
Difference between revisions of "Category:OWASP Security Spending Benchmarks"

From OWASP
Line 8 (previous revision):

== Overview ==

This project seeks to produce an industry accepted benchmark to help address the above issues. We want to quantify how many dollar and human resources should be allocated towards security in the software development life-cycle. This project is motivated by the fact that:

<ul>

Line 8 (this revision):

== Overview ==

This project seeks to produce an industry accepted benchmark to help address the issues below. We want to quantify how many dollar and human resources should be allocated towards security in the software development life-cycle. This project is motivated by the fact that:

<ul>

Revision as of 21:54, 15 December 2008

Category:OWASP Project

About the Security Spending Benchmarks Project

Establishing a Benchmark for Security Spending in Web Application Development

The OWASP project “Security Spending in Web Application Development” aims to answer the question: how many resources should be devoted to security spending in the software development life-cycle?

Overview

This project seeks to produce an industry accepted benchmark to help address the issues below. We want to quantify how much money and how much human effort should be allocated towards security in the software development life-cycle. This project is motivated by the fact that:

  • There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on security in the Web application development process.
  • Spending on security helps mitigate risks whose potential costs are difficult to quantify. This makes justifying and obtaining security budgets difficult.
  • Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing secure Web applications, but there is no industry consensus or data on how this translates into monetary terms.
  • Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security.
  • Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organizations that have invested development resources into software security may not get to charge a premium for this investment.


Prior to releasing the survey we are asking colleagues to help formulate the right questions. Your feedback would be much appreciated. We want to use the answers to address the following questions:

  • Do organizations measure software security spending separately from the rest of their development costs?
  • How much developer time is spent on software security related activities? How much budget is allocated towards software security as a percentage of development costs?
  • Where does the software security budget come from?


How do the above answers correlate with:

  • Company size
  • Industry vertical
  • Sensitivity of the underlying data
  • Existence of executive level security oversight
  • Role of security in the company’s software development cycle

Project Status

Completing the project description text and finalizing the proposed 25 survey questions.


Project Contributors

The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at bgelbord AT wgen.net with any questions or feedback.

  • Jeremiah Grossman (CTO, WhiteHat Security)
