This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Difference between revisions of "Category:OWASP Security Spending Benchmarks"

Jump to: navigation, search
Line 153: Line 153:
<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?</li>
a. Under $50,000<br>
a. Under $25,000<br>
b. $50,000 - $100,000 <br>
b. $25,000- $50,000<br>
c. $100,000 - $250,000 <br>
c. $50,000 - $100,000 <br>
d. $250,000 - $1,000,000<br>
d. $100,000 - $250,000 <br>
e. Over 1 million<br>
e. $250,000 - $1,000,000<br>
f. Over 1 million<br>
<li>Does the costs of these security reviews come from: (check all that apply)</li>
<li>Does the costs of these security reviews come from: (check all that apply)</li>

Revision as of 05:00, 18 December 2008

Category:OWASP Project

About the Security Spending Benchmarks Project

This OWASP project seeks to produce an industry accepted benchmark for justifying spending in Web application security. We want to quantify how many dollar and human resources should be allocated towards Web application security, including that of within the software development life-cycle. This project is motivated by the fact that:

  • There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security and the application development processes.
  • Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.
  • Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and hosting secure Web application, but there is no industry consensus or data on how this translates into monetary terms.
  • Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security.
  • Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not get to charge a premium for this investment.

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the answers to address the following questions:

  • What percentage of a development groups headcount is dedicated towards security?
  • How much budget is allocated towards software security as a percentage of development costs?
  • Where does the software security budget come from?
  • How much budget is allocated towards developer security education?
  • How much budget is allocated towards independent third-party security reviews?
  • Where does the independent third-party security review budget come from?
  • How much budget is allocated towards Web application firewalls?
  • Where does Web application firewall budget come from?

How do the above answers correlate with:

  • Company size
  • Industry vertical
  • Sensitivity of the underlying data
  • Existence of executive level security oversight
  • Role of security in the company’s software development cycle

(Proposed) 25 Survey Questions

This survey is meant to be completed out by organizations who develop, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no individual answers will be published. Only aggregate reports will be published. The survey only takes about 10 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

  1. What is the approximate total number of employees in your organization?
  2. a. 1 - 10
    b. 10 - 100
    c. 100 - 500
    d. 500 - 1000
    e. Over 1000

  3. What market do you serve?
  4. a. Finance
    b. Medical
    c. Energy
    d. Government
    e. Education
    f. Professional Services
    g. Non-profit
    h. Retail
    i. Manufacturing
    j. Hospitality and Tourism
    k. Other (please specify)

  5. What is your role within the organization?
  6. a. Executive
    b. Security professional
    c. Project manager
    d. Developer
    e. Finance
    f. Sales
    g. Marketing
    h. Other (please specify)

  7. Which of the following security personnel does your organization have (check all that apply)
  8. a. A Chief Information Security Officer or other dedicated security executive on the company’s executive board.
    b. A senior manager or director dedicated to security
    c. Network security engineers
    d. Developers dedicated primarily to security
    e. Quality assurance testers dedicated primarily to security
    f. An Information Security Officer who also has other responsibilities.
    g. None
    h. Don’t know

  9. Approximately how many developers does your organization employ?
  10. a. 1 - 10
    b. 10 - 50
    c. 50 - 100
    d. 100 - 500
    e. Over 500

  11. How much of your software development is outsourced or subcontracted?
  12. a. None
    b. Some
    c. About half
    d. Significant portion
    e. All or almost all
    f. Don't know

  13. How do you review the security of outsourced or subcontracted code? (please check all that apply)
  14. a. We don’t review the security
    b. We contractually require adherence to best-practices and/or particular security measures.
    d. We conduct a security review internally
    e. We have an independent third-party firm conduct a security review
    f. Don't know

  15. Do your developers undergo software security training? (please check all that apply)
  16. a. Yes, via an external training course
    b. Yes, via internal resources
    c. Yes, via certifications
    d. No
    e. Don’t know

  17. How important is previous security experience when hiring developers?
  18. a. Very important
    b. Somewhat important
    c. Nice to have but not a priority
    d. Not a factor in hiring
    e. Don't know

  19. Do you have internal security checkpoints during the software development life-cycle? (please check all that apply)
  20. a. Yes, at every stage of the development cycle
    b. Yes, during the design phase
    c. Yes, during the testing phase
    d. No
    e. Don't know

  21. If you answered yes to the question on internal security review, where is the organizational responsibility for this review? (please check all that apply)
  22. a. Within the development team
    b. Within the QA team
    c. Within a security team
    d. Within the internal audit team
    e. Don’t know

  23. Do you perform independent third-party security reviews before deploying a Web application?
  24. a. Every web application undergoes an external review before deployment
    b. Only security critical applications undergo an external review
    c. Only when requested by customers
    d. We never perform external security reviews
    e. Don't know

  25. If you answered yes to the question on external security reviews, how often do you engage external security firms? (check all that apply)
  26. a. Once at the design phase
    b. When making important security choices
    c. Ad hoc, as needed
    d. Prior to release

  27. If you answered yes to the question on external security reviews, what is the approximate annual expenditure (USD) on these reviews?
  28. a. Under $25,000
    b. $25,000- $50,000
    c. $50,000 - $100,000
    d. $100,000 - $250,000
    e. $250,000 - $1,000,000
    f. Over 1 million

  29. Does the costs of these security reviews come from: (check all that apply)
  30. a. The development budget
    b. The Q&A budget
    c. A security budget
    d. A general budget
    e. It varies
    f. Don’t know

  31. What percentage of your total developer’s time is directly devoted to security activities? (code reviews, meetings, etc)
  32. a. Under 2%
    b. 2%-5%
    c. 5%-10%
    d. 10%-15%
    e. Over 15%
    f. I don’t know - we don’t measure time in that way

  33. How important is software security generally to your customers?
  34. a. Extremely important
    b. Very important
    c. Important
    d. Not very important
    e. Don't know - I don't deal with customers.

  35. Which of the following regulations apply to your software (check all that apply)?
  36. a. PCI
    b. HIPAA
    c. SOX
    d. FERPA
    e. Depends on who is deploying it
    f. Other regulations (please specify)
    g. None of the above
    h. Don't know

  37. Does your organization produce software or systems that deal primarily with:
  38. a. Highly sensitive data
    b. Somewhat sensitive data
    c. Not very sensitive data
    d. Depends on who is deploying it

  39. How important is Web application security to your executive management?
  40. a. Absolutely critical
    b. Very important
    c. Somewhat important
    d. Nice to have
    e. Not very important

  41. Is security a part of your marketing or branding strategy for your product?
  42. a. Yes
    b. No

  43. Have you suffered a significant public security incident in the last two years?
  44. a. Yes
    b. No
    c. Don't know

  45. How do you think your organization’s security spending in 2009 will change in relation to 2008?
  46. a. We will spend over 20% more in 2009 than 2008
    b. We will spend between up to 20% more in 2009 and 2008
    c. We will spend up to 20% less in 2009 than 2008
    d. We will spend over 20% less in 2009 than 2008
    e. We don’t know yet how much we will spend in 2009
    f. We don’t measure security spending

Additional Survey Questions to Consider

  1. Please rank how much the following drive your organization budgeting decisions
  2. - Risk Mitigation
    - Due Diligence
    - Incident Response
    - Regulatory Compliance
    - Competitive Advantage

Deleted Questions

  1. What is the total approximate annual revenue of your organization in USD?
  2. a. Under 1 million
    b. 1 million – 5 million
    c. 5 million- 25 million
    d. 25 million- 100 million
    e. Over 100 million

  3. Which of the following background checks are conducted when hiring developers? (please check all that apply)
  4. a. Basic criminal background check
    b. Extensive overall background check via third party
    c. Contacting references
    d. None
    e. Don't know

  5. Which of the following sensitive data types do your Web applications process? (check all that apply)
  6. a. Names, addresses, and other personally identifiable information
    b. Credit card information
    c. Health care related information
    d. Financial account information
    e. Intellectual property
    f. Confidential information
    g. Other (please specify)

Project Status

Completing the project description text and finalizing the proposed 25 survey questions.

Project Contributors

The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at bgelbord AT with any questions or feedback.

  • Jeremiah Grossman (CTO, WhiteHat Security)

This category currently contains no pages or media.