicated primarily to security 
f. An Information Security Officer who also has other responsibilities. 
g. None 
h. Don’t know 

<li>Approximately how many developers does your organization employ?</li>
a. 1 - 10 
b. 10 - 50 
c. 50 - 100 
d. 100 - 500 
e. Over 500 

<li>What is the approximate total number of employees in your organization?</li>
a. 1 - 10 
b. 10 - 100 
c. 100 - 500 
d. 500 - 1000 
e. Over 1000 

<li>How much of your software development is outsourced or subcontracted?</li>
a. None 
b. Some 
c. About half 
d. Significant portion 
e. All or almost all 
f. Don't know

<li>How do you review the security of outsourced or subcontracted code? (please check all that apply)</li>
a. We don’t review the security 
b. We contractually require adherence to best-practices and/or particular security measures. 
d. We conduct a security review internally 
e. We have an independent third-party firm conduct a security review 
f. Don't know 

<li>Do your developers undergo software security training? (please check all that apply)</li>
a. Yes, via an external training course 
b. Yes, via internal resources 
c. Yes, via certifications 
d. No 
e. Don’t know 

<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
a. Basic criminal background check 
b. Extensive overall background check via third party 
c. Contacting references 
d. None 
e. Don't know 

<li>How important is previous security experience when hiring developers?</li>
a. Very important 
b. Somewhat important 
c. Nice to have but not a priority 
d. Not a factor in hiring 
e. Don't know 

<li>Do you have internal security checkpoints during the software development life-cycle? (please check all that apply)</li>
a. Yes, at every stage of the development cycle 
b. Yes, during the design phase 
c. Yes, during the testing phase 
d. No 
e. Don't know 

<li> If you answered yes to the question on internal security review, where is the organizational responsibility for this review? (please check all that apply)</li>
a. Within the development team 
b. Within the QA team 
c. Within a security team 
d. Within the internal audit team 
e. Don’t know 

<li>Do you perform independent third-party security reviews before deploying a Web application?</li>
a. Every web application undergoes an external review before deployment 
b. Only security critical applications undergo an external review 
c. Only when requested by customers 
d. We never perform external security reviews 
e. Don't know 

<li>If you answered yes to the question on external security reviews, how often do you engage external security firms? (check all that apply)</li>
a. Once at the design phase 
b. When making important security choices 
c. Ad hoc, as needed 
d. Prior to release 

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li> 
a. Under $50,000 
b. $50,000 - $100,000 
c. $100,000 - $250,000 
d. $250,000 - $1,000,000 
e. Over 1 million 

<li>Does the costs of these security reviews come from: (check all that apply)</li>
a. The development budget 
b. The Q&A budget 
c. A security budget 
d. A general budget 
e. It varies 
f. Don’t know 

<li>What percentage of your total developer’s time is directly devoted to security activities? (code reviews, meetings, etc)</li>
a. Under 2% 
b. 2%-5% 
c. 5%-10% 
d. 10%-15% 
e. Over 15% 
f. I don’t know - we don’t measure time in that way 

<li>How important is software security generally to your customers?</li>
a. Extremely important 
b. Very important 
c. Important 
d. Not very important 
e. Don't know - I don't deal with customers.

<li>Does your organization produce software or systems that deal primarily with:</li>
a. Highly sensitive data 
b. Somewhat sensitive data 
c. Not very sensitive data 
d. Depends on who is deploying it 

<li>How important is Web application security to your executive management?</li>
a. Absolutely critical 
b. Very important 
c. Somewhat important 
d. Nice to have 
e. Not very important 

<li>Is security a part of your marketing or branding strategy for your product?</li>
a. Yes 
b. No 

<li>Have you suffered a significant public security incident in the last two years?</li>
a. Yes 
b. No 
c. Don't know 

<li>How do you think your organization’s security spending in 2009 will change in relation to 2008?</li>
a. We will spend over 20% more in 2009 than 2008 
b. We will spend between up to 20% more in 2009 and 2008 
c. We will spend up to 20% less in 2009 than 2008 
d. We will spend over 20% less in 2009 than 2008 
e. We don’t know yet how much we will spend in 2009 
f. We don’t measure security spending 
</ol>

== Project Status ==
Completing the project description text and finalizing the proposed 25 survey questions.

== Project Contributors ==
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.

<ul>
<li>Jeremiah Grossman (CTO, WhiteHat Security)</li>
</ul>

Category:OWASP Security Spending Benchmarks

2008-12-15T22:13:03Z

Jeremiahgrossman:

Category:OWASP Security Spending Benchmarks

2008-12-15T22:08:32Z

Jeremiahgrossman:

Category:OWASP Security Spending Benchmarks

2008-12-15T21:54:42Z

Jeremiahgrossman:

Category:OWASP Security Spending Benchmarks

2008-12-15T21:54:07Z

Jeremiahgrossman:

Category:OWASP Security Spending Benchmarks

2008-12-15T21:53:20Z

Jeremiahgrossman:

Category:OWASP Security Spending Benchmarks

2008-12-15T21:51:57Z

Jeremiahgrossman: