Category:OWASP Security Spending Benchmarks


About the Security Spending Benchmarks Project
The Security Spending Benchmarks Project seeks to produce guidance and an industry-accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:

* There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.
* Spending on security helps mitigate risks whose potential costs are often difficult to quantify, which makes it difficult to justify and obtain security budgets.
* Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web applications, but there is no industry consensus or data repository on how this translates into monetary terms.
* Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.
* Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organizations that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.

Prior to releasing the survey we are asking colleagues to help us formulate the most appropriate questions. Your feedback is much appreciated. We want to use the survey answers to address the following questions and many others:



* What percentage of a Web application development group's headcount is dedicated towards security?
* How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?
* Where do Web application security budgets come from?
* How much budget is allocated towards security education?

How do the above answers correlate with:

* Company size
* Industry vertical
* Sensitivity of the underlying data
* Existence of executive level security oversight
* Role of security in the company’s software development cycle

Survey Questions
[PDF Download]

Data Collection & Distribution
For data collection, our current plan is to use the SurveyMonkey system to host the survey. We will not be collecting any publicly identifiable information including names, addresses, employer, email addresses, etc. from the respondents. While we expect a limited number of respondents to try to intentionally skew the results, we plan to take precautions to limit the potential for this while not creating unnecessary overhead. We are controlling survey access via username/password, as well as through a trusted network of contacts. All information collected will be made available in report (PDF, HTML) as well as raw (CSV, XML, etc.) form.

Project Status
1. Completing the project description text and finalizing the proposed survey questions. (DONE)

2. Open up survey to respondents (Jan 12, 2009)

3. Close survey (Feb 6, 2009 - extended from Jan 26, 2009)

4. February 6th - Survey Analysis Begins

5. February 6th-20th - Boaz Gelbord and Jeremiah Grossman to edit draft report.

6. February 20th - Decision point whether to include late submissions

7. February 20th - Circulate draft report to partners with raw data, request to keep data confidential prior to publication.

8. March 15th - Publish report after integrating partner feedback. Generate community interest and discussion around results.

9. After March 15th - Coordinate formal acceptance of deliverable by OWASP and plan further steps for the project.

Project Leadership
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be reached directly at bgelbord AT wgen.net with any questions or feedback. Jeremiah Grossman (Founder & CTO, WhiteHat Security) is also closely assisting in the effort.

Project Contributors