Web Application Security Professionals Survey (Dec. 2006)

Jeremiah Grossman
Dec 6 2006

It's been a month already since the last survey. In November we got a
great turnout, doubling the response from October. Maybe this time
we'll reach 100 respondents. Anyway...

If you perform web application vulnerability assessments, whether
personally or professionally, this survey is for you. It is 15 multiple-choice
questions designed to help us understand more about the industry in which
we work. Most of us in InfoSec dislike taking surveys; however, the more
people who respond, the more informative the data will be. So far the
information collected has been really popular and insightful, and a lot of
people helped out with the formation of these questions.

[1] Nov. 2006

[2] Oct. 2006

Blogged: http://jeremiahgrossman.blogspot.com/2006/12/web-application- 

- Open to those who perform web application vulnerability assessments/ 
- Email results to jeremiah __at__ whitehatsec.com (No need to Cc the  
mailing list)
- To curb fake submissions please use your real name, preferably from
your employer's domain.
- Submissions must be received by December 14.

Notice: Results based on data collected will be published.

Privacy Policy: Absolutely no names or contact information will be
released to anyone. Though feel free to self-publish your answers (blogs).


1) What type of organization do you work for?
	a) Security vendor / consultant
	b) Enterprise
	c) Government
	d) Educational institution
	e) Other (please specify)

2) What portion of your job is dedicated to web application security
(as opposed to development, general security, incident response, etc.)?
	a) All or almost all
	b) About half
	c) Some
	d) None

3) How many years have you been working in the web application  
security field?
	a) Less than a year
	b) 1 - 2
	c) 2 - 4
	d) 4 - 6
	e) 6+

4) In your experience, what's the primary reason why organizations  
have web application vulnerability assessments performed?
	a) To measure how secure they are, or not
	b) Industry regulation and/or compliance
	c) Customers or partners ask for independent third-party
	d) No idea
	e) Other (please specify)

5) How often should web applications be assessed for vulnerabilities?
	a) After every code change
	b) Annually
	c) Quarterly
	d) Before the auditors arrive
	e) Other (please specify)

6) How many web application vulnerability assessments have you  
personally conducted this year (2006)?
	a) None
	b) 1 - 20
	c) 20 - 40
	d) 40 - 60
	e) 60+

7) How many man-hours does it take you to complete a web application  
vulnerability assessment on the average website?
	a) None
	b) 0 - 20
	c) 20 - 40
	d) 60 - 80
	e) 80+

Please ONLY answer ONE of the two following questions (#8 and #9).
Commercial Vulnerability Scanners: (Acunetix, Cenzic, Fortify,
NT OBJECTives, Ounce Labs, Secure Software, SPI Dynamics, Watchfire, etc.)

8) If commercial vulnerability scanners ARE part of your tool chest,  
how much of your preferred assessment methodology do they complete?
	a) All or almost all
	b) Most of it
	c) About half
	d) A little bit
	e) Not much

9) If commercial vulnerability scanners are NOT part of your tool
chest, why not?
	a) Too many false positives
	b) Too expensive
	c) Faster to do assessments by hand
	d) Some combination of a, b, and c
	e) Haven't tried any of them
	f) Other (please specify)

10) How often do you encounter web application firewalls blocking  
your attacks during a vulnerability assessment?
	a) A lot
	b) About half of the time
	c) Sometimes
	d) Never, or almost never
	e) Hard to tell

11) While performing web application vulnerability assessment, how  
often do you encounter websites requiring multi-factor  
authentication? (Hardware token, software token, secret questions,  
one-time passwords, etc.)
	a) A lot
	b) About half of the time
	c) Sometimes
	d) Never, or almost never
	e) Hard to tell

12) If you find a vulnerability in a website you don't have written  
permission to test, what do you do with the data MOST of the time?
	a) Post it to sla.ckers.org (full-disclosure)
	b) Inform the website administrators (responsible disclosure)
	c) Keep it to yourself, no sense risking jail or lawsuits
	d) Sell it
	e) Other (please specify)

12) How has the security of the average website changed this year  
(2006) vs. last year (2005)?
	a) Way more secure
	b) Slightly more secure
	c) Same
	d) Worse
	e) No idea

13) What do you think of RSnake's XSS cheat sheet?
	a) It rocks!
	b) I like it
	c) It has the basics, but there are more options
	d) Lame
	e) Never heard of it

14) Do you surf the Web with JavaScript turned off?
	a) Yes
	b) Sometimes
	c) No
	d) Only when clicking on links from Jeremiah

15) What operating system are you using to answer this question?
	a) Windows
	b) OS X
	c) Linux
	d) BSD
	e) Other (please specify)

16) What is the most valuable web application security tip/trick/idea/concept/hack/etc.
you learned this year (2006)? List just 1 thing. *Full list
will be published*