Category:OWASP Security Spending Benchmarks

Category:OWASP Project

About the Security Spending Benchmarks Project
Establishing a Benchmark for Security Spending in Web Application Development The OWASP project “Security Spending in Web Application Development” aims to answer the question – How many resources should be devoted to security spending in the software development life-cycle?

Overview
This project seeks to produce an industry accepted benchmark to help address the issues below. We want to quantify how many dollar and human resources should be allocated towards security in the software development life-cycle. This project is motivated by the fact that:

 There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on security in the Web application development process. Spending on security helps mitigate risks whose potential costs are difficult to quantify. This makes justifying and obtaining security budgets difficult. Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing secure Web application, but there is no industry consensus or data on how this translates into monetary terms. Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security. Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not get to charge a premium for this investment. 

Prior to releasing the survey we are asking colleagues to help formulate the right questions. Your feedback would be much appreciated. We want to use the answers to address the following questions:

 Do organizations measure software security spending separately from the rest of their development costs? How much developer time is spent on software security related activities? How much budget is allocated towards software security as a percentage of development costs?</li> Where does the software security budget come from?</li> </ul>

How do the above answers correlate with:

 Company size</li> Industry vertical</li> Sensitivity of the underlying data</li> Existence of executive level security oversight</li> Role of security in the company’s software development cycle</li> </ul>

(Proposed) 25 Survey Questions
This survey is meant to be completed out by organization who development, sell, or host Web applications. It is not intended for general software consumers. Respondents do not not need to provide any individually identifiable information and no individual answers will be published. Only aggregate reports will be published. The survey only takes about 10 minutes. Thank you very much for taking the time to complete this survey and help us better understand security spending in software development.

<ol> What is your approximate annual revenue in USD?</li> What market do you serve?</li> Where is your organization based?</li> a.	USA or Canada b.	EU c.	Asia d.	Other (please specify) What is your role within the organization?</li> a.	Developer b.	Project manager c.	Security professional d.	Finance e.	Sales f.	Marketing g.	Other (please specify)
 * 1) Under 1 million
 * 2) 1 million – 5 million
 * 3) 5 million- 25 million
 * 4) 25 million- 100 million
 * 5) Over 100 million
 * 1) Finance
 * 2) Medical
 * 3) Energy
 * 4) Government
 * 5) Education
 * 6) Professional Services
 * 7) Non-profit
 * 8) Retail
 * 9) Manufacturing
 * 10) Hospitality and Tourism
 * 11) Other (please specify)

Which of the following sensitive data types do your Web applications process? (check all that apply)</li> a.	Names, addresses, and other personal data b.	Credit card information c.	Health care related information d.	Financial account information e.	Other (please specify) Which of the following security personnel does your organization have (check all that apply)</li> a.	A Chief Information Security Officer or other dedicated security executive on the company’s executive board. b.	A senior manager or director dedicated to security c.	Network security engineers d.	Developers dedicated primarily to security e.	An Information Security Officer who also has other responsibilities. f.	None g.	Don’t know

Approximately how many developers does your organization employ?</li> What is the approximate total number of employees in your organization?</li> How much of your development is outsourced or subcontracted?</li> a.	None b.	Only minor functions c.	Some d.	Major components are outsourced e.	Most

<li>How do you review the security of outsourced or subcontracted code?</li> a.	We don’t review the security b.	We contractually require adherence to best practice c.	We specify particular security measures d.	We do a code review e.	We require an external review

<li>Do your developers undergo software security training? (please check appropriate box)</li> a.	Yes, via an external training course b.	Yes, via internal resources c.	Yes, via certifications d.	No e.	Don’t know

<li>Do you perform background checks on developers?</li> a.	Yes b.	No

<li>Do you have internal security checkpoints during the software development life-cycle?</li> a.	Yes, at every stage of the development cycle b.	Yes, during the design phase c.	Yes, during the testing phase d.	No

<li> If you answered yes to the question on internal security review, where is the organizational responsibility for this review?</li> a.	Within the development team b.	Within the QA team c.	Within a security team d.	Within the internal audit team e.	It varies f.	Don’t know

<li>Do you perform external security reviews before deploying a Web application?</li> a.	Yes b.	No

<li>If you answered yes to the question on external security reviews, how often do you engage external security firms? (check all that apply)</li> a.	Once at the design phase b.	When making important security choices c.	Ad hoc, as needed d.	Prior to release

<li>If you answered yes to the question on external security reviews, what is the approximate annual expenditure on these reviews?</li>

<li>Does the costs of these security reviews come from: (check all that apply)</li> a.	The development budget b.	The Q&A budget c.	A security budget d.	A general budget e.	It varies f.	Don’t know

<li>What percentage of your total developer’s time is directly devoted to security activities? (code reviews, meetings, etc)</li> a.	Under 2% b.	2%-5% c.	5%-10% d.	10%-15% e.	Over 15% f.	I don’t know - we don’t measure time in that way

<li>How important is software security generally to your customers?</li> a.	Extremely important b.	Very important c.	Important d.	Not very important

<li>Does your organization produce software or systems that deal primarily with:</li> a.	Highly sensitive data b.	Somewhat sensitive data c.	Not very sensitive data d.	Depends on who is deploying it

<li>How important is Web application security to your executive management?</li> a.	Absolutely critical b.	Very important, but must be balanced against tight release deadlines. c.	Somewhat important d.	Nice to have e.	Not very important

<li>Is security a part of your marketing or branding strategy for your product?</li> a.	Yes b.	No

<li>Have you suffered a significant public security incident in the last two years?</li> a.	Yes b.	No

<li> If you answered Yes to the last question, what damage resulted from this breach? (please check all that apply)</li> <li>How do you think your organization’s security spending in 2009 will change in relation to 2008? </li>

a.	We will spend more in 2009 than 2008 b.	We will spend about the same in 2009 and 2008 c.	We will spend less in 2009 than 2008 d.	We don’t know yet how much we will spend in 2009 e.	We don’t measure security spending </ol>

Project Status
Completing the project description text and finalizing the proposed 25 survey questions.

Project Contributors
The Security Spending Benchmarks Project Leader is Boaz Gelbord (Executive Director of Information Security, Wireless Generation). Boaz can be contacted reached directly at bgelbord AT wgen.net with any questions or feedback.

<ul> <li>Jeremiah Grossman (CTO, WhiteHat Security)</li> </ul>