Industry:GIC CISO Survey 2013
2013 Application Security Survey - Draft
Page 1. Introduction
Thank you for taking the time to participate in the second annual CISO Global Application Security Survey (GASS), created by the Open Web Application Security Project (OWASP).
There is no question that application security has become a serious concern in almost every industry. We created this survey to provide you with an opportunity to compare your organization with others on important application security issues and gain insights for making key decisions.
The GASS questionnaire consists of 23 questions concerning application security. They cover investments and challenges, threats and risks, tools and technology, and governance and control within your organization. Responding to the questionnaire should take less than 20 minutes of your time.
At the conclusion of the survey, the combined results will be made publicly available on the owasp.org website. No identifiable individual responses collected in this questionnaire will be disclosed in the published survey report.
Page 2. Instructions
All responses in this survey are optional, but for the completeness of the report, please try to respond to all questions in the questionnaire. Please feel free to add additional information and views from colleagues in your organization.
Deadline for submission of the completed survey is 31 January, 2013.
Thank you for your participation!
Page 3. Threats and Risks
1. Given the current threat landscape and economic environment, do you perceive a change in the threats facing your organization? (choose all that apply; rate each as increase / same / decrease / don't know)
External attacks or fraud (e.g., phishing, website attacks)
Internal attacks or fraud (e.g., abuse of privileges, theft of information)
No changes noted
2. Targeting (Infrastructure vs. Applications): In your current threat landscape, what are the main areas of risk for your organization? Allocate percentages that total 100%:
Infrastructure: ___ %
Application: ___ %
Other: ___ %
3. Compared to 12 months ago, do you see a change in these areas? (rate each as increase / same / decrease / don't know)
Infrastructure
Application
Other
Page 4. Threats and Risks (continued)
4. From the following list, which are the top five sources of application security risk within your organization? (Please mark your top area of risk with a "1," your second with a "2," your third with a "3," your fourth with a "4," and your fifth with a "5")
Insecure source code development
Lack of awareness of application security issues within the organization
Poor/inadequate testing methodologies
Poor change control and version control procedures
Lack of budget to support application security initiatives
Poor deployment and configuration
Programs and projects (e.g., budget overruns, delays, poor quality)
Staffing (e.g., lack of security skills within team)
Third-party suppliers and outsourcing (e.g., lack of security, lack of assurance)
Other (please specify)
5. Regarding your top five areas of application security risk (above), which of the following statements best describes your organization's planned investment in these areas in the coming 12 months? (choose one)
Increasing level of investment planned
Decreasing level of investment planned
Relatively constant level of investment planned
Page 5. Investments and Challenges
6. Which of the following statements best describes your organization's annual investment in application security? (choose one)
Increasing as a percentage of total expenditures
Decreasing as a percentage of total expenditures
Relatively constant as a percentage of total expenditures
7. Is your organization spending more on application security in response to a breach or security incident related to a web application? (choose one)
Yes
No
Page 6. Investments and Challenges (continued)
8. Please indicate your top five application security priorities for the coming 12 months from the following list. (Specify your top 5 priorities, marking your top priority with a "1," your second priority with a "2," etc.)
Application layer vulnerability management technologies and processes
Code review (static analysis of source code to find security defects)
Compliance with regulatory requirements (PCI DSS, FISMA, etc.)
Deployment of application security infrastructure (such as web application firewalls)
Recruiting and retaining qualified application security resources
Secure development lifecycle processes (e.g., secure coding, QA process)
Security assurance for cloud-based (SaaS, IaaS, PaaS, …) software purchased by your organization
Security assurance for COTS (commercial off-the-shelf) purchases by your organization
Security assurance for software developed by third parties (outsourcing)
Security awareness and training for developers
Security metrics and reporting
Security testing of applications (penetration testing)
Security testing of applications (dynamic analysis, runtime observation)
Others (please specify)
Page 7. Relevance of OWASP
9. Which of the following OWASP projects has your organization found useful? (choose all that apply; rate each as very useful / somewhat useful / not useful for us / don't know it)
AntiSamy
Application Security FAQ
Application Security Verification Standard (ASVS)
AppSensor
Cheat Sheets
CISO Guide
Code Review Guide
Development Guide
ESAPI (Enterprise Security API)
JBroFuzz
Legal Project
LiveCD/WTE
ModSecurity Core Rule Set
O2
OWASP Top 10
Ruby on Rails Security Guide
Secure Coding Practices Quick Reference
Software Assurance Maturity Model (OpenSAMM)
Testing Guide
WebGoat
WebScarab
None. I am not familiar with any OWASP projects.
Other (please explain)
Page 8. Relevance of OWASP (continued)
10. What is the level of significance of OWASP guidance, books and white papers within your organization?
(Scale of 1-5, where 1 is "least significant" and 5 is "most significant")
Awareness material (e.g., Top 10)
Application development policy
Code development guidelines
Reference to leading practice
Testing methodologies
Page 9. Challenges for Application Security
11. What is the level of challenge related to effectively delivering your organization's application security initiatives for each of the following?
(Scale of 1-5, where 1 is "not a challenge" and 5 is "significant challenge")
Adequate budget
Availability of skilled resources
Business uncertainty
Justifying business case
Conflicting business requirements
Emerging technologies (e.g., application vulnerability scanners, web application firewalls)
Level of security awareness by the developers
Management awareness and sponsorship
Organizational change
Regulatory change or uncertainty
Others (please specify)
Page 10. Tools and Technology
12. Does your organization use any specific technology tools to support the application security management process?
Yes
No
13. Which of the following technology tools does your organization use? (choose all that apply)
Web application firewalls
Source code analyzers (e.g., Fortify SCA, IBM AppScan Source Edition)
Runtime analyzers (e.g., Fortify PTA)
SaaS web application vulnerability scanners (e.g., WhiteHat Sentinel, Qualys WAS)
Desktop web application vulnerability scanners (e.g., Acunetix, IBM AppScan, HP WebInspect, Burp Scanner, Nessus)
Other (please specify)
14. Which of the following have been implemented or are planned to be implemented by your organization to provide application security capability? (choose all that apply; for each, indicate: currently implemented / planned within 12-18 months / no plans to implement)
Web application firewalls
Source code analyzers
Runtime analyzers
SaaS web application vulnerability scanners
Desktop web application vulnerability scanners
Other (please specify below)
Page 11. Tools and Technology (continued)
15. What types of security testing (e.g., penetration testing) will be performed at your organization over the next year? (choose all that apply)
Application layer focused attack and penetration
Application layer focused scanning
Application security code reviews
Application configuration reviews
External network attack and penetration
External network vulnerability scanning
Host-based configuration reviews
Internal network attack and penetration
Internal network vulnerability scanning
Phishing-based social engineering assessments
Phone-based social engineering assessments
Physical social engineering assessments
Wireless network attack and penetration
Other (please specify)
Page 12. Governance and Control
16. Does your organization have a documented application security strategy?
Yes
No
17. How far ahead does this application security strategy plan? (choose one)
3 months
6 months
1 year
2 years
3 years
5 years or more
18. Your application security strategy: (choose all that apply)
...has been reviewed and updated within the past 12 months
...is aligned with, or integrated into, the organization's business strategy
...is aligned with, or integrated into, the organization's IT strategy
...outlines our key security activities for the next 12 months
Page 13. Governance and Control (continued)
19. Which of the following statements best describes your organization's application security strategy with regard to the risks associated with the increased use of social networking, personal devices, or cloud computing? (choose one)
Our current application security strategy adequately addresses the risks
We need to modify our strategy to address the new risks
We need to investigate further to understand the risks
We do not see any new or increased risks associated with these technologies
20. Has your organization implemented an Application Security Management System (ASMS) or maturity model (e.g., OWASP SAMM) that covers the overall management of application security? (choose one)
Yes, implemented and formally certified/verified by a third party
Yes, without verification
Yes, currently in the process of implementing
No, but considering it
No, and not considering it
Page 14. Governance and Control (continued)
21. From the following list of application security standards or frameworks, which are used by your organization? (choose all that apply)
BSIMM
Capability Maturity Model Integration (CMMI)
CLASP
COBIT
COSO
Information Security Forum (ISF) Standard of Good Practice
Information Technology Infrastructure Library (ITIL)
ISO/IEC 27001:2005 / 27002:2005
Microsoft SDL
NIST handbooks (e.g., the "800 Series")
OCTAVE
OWASP SAMM
PCI DSS
Other (please specify)
Page 15. Governance and Control (continued)
22. How does your organization assess the quality and effectiveness of application security? (choose all that apply)
Internal self-assessments by the IT or application security function
Assessments performed by another internal function
Assessment by an external party/third party
Formal certification to external security standards
Formal certification to industry security standards (e.g., Payment Card Industry Data Security Standard)
Code review and metrics
No assessments performed
23. How do you verify that your external partners, service providers or contractors are protecting your organization's information from an application security standpoint? (choose all that apply)
Assessments performed by your organization's application security, procurement or internal audit function (e.g., site visits, security testing)
Independent external assessments of partners, vendors or contractors
Self-assessments or other certifications performed by partners, vendors or contractors
No reviews or assessments performed
Page 17. Wishes and Suggestions
And last but not least, your feedback is very important to us, and the community is continuously striving to improve. If you could wish freely, what kind of OWASP project, guidance or tool would you like to see in the future that could really improve your daily work around web and application security?
Page 18. This Completes the Survey
This completes the survey. We would appreciate a few personal and professional details so that we can better relate the data to industry and type of organization. This will also give you an opportunity to leave your contact information if you would like us to follow up with you regarding the survey results. Once again, all responses are optional.
Yes, I am willing to take a couple more minutes to assist with survey benchmarking.
No, I prefer to exit the survey at this point.
Page 19. Optional: Participant Information
Name of person completing survey: (optional)
Email address: (optional)
Title of person completing survey: (choose one)
Chief Operating Officer
Chief Information Officer
Chief Application Security Officer
Chief Security Officer
Chief Privacy Officer
Chief Compliance Officer
Chief Technology Officer
Chief Risk Officer
Business Unit Executive/Vice President
Information Technology Executive
Application Security Executive
Network/System Administrator
Internal Audit Director/Manager
Other: (please specify)
Page 20. Organization Information
Organization name: (optional)
Country:
Ownership: (choose one)
Public - traded on a stock exchange
Private - not traded on a stock exchange
Government or non-profit
Total number of employees: (choose one)
Less than 1,000
1,000 to 9,999
10,000 to 49,999
50,000 to 100,000
More than 100,000
Annual revenue (in USD): (choose one)
Less than $100 million
$100 million to $249 million
$250 million to $499 million
$500 million to $999 million
$1 billion to $9 billion
$10 billion to $24 billion
More than $24 billion
Not applicable
Industry: (choose one)
Aerospace and Defense
Airlines
Asset Management
Automotive
Banking & Capital Markets
Chemicals
Consumer Products
Government & Public Sector
Insurance
Media & Entertainment
Mining & Metals
Oil & Gas
Power & Utilities
Professional Firms & Services
Real Estate
Retail & Wholesale
Technology
Telecommunications
Transportation
Other: (please specify)
Page 21. Thank You
Thank you again for your time and consideration in completing this survey. Please contact Tobias Gondrom at email@example.com with any questions or comments regarding the contents of this survey.