This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP Security Spending Benchmarks"

From OWASP
 
(66 intermediate revisions by 5 users not shown)
Line 1: Line 1:
[[:Category:OWASP Project]]<br>
+
{|
 +
|-
 +
! width="700" align="center" | <br>
 +
! width="500" align="center" | <br>
 +
|-
 +
| align="right" | [[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]]  
 +
| align="right" |
  
== About the Security Spending Benchmarks Project ==
+
|}
 +
[[:Category:OWASP Project]]<br>
  
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:
+
== NEXT REPORT CURRENTLY COLLECTING RESPONSES - AIMING FOR Q2 DELIVERY ==
  
<ul>
+
== Q2 Report Published - Focus on Cloud Computing ==
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li>
 
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
 
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li>
 
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li>
 
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li>
 
</ul>
 
  
 +
The Q2 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:
  
Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others:
+
[[http://www.owasp.org/images/f/f0/OWASP_SSB_Q2_Project_Report.pdf PDF Download]]
  
<ul>
+
There are a number of key findings in the Q2 09 study:
  
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li>
+
* Software-as-a-Service is in much greater use than Infrastructure-as-a-Service or Platform-as-a-Service. Over half of respondents make moderate or significant use of SaaS. Less than a quarter of all respondents make any use of either IaaS or PaaS.
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li>
 
<li>Where do Web application security budget come from?</li>
 
<li>How much budget is allocated towards security education?</li>
 
</ul>
 
  
 +
* Security spending does not change significantly as a result of cloud computing. Respondents did not report significant spending changes in the areas of network security, third party security reviews, security personnel, or identity management.
  
How do the above answers correlate with:
+
* Organizations are not doing their homework when it comes to cloud security. When engaging a cloud partner, only half of organizations inquire about common security-related issues, and only a third require documentation of security measures in place.
  
<ul>
+
* The risk of an undetected data breach is the greatest concern with using cloud computing, closely followed by the risk of a public data breach.
<li>Company size</li>
 
<li>Industry vertical</li>
 
<li>Sensitivity of the underlying data</li>
 
<li>Existence of executive level security oversight</li>
 
<li>Role of security in the company’s software development cycle</li>
 
</ul>
 
  
 +
* Compliance and standards requirements related to cloud computing are not well understood. Respondents report having the greatest understanding of PCI requirements relating to cloud computing and the least understanding of HIPAA cloud requirements.
  
== (Proposed) Survey Questions  ==
 
  
This survey is meant to be completed out by organizations who develop, sell, or host Web applications.  It is not intended for general software consumers. Respondents do not  not need to provide any individually identifiable information and no identifiable information will be published.  The survey only takes about 10-15 minutes.  Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.
+
== Security Spending Benchmarks Project Report March 2009 ==
  
 +
The Q1 2009 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:
  
<ol>
+
[[http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf PDF Download]].
  
<li>What is the approximate total number of employees in your organization?</li>
+
There are a number of key findings in the Q1 09 study:
a. 1 - 10 <br>
 
b. 10 - 100 <br>
 
c. 100 - 500 <br>
 
d. 500 - 1000<br>
 
e. 1000 - 5000<br>
 
f. 5000-50,000<br>
 
g. Over 50,000 <br>
 
  
 +
* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.
  
<li>What market do you serve?</li>
+
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.
a.     Finance<br>
 
b.      Medical<br>
 
c.      Energy<br>
 
d.      Government<br>
 
e.      Education<br>
 
f.      Professional Services<br>
 
g.      Non-profit<br>
 
h.      Retail<br>
 
i.      Manufacturing<br>
 
j.      Hospitality and Tourism<br>
 
k.      Technology <br>
 
l.      Telecommunication <br>
 
m.      Other (please specify)<br>
 
  
 +
* Half of respondents consider security experience important when hiring developers,  and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.
 +
     
 +
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).
  
<li>What is your role within the organization?</li>
+
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.
a. Executive<br>
 
b. Security professional<br>
 
c. Project manager<br>
 
d. Developer<br>
 
e. Finance<br>
 
f. Sales<br>
 
g. Marketing<br>
 
h. Other (please specify)<br>
 
  
 +
== Raw Data ==
  
<li>How important is Web application security to your executive management?</li>
+
Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here].  
a. Critical<br>
 
b. Very important<br>
 
c. Somewhat important<br>
 
d. Nice to have<br>
 
e. Not very important<br>
 
f.     Don't know<br>
 
  
 +
== Inquiries ==
  
<li>How important is Web application security generally to your customers?</li>
+
Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.
a. Critical<br>
 
b. Very important<br>
 
c. Somewhat important<br>
 
d. Nice to have<br>
 
e. Not very important<br>
 
f.     Don't know<br>
 
  
 +
== About the Security Spending Benchmarks Project ==
  
<li>Is security a part of your marketing or branding strategy for your product?</li>
+
The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:
a. Yes<br>
 
b. No<br>
 
  
 +
<ul>
 +
<li>There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.</li>
 +
<li>Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.</li>
 +
<li>Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.</li>
 +
<li>Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.</li>
 +
<li>Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.</li>
 +
</ul>
  
<li>Which of the following security personnel does your organization have? (check all that apply)</li>
 
a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board.<br>
 
b. A senior manager or director dedicated to security<br>
 
c. Network security engineers<br>
 
d. Developers dedicated primarily to security<br>
 
e. Quality assurance testers dedicated primarily to security<br>
 
f. An Information Security Officer who also has other responsibilities.<br>
 
g. None<br>
 
h. Don’t know<br>
 
  
 +
The survey was formulated with the help of our project partners to address the following questions and many others:
  
<li>Has your organization suffered a significant and publicized security incident within the last two years?</li>
+
<ul>
a. Yes<br>
 
b. No<br>
 
c.      Don't know <br>
 
  
 +
<li>What percentage of a Web application development groups headcount is dedicated towards security?</li>
 +
<li>How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?</li>
 +
<li>Where do Web application security budget come from?</li>
 +
<li>How much budget is allocated towards security education?</li>
 +
</ul>
  
<li>Rank the impact of the following factors on driving your organization's security spending decisions (rank each from 1-5)</li>
+
== Data Collection & Distribution ==
a. Risk Mitigation <br>
 
b. Due Diligence <br>
 
c. Incident Response <br>
 
d. Compliance<br>
 
e. Competitive Advantage<br>
 
  
 +
We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we take precautions to limit the potential while not creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through Survey Monkey.
  
<li>Does your organization have a specific IT security budget?</li>
 
a. Yes<br>
 
b. No<br>
 
  
<ul>
+
== Project Status  ==
<li>If yes, approximately what percentage of your IT security budget is dedicated towards Web application security?</li>
 
a. 1 - 5% <br>
 
b. 5 - 10% <br>
 
c. 10 - 20% <br>
 
d. 20 - 50% <br>
 
e. Over 50% <br>
 
f. Don't know <br>
 
  
<li>If yes, How do you expect your organization’s Web application security spending will change in 2009 in relation to the previous year?</li>
+
Q2 Timeline:
a. Over 20% spending increase <br>
 
b. Spending increase up to 20%<br>
 
c. Spending decrease less than 20%<br>
 
d. Over 20% spending decrease <br>
 
e. Don't know<br>
 
f. We don’t measure security spending<br>
 
</ul>
 
  
<li>Does your organization produce software or systems that deal primarily with:</li>
+
1. April 1-15: Discuss thematic priorities with partners. Expand partner network.<br />
a. Highly sensitive data<br>
+
2. April 15-30: Formulate survey questions based on identified thematic priorities <br />
b. Somewhat sensitive data<br>
+
3. May 1st-June 10th (EXTENDED): Collect survey responses through partner network.<br />
c. Not very sensitive data <br>
+
4. June 10th-June 20th: Analyze results and produce draft report.<br />
d. Depends on who is deploying it<br>
+
5. June 20th - June 25th: Get partner feedback on draft and make edits.<br />
 +
6. June 30th: Final report published<br />
  
 +
Q1 Timeline:
  
<li>Which of the following regulations apply to your software (check all that apply)?</li>
+
1. Completing the project description text and finalizing the proposed survey questions. (DONE) <br />
a.     PCI-DSS<br>
+
2. January 12th - Open up survey to respondents (DONE) <br />
b.     HIPAA<br>
+
3. February 6 (extended from Jan 26) - Close survey (DONE) <br />
c.     SOX <br>
+
4. February 6th - Survey Analysis Begins (DONE) <br />
d.     FERPA <br>
+
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE) <br />
e.     GLBA <br>
+
6. February 20th- Decision point whether to include late submissions (DONE) <br />
f.     FISMA <br>
+
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE) <br/>
g.     Depends on who is deploying it<br>
+
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results.(DONE)<br/>
h.     Other regulations (please specify)<br>
+
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.<br/>
i.     None of the above<br>
 
j.     Don't know<br>
 
  
 +
== News Coverage of OWASP SSB Project ==
  
<li>Approximately how many Web application developers does your organization employ?</li>
+
SC Magazine: [http://www.scmagazineus.com/OWASP-Security-Spending-Benchmarks-Report-published/article/129116/ OWASP Security Spending Benchmarks Report Published]
a. 1 - 10 <br>
 
b. 10 - 50 <br>
 
c. 50 - 100 <br>
 
d. 100 - 500<br>
 
e. Over 500<br>
 
  
 +
Dark Reading: [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=215901240 Web Application Security Spending Relatively Unscathed by Poor Economy]
  
<li>How important is previous security experience when hiring Web application developers?</li>
+
Search Security: [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html More companies seek third-party code review, survey finds]
a. Critical<br>
 
b. Very important<br>
 
c. Somewhat important<br>
 
d. Nice to have<br>
 
e. Not very important<br>
 
f.     Don't know<br>
 
  
 +
Security-Insider: (Germany): [http://www.security-insider.de/themenbereiche/applikationssicherheit/web-application-security/articles/260380/ OWASP Top Ten 2010]
  
<li>Approximately what percentage of your development budget or head count is dedicated to security?</li>
+
PC World: [http://www.pcworld.com/businesscenter/article/162012/survey_gauges_web_application_security_spending.html Survey Guages Web Application Security Spending]
a. Under 2%<br>
 
b. 2%-5%<br>
 
c. 5%-10%<br>
 
d. 10%-15%<br>
 
e. Over 15%<br>
 
f. Don’t know<br>
 
  
 +
Info World [http://www.infoworld.com/article/09/03/26/Survey_gauges_Web_application_security_spending_1.html Survey Gauges Web Application Security Spending]
  
<li>Do your developers undergo software security training? (check all that apply)</li>
+
Network World [http://www.networkworld.com/news/2009/032609-survey-gauges-web-application-security.html Survey Gauges Web Application Security Spending]
a. Yes, via an external training course<br>
 
b. Yes, via internal resources<br>
 
c. Yes, via certifications<br>
 
d. No<br>
 
e. Don’t know<br>
 
  
<ul>
+
The IT Chronicle [http://www.theitchronicle.com/content/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]
<li>If yes, approximately how many of your developers participate?</li>
 
a. All of almost all<br>
 
b. Most<br>
 
c. About half<br>
 
d. Some<br>
 
  
<li>If yes, out of what budget are the costs allocated?</li>
+
The Industry Standard [http://www.thestandard.com/news/2009/03/26/survey-gauges-web-application-security-spending Survey Gauges Web Application Security Spending]
a. Development<br>
 
b. Q&A<br>
 
c. IT Security<br>
 
d. General fund<br>
 
e. Varies<br>
 
f. Don't know<br>
 
</ul>
 
  
 +
CIO.com [http://www.cio.com/article/486881/Survey_Gauges_Web_Application_Security_Spending Survey Gauges Web Application Security Spending]
  
<li>What security checkpoint reviews are present during the Web application software development life-cycle?</li>
+
CIO Espana [http://www.idg.es/cio/Mas-de-un-25_por_ciento-de-las-empresas-elevara-su-gasto-en-seguridad-de-aplicaciones-Web/doc78597-seguridad.htm Más de un 25% de las empresas elevará su gasto en seguridad de aplicaciones Web]
a. At every stage of the development process<br>
 
b. During the design phase<br>
 
c. During the testing phase<br>
 
d.      Ad hoc <br>
 
e.      No security reviews <br>
 
f.      Don't know <br>
 
  
<ul>
+
Information Week [http://www.informationweek.com/blog/main/archives/2009/03/firms_taking_we.html Firms Taking Web App Security (More) Seriously]
<li>If yes, where is the organizational responsibility for these reviews? (check all that apply)</li>
 
a. Development<br>
 
b. Q&A<br>
 
c. IT Security<br>
 
d. Internal audit<br>
 
e. Varies<br>
 
f. Don't know<br>
 
</ul>
 
  
 +
Search Security [http://securitywireweekly.blogs.techtarget.com/2009/03/25/owasp-security-benchmark-study-mobile-threats-real/ Podcast]
  
<li>How much of your organizations Web application software development is outsourced or subcontracted?</li>
+
Search Security [http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1352074,00.html Video Interview with Boaz Gelbord]
a. All or almost all<br>
 
b. Most<br>
 
c. About half<br>
 
d. Some<br>
 
e. None or very little<br>
 
f.     Don't know
 
  
 +
CIO India [http://www.cio.in/news/viewArticle/ARTICLEID=5931602 Web Apps Security Spending Rising]
  
<li>How do you review the security of outsourced or subcontracted Web application code? (check all that apply)</li>
+
Information Security Magazine [http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1352162,00.html Web browsers remain vulnerable to user mistakes]
a. We don’t review the security<br>
 
b. We contractually require adherence to best-practices and/or particular security measures.<br>
 
d. We conduct a security review internally<br>
 
e. We have an independent third-party firm conduct a security review<br>
 
f.      Don't know <br>
 
  
 +
== Project Leadership ==
 +
The Security Spending Benchmarks Project Leader is [http://www.boazgelbord.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation and Founder, [http://www.securityscoreboard.com/ Security Scoreboard]). Boaz can be reached directly at '''boaz.gelbord AT owasp.org''' with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.
  
<li>How often are independent third-party security reviews performed before deploying a Web application? (check all that apply)</li>
+
== Project Contributors  ==
a. Immediately before deployment<br>
 
a. During the testing phase<br>
 
a. During the design phase<br>
 
c.      When requested by customers<br>
 
d.      Never<br>
 
e.      Don't know<br>
 
 
 
<ul>
 
<li>If yes, out of what budget are the costs allocated?</li>
 
a. Development<br>
 
b. Q&A<br>
 
c. IT Security<br>
 
d. Internal audit<br>
 
e. Business Unit<br>
 
     
 
f. Varies<br>
 
g. Don't know<br>
 
</ul>
 
 
 
<ul>
 
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
 
a. All of almost all<br>
 
b. Most<br>
 
c. About half<br>
 
d. Some<br>
 
e. None or very little<br>
 
f.      Don't know
 
</ul>
 
 
 
 
 
<li>Do your IT security personnel undergo specialized training? (check all that apply)</li>
 
a. Yes, via an external training course<br>
 
b. Yes, via internal resources<br>
 
c. Yes, via certifications<br>
 
d. No<br>
 
e. Don’t know<br>
 
  
 +
[[Image:AppSecLogo.jpg]]<br clear="all">
  
<li>How many of your organizations deployed Web applications have Web application firewalls monitoring of defending them?</li>
+
[[Image:Aspect_logo_resized.jpg]]<br clear="all">
a. All of almost all<br>
 
b. Most<br>
 
c. About half<br>
 
d. Some<br>
 
e. None or very little<br>
 
f.      Don't know
 
  
<ul>
+
[[Image:Cenzic.jpg]]<br clear="all">
<li>If yes, out of what budget are the costs allocated?</li>
 
a. Development<br>
 
b. Q&A<br>
 
c. IT Security<br>
 
d. Internal audit<br>
 
           
 
e. Business Unit<br>
 
f. Varies<br>
 
g. Don't know<br>
 
</ul>
 
  
<ul>
+
[[Image:Cigital_logo.gif]]<br clear="all">
<li>If budget specified, approximate what percentage of that budget is allocated?</li>
 
a. All of almost all<br>
 
b. Most<br>
 
c. About half<br>
 
d. Some<br>
 
e. None or very little<br>
 
f.      Don't know
 
</ul>
 
  
</ol>
+
[[Image:CSI.jpg | 200px]]<br clear="all">
  
== Additional Survey Questions to Consider  ==
+
[[Image:Denim_logo.gif]]<br clear="all">
  
 +
[[Image:echelonone.jpg]]<br clear="all">
  
 +
[[Image:eema.jpg]]<br clear="all">
  
== Deleted Questions ==
+
[[Image:Fortify_logo.png]]<br clear="all">
<ol>
 
<li>What is the total approximate annual revenue of your organization in USD?</li>
 
a. Under 1 million <br>
 
b. 1 million – 5 million <br>
 
c. 5 million- 25 million<br>
 
d. 25 million- 100 million<br>
 
e. Over 100 million<br>
 
  
<li>Which of the following background checks are conducted when hiring developers? (please check all that apply)</li>
+
[[Image:GDS_LOGO_SMALL.jpg]]<br clear="all">
a. Basic criminal background check<br>
 
b. Extensive overall background check via third party<br>
 
c.      Contacting references<br>
 
d.      None<br>
 
e.      Don't know <br>
 
  
<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
+
[[Image:Ifis_logo.jpg]]<br clear="all">
a. Under $25,000<br>
 
b. $25,000- $50,000<br>
 
c. $50,000 - $100,000 <br>
 
d. $100,000 - $250,000 <br>
 
e. $250,000 - $1,000,000<br>
 
f. Over 1 million<br>
 
  
<li>Which of the following sensitive data types do your Web applications process? (check all that apply)</li>
+
[[Image:MetroSITEGroup.jpg]] <br clear="all">
a. Names, addresses, and other personally identifiable information<br>
 
b. Credit card information<br>
 
c. Health care related information<br>
 
d. Financial account information<br>
 
e. Intellectual property<br>
 
f. Confidential information<br>
 
g. Other (please specify)<br>
 
</ol>
 
  
== Suggested By the Community ==
+
[[Image:Imperva_Logo.gif]]<br clear="all">
<ol>
 
<li>
 
Assuming the use of AntiVirus and standard Firewalls, which of the following security technologies are currently used in your organization? (check all that apply) </li>
 
a. Log management aggregation<br>
 
b. Security Incident Management<br>
 
c. Application Layer Firewalls<br>
 
d. IDS / IPS<br>
 
e. Automated Compliance Monitoring<br>
 
f. Data Loss Prevention <br>
 
g. Web traffic monitoring and/or filtering<br>
 
h. Penetration testing tools<br>
 
i. Vulnerability Scanners<br>
 
j. Other (please specify)<br>
 
  
<li>How is your web application development environment protected during development?</li>
+
[[Image:The-open-group.gif]]<br clear="all">
a. By an air gap, no connection to the corporate network or internet<br>
 
b. By a Web application firewall enclave<br>
 
c. With the standard firewalls, IDS/IPS, etc. that protects the whole organization<br>
 
d. Developers are allowed direct access to the internet to speed the development process and leverage outside code sources<br>
 
e. I don’t know<br>
 
  
<li> There was some feedback on the preference of deleted question #4 over #11. Tying data types to regulation is easier to do.
+
[[Image:Rapid7.png]]<br clear="all">
  
</ol>
+
[[Image:Sectheory-logo-2.jpg]]<br clear="all">
  
== Data Collection & Distribution ==
+
[[Image:Logo_securosis.png]]<br clear="all">
  
For data collection our current plan is to utilize the SurveyMonkey system for hosting of the survey. We will not be collecting any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents trying to intentionally skew the results, we plan to take precautions to limit the potential while not creating unnecessary overhead. We may decide to control survey access via username/password, as well as through a trusted network of contacts. All information collected will be redistributed in report (PDF, HTML) as well as raw (CSV, XML, etc.) form.
+
[[Image:Tssci.png]]<br clear="all">
  
 
+
[[Image:TTT_logo_2008.png]]<br clear="all">
== Project Status  ==
 
Completing the project description text and finalizing the proposed survey questions.
 
 
 
 
 
== Project Leadership  ==
 
The Security Spending Benchmarks Project Leader is [http://boazgelbord.blogspot.com/ Boaz Gelbord] (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at '''bgelbord AT wgen.net''' with any questions or feedback.
 
 
 
 
 
== Project Contributors  ==
 
  
 
[[Image:Whitehat_security_logo.gif]]<br clear="all">
 
[[Image:Whitehat_security_logo.gif]]<br clear="all">
Jeremiah Grossman (Founder & CTO)
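Review bot: the Project Contributors block on the old side lists the WhiteHat logo twice in a row ([[Image:Whitehat_security_logo.gif]] appears on two consecutive lines ahead of "Jeremiah Grossman (Founder & CTO)"); one of the two should be dropped. Two smaller points in the added News Coverage list: the PC World entry's link text reads "Survey Guages Web Application Security Spending" while every other outlet's entry spells it "Gauges", and the Security-Insider entry's link text is "OWASP Top Ten 2010", which does not describe coverage of the SSB project, so either the title or the URL of that entry looks wrong.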
 

Latest revision as of 19:51, 23 January 2014



OWASP Inactive Banner.jpg

Category:OWASP Project

NEXT REPORT CURRENTLY COLLECTING RESPONSES - AIMING FOR Q2 DELIVERY

Q2 Report Published - Focus on Cloud Computing

The Q2 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:

PDF Download: http://www.owasp.org/images/f/f0/OWASP_SSB_Q2_Project_Report.pdf

There are a number of key findings in the Q2 09 study:

  • Software-as-a-Service is in much greater use than Infrastructure-as-a-Service or Platform-as-a-Service. Over half of respondents make moderate or significant use of SaaS. Less than a quarter of all respondents make any use of either IaaS or PaaS.
  • Security spending does not change significantly as a result of cloud computing. Respondents did not report significant spending changes in the areas of network security, third party security reviews, security personnel, or identity management.
  • Organizations are not doing their homework when it comes to cloud security. When engaging a cloud partner, only half of organizations inquire about common security-related issues, and only a third require documentation of security measures in place.
  • The risk of an undetected data breach is the greatest concern with using cloud computing, closely followed by the risk of a public data breach.
  • Compliance and standards requirements related to cloud computing are not well understood. Respondents report having the greatest understanding of PCI requirements relating to cloud computing and the least understanding of HIPAA cloud requirements.


Security Spending Benchmarks Project Report March 2009

The Q1 2009 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:

PDF Download: http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf

There are a number of key findings in the Q1 09 study:

  • Organizations that have suffered a public data breach spend more on security in the development process than those that have not.
  • Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.
  • Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.
  • At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).
  • Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.

Raw Data

Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found at https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d

Inquiries

Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.

About the Security Spending Benchmarks Project

The Security Spending Benchmarks Project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:

  • There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.
  • Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.
  • Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web applications, but there is no industry consensus or data repository on how this translates into monetary terms.
  • Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.
  • Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organizations that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.


The survey was formulated with the help of our project partners to address the following questions and many others:

  • What percentage of a Web application development group's headcount is dedicated to security?
  • How much budget is allocated to Web application security as a percentage of software development and overall operational IT security costs?
  • Where do Web application security budgets come from?
  • How much budget is allocated to security education?

Data Collection & Distribution

We use the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any personally identifiable information (names, addresses, employer, email addresses, etc.) from the respondents. While we expect a limited number of respondents to try to intentionally skew the results, we take precautions to limit that potential without creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through SurveyMonkey.


Project Status

Q2 Timeline:

1. April 1-15: Discuss thematic priorities with partners. Expand partner network.
2. April 15-30: Formulate survey questions based on identified thematic priorities
3. May 1st-June 10th (EXTENDED): Collect survey responses through partner network.
4. June 10th-June 20th: Analyze results and produce draft report.
5. June 20th - June 25th: Get partner feedback on draft and make edits.
6. June 30th: Final report published

Q1 Timeline:

1. Completing the project description text and finalizing the proposed survey questions. (DONE)
2. January 12th - Open up survey to respondents (DONE)
3. February 6 (extended from Jan 26) - Close survey (DONE)
4. February 6th - Survey Analysis Begins (DONE)
5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report (DONE)
6. February 20th- Decision point whether to include late submissions (DONE)
7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication. (DONE)
8. March 19th (was March 15th) - Publish report after integrating partner feedback. Generate community interest and discussion around results. (DONE)
9. After March 19th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.

News Coverage of OWASP SSB Project

SC Magazine: OWASP Security Spending Benchmarks Report Published

Dark Reading: Web Application Security Spending Relatively Unscathed by Poor Economy

Search Security: More companies seek third-party code review, survey finds

Security-Insider: (Germany): OWASP Top Ten 2010

PC World: Survey Gauges Web Application Security Spending

Info World: Survey Gauges Web Application Security Spending

Network World: Survey Gauges Web Application Security Spending

The IT Chronicle: Survey Gauges Web Application Security Spending

The Industry Standard: Survey Gauges Web Application Security Spending

CIO.com: Survey Gauges Web Application Security Spending

CIO España: More than 25% of companies will increase their spending on Web application security

Information Week: Firms Taking Web App Security (More) Seriously

Search Security: Podcast

Search Security: Video Interview with Boaz Gelbord

CIO India: Web Apps Security Spending Rising

Information Security Magazine: Web browsers remain vulnerable to user mistakes

Project Leadership

The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation and Founder, Security Scoreboard). Boaz can be reached directly at boaz.gelbord AT owasp.org with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.

Project Contributors

[Contributor logos, images not reproduced: AppSec, Aspect, Cenzic, Cigital, CSI, Denim, EchelonOne, EEMA, Fortify, GDS, IFIS, MetroSITE Group, Imperva, The Open Group, Rapid7, SecTheory, Securosis, TSSCI, TTT, WhiteHat Security]
