Category:OWASP Security Spending Benchmarks
Revision as of 22:10, 23 December 2008
About the Security Spending Benchmarks Project
The Security Spending Benchmarks Project seeks to produce guidance and an industry-accepted benchmark for justifying overall Web application security spending. We want to quantify how much money and how many human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:
- There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.
- Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.
- Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web applications, but there is no industry consensus or data repository on how this translates into monetary terms.
- Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.
- Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organizations that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.
Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others:
- What percentage of a Web application development group's headcount is dedicated towards security?
- How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?
- Where do Web application security budgets come from?
- How much budget is allocated towards security education?
How do the above answers correlate with:
- Company size
- Industry vertical
- Sensitivity of the underlying data
- Existence of executive level security oversight
- Role of security in the company’s software development cycle
(Proposed) Survey Questions
This survey is meant to be completed by organizations who develop, sell, or host Web applications. It is not intended for general software consumers. Respondents do not need to provide any individually identifiable information, and no identifiable information will be published. The survey only takes about 10-15 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.
- What is the approximate total number of employees in your organization?
  a. 1 - 10
  b. 10 - 100
  c. 100 - 500
  d. 500 - 1000
  e. 1000 - 5000
  f. 5000 - 50,000
  g. Over 50,000
- What market do you serve?
  a. Finance
  b. Medical
  c. Energy
  d. Government
  e. Education
  f. Professional Services
  g. Non-profit
  h. Retail
  i. Manufacturing
  j. Hospitality and Tourism
  k. Technology
  l. Telecommunication
  m. Other (please specify)
- What is your role within the organization?
  a. Executive
  b. Security professional
  c. Project manager
  d. Developer
  e. Finance
  f. Sales
  g. Marketing
  h. Other (please specify)
- How important is Web application security to your executive management?
  a. Critical
  b. Very important
  c. Somewhat important
  d. Nice to have
  e. Not very important
  f. Don't know
- How important is Web application security generally to your customers?
  a. Critical
  b. Very important
  c. Somewhat important
  d. Nice to have
  e. Not very important
  f. Don't know
- Is security a part of your marketing or branding strategy for your product?
  a. Yes
  b. No
- Which of the following security personnel does your organization have? (check all that apply)
  a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board
  b. A senior manager or director dedicated to security
  c. Network security engineers
  d. Developers dedicated primarily to security
  e. Quality assurance testers dedicated primarily to security
  f. An Information Security Officer who also has other responsibilities
  g. None
  h. Don’t know
- Has your organization suffered a significant and publicized security incident within the last two years?
  a. Yes
  b. No
  c. Don't know
- Rank the impact of the following factors on driving your organization's security spending decisions (rank each from 1-5)
  a. Risk Mitigation
  b. Due Diligence
  c. Incident Response
  d. Compliance
  e. Competitive Advantage
- Does your organization have a specific IT security budget?
  a. Yes
  b. No
- If yes, approximately what percentage of your IT security budget is dedicated towards Web application security?
  a. 1 - 5%
  b. 5 - 10%
  c. 10 - 20%
  d. 20 - 50%
  e. Over 50%
  f. Don't know
- If yes, how do you expect your organization’s Web application security spending will change in 2009 in relation to the previous year?
  a. Over 20% spending increase
  b. Spending increase up to 20%
  c. Spending decrease less than 20%
  d. Over 20% spending decrease
  e. Don't know
  f. We don’t measure security spending
- Does your organization produce software or systems that deal primarily with:
  a. Highly sensitive data
  b. Somewhat sensitive data
  c. Not very sensitive data
  d. Depends on who is deploying it
- Which of the following regulations apply to your software? (check all that apply)
  a. PCI-DSS
  b. HIPAA
  c. SOX
  d. FERPA
  e. GLBA
  f. FISMA
  g. Depends on who is deploying it
  h. Other regulations (please specify)
  i. None of the above
  j. Don't know
- Approximately how many Web application developers does your organization employ?
  a. 1 - 10
  b. 10 - 50
  c. 50 - 100
  d. 100 - 500
  e. Over 500
- How important is previous security experience when hiring Web application developers?
  a. Critical
  b. Very important
  c. Somewhat important
  d. Nice to have
  e. Not very important
  f. Don't know
- Approximately what percentage of your development budget or head count is dedicated to security?
  a. Under 2%
  b. 2% - 5%
  c. 5% - 10%
  d. 10% - 15%
  e. Over 15%
  f. Don’t know
- Do your developers undergo software security training? (check all that apply)
  a. Yes, via an external training course
  b. Yes, via internal resources
  c. Yes, via certifications
  d. No
  e. Don’t know
- If yes, approximately how many of your developers participate?
  a. All or almost all
  b. Most
  c. About half
  d. Some
- If yes, out of what budget are the costs allocated?
  a. Development
  b. Q&A
  c. IT Security
  d. General fund
  e. Varies
  f. Don't know
- What security checkpoint reviews are present during the Web application software development life-cycle?
  a. At every stage of the development process
  b. During the design phase
  c. During the testing phase
  d. Ad hoc
  e. No security reviews
  f. Don't know
- If yes, where is the organizational responsibility for these reviews? (check all that apply)
  a. Development
  b. Q&A
  c. IT Security
  d. Internal audit
  e. Varies
  f. Don't know
- How much of your organization's Web application software development is outsourced or subcontracted?
  a. All or almost all
  b. Most
  c. About half
  d. Some
  e. None or very little
  f. Don't know
- How do you review the security of outsourced or subcontracted Web application code? (check all that apply)
  a. We don’t review the security
  b. We contractually require adherence to best practices and/or particular security measures
  c. We conduct a security review internally
  d. We have an independent third-party firm conduct a security review
  e. Don't know
- How often are independent third-party security reviews performed before deploying a Web application? (check all that apply)
  a. Immediately before deployment
  b. During the testing phase
  c. During the design phase
  d. When requested by customers
  e. Never
  f. Don't know
- If yes, out of what budget are the costs allocated?
  a. Development
  b. Q&A
  c. IT Security
  d. Internal audit
  e. Business Unit
  f. Varies
  g. Don't know
- If budget specified, approximately what percentage of that budget is allocated?
  a. All or almost all
  b. Most
  c. About half
  d. Some
  e. None or very little
  f. Don't know
- Do your IT security personnel undergo specialized training? (check all that apply)
  a. Yes, via an external training course
  b. Yes, via internal resources
  c. Yes, via certifications
  d. No
  e. Don’t know
- How many of your organization's deployed Web applications have Web application firewalls monitoring or defending them?
  a. All or almost all
  b. Most
  c. About half
  d. Some
  e. None or very little
  f. Don't know
- If yes, out of what budget are the costs allocated?
  a. Development
  b. Q&A
  c. IT Security
  d. Internal audit
  e. Business Unit
  f. Varies
  g. Don't know
- If budget specified, approximately what percentage of that budget is allocated?
  a. All or almost all
  b. Most
  c. About half
  d. Some
  e. None or very little
  f. Don't know
Additional Survey Questions to Consider
Deleted Questions
- What is the total approximate annual revenue of your organization in USD?
  a. Under 1 million
  b. 1 million - 5 million
  c. 5 million - 25 million
  d. 25 million - 100 million
  e. Over 100 million
- Which of the following background checks are conducted when hiring developers? (please check all that apply)
  a. Basic criminal background check
  b. Extensive overall background check via third party
  c. Contacting references
  d. None
  e. Don't know
- If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?
  a. Under $25,000
  b. $25,000 - $50,000
  c. $50,000 - $100,000
  d. $100,000 - $250,000
  e. $250,000 - $1,000,000
  f. Over $1,000,000
- Which of the following sensitive data types do your Web applications process? (check all that apply)
  a. Names, addresses, and other personally identifiable information
  b. Credit card information
  c. Health care related information
  d. Financial account information
  e. Intellectual property
  f. Confidential information
  g. Other (please specify)
Suggested By the Community
- Assuming the use of AntiVirus and standard Firewalls, which of the following security technologies are currently used in your organization? (check all that apply)
  a. Log management aggregation
  b. Security Incident Management
  c. Application Layer Firewalls
  d. IDS / IPS
  e. Automated Compliance Monitoring
  f. Data Loss Prevention
  g. Web traffic monitoring and/or filtering
  h. Penetration testing tools
  i. Vulnerability Scanners
  j. Other (please specify)
- How is your Web application development environment protected during development?
  a. By an air gap, no connection to the corporate network or internet
  b. By a Web application firewall enclave
  c. With the standard firewalls, IDS/IPS, etc. that protect the whole organization
  d. Developers are allowed direct access to the internet to speed the development process and leverage outside code sources
  e. I don’t know
- There was some feedback on the preference of deleted question #4 over #11. Tying data types to regulation is easier to do.
Data Collection & Distribution
For data collection our current plan is to utilize the SurveyMonkey system for hosting the survey. We will not be collecting any personally identifiable information (names, addresses, employer, email addresses, etc.) from the respondents. While we expect a limited number of respondents to try to intentionally skew the results, we plan to take precautions that limit this risk without creating unnecessary overhead. We may decide to control survey access via username/password, as well as through a trusted network of contacts. All information collected will be redistributed in report form (PDF, HTML) as well as raw form (CSV, XML, etc.).
Project Status
Completing the project description text and finalizing the proposed survey questions.
Project Leadership
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at bgelbord AT wgen.net with any questions or feedback.
Project Contributors
Jeremiah Grossman (Founder & CTO, WhiteHat Security)