This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

CISO Survey 2013: Tools and technology

Jump to: navigation, search

< Back to the CISO Survey

3. Tools and technology

Significance of OWASP guidance, books and white papers

To better understand how organizations benefit from existing OWASP activities and what is most useful for organizations, we also asked the CISOs what OWASP activities serve them well, and which ones are more or less significant. For data analysis we designed a weighted scoring that would rank based on how many rated activities as extremely significant, very significant, significant, somewhat significant or not significant. Most significant help are OWASP projects for awareness programs and awareness material, with a weighted score of 140 and about 70% stating that OWASP is extremely significant, very significant or significant for this area. While staff attending local chapter meetings or AppSec conferences is still important, with a score of 54 and more than 30% of the surveyed CISOs rating this activity as extremely significant, very significant or significant.

CISO Survey 2013 9 OWASP significance.png

Top-5 most useful OWASP projects for organizations from the perspective of the CISO.

The 5 most useful OWASP projects from the standpoint of a CISO are the 1. OWASP Top-10 2. Cheatsheets 3. Development Guide 4. Secure Coding Practices Quick Reference 5. Application Security FAQ With the Top-10 a clear leading number one position, while the other four projects are relatively equal in their rating and basically sharing second place.

CISO Survey 2013 10 Top-5 Projects.png

Design of the information security management program

As information security programs vary widely across organizations, we asked the CISO which key elements are part of their programs:

CISO Survey 2013 11 ISM programs.png

Naturally, security requirements, guidelines, security training and risk management were prevalent parts of information security management programs. Interestingly, using a secure software development lifecycle did rank fairly low as a part of the CISOs’ current security management programs. This finding might also be an indication for a lack of using an application security strategy or maturity model to determine which domains to focus on and which SDLC activities to implement. (see also the CISO AppSec Guide: Application Security Program)

Two thirds use technical tools to support their application security management process

CISO Survey 2013 12 process tools.png

For example, we found the following tools are used by organizations:

CISO Survey 2013 13 IS tools.png