[WEB SECURITY] *Results* Web Application Security Professionals Survey (Dec. 2006)

Jeremiah Grossman jeremiah at whitehatsec.com
Thu Dec 14 15:26:47 EST 2006


Results have been posted.
http://jeremiahgrossman.blogspot.com/2006/12/web-application-security-professionals.html

Once again a great survey turn out. A total of 63 respondents. Thank
you everyone who responded and those who helped me out with the
questions. We didn't reach my 100 prediction, but that's OK because
I'm not very good at those anyway. :) We'll try to get there in January.

Regards,

Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
http://www.whitehatsec.com/


On Dec 6, 2006, at 11:02 AM, Jeremiah Grossman wrote:

> It's been a month already since the last survey. In November we got
> a great turn out doubling the response from October. Maybe this
> time we'll reach 100 respondents. Anyway...
>
> If you perform web application vulnerability assessments, whether  
> personally or professionally, this survey is for you. 15 multiple  
> choice questions designed to help us understand more about the  
> industry in which we work. Most of us in InfoSec dislike taking  
> surveys, however the more people who respond the more informative  
> the data will be. So far the information collected has been really  
> popular and insightful. And a lot of people helped out with the  
> formation of these questions.
>
> [1] Nov. 2006
> http://jeremiahgrossman.blogspot.com/2006/11/web-application-security-professionals.html
>
> [2] Oct. 2006
> http://jeremiahgrossman.blogspot.com/2006/10/web-application-security-professionals.html
>
>
> Blogged: http://jeremiahgrossman.blogspot.com/2006/12/web-application-security-professionals.html
>
> ================================================================
> Guidelines:
> - Open to those who perform web application vulnerability  
> assessments/pen-tests
> - Email results to jeremiah __at__ whitehatsec.com (No need to Cc  
> the mailing list)
> - To curb fake submissions please use your real name, preferably  
> from your employers domain.
> - Submissions must be received by December 14.
>
> Notice: Results based on data collected will be published.
>
> Privacy Policy: Absolutely no names or contact information will be
> released to anyone. Though feel free to self publish your answers (blogs).
> ================================================================
>
> Questions:
>
> 1) What type of organization do you work for?
>             a) Security vendor / consultant
>             b) Enterprise
>             c) Government
>             d) Educational institution
>             e) Other (please specify)
>
> 2) What portion of your job is dedicated to web application  
> security (as opposed to development, general security, incident  
> response, etc)?
> 	a) All or almost all
> 	b) About half
> 	c) Some
> 	d) None
>
> 3) How many years have you been working in the web application  
> security field?
> 	a) Less than a year
> 	b) 1 - 2
> 	c) 2 - 4
> 	d) 4 - 6
> 	e) 6+
>
> 4) In your experience, what's the primary reason why organizations  
> have web application vulnerability assessments performed?
>             a) To measure how secure they are, or not
>             b) Industry regulation and/or compliance
>             c) Customers or partners ask for independent third-party validation
>             d) No idea
>             e) Other (please specify)
>
> 5) How often should web applications be assessed for vulnerabilities?
>             a) After every code change
>             b) Annually
>             c) Quarterly
>             d) Before the auditors arrive
>             e) Other (please specify)
>
> 6) How many web application vulnerability assessments have you  
> personally conducted this year (2006)?
>             a) None
>             b) 1 - 20
>             c) 20 - 40
>             d) 40 - 60
>             e) 60+
>
> 7) How many man-hours does it take you to complete a web  
> application vulnerability assessment on the average website?
>             a) None
>             b) 0 - 20
>             c) 20 - 40
>             d) 60 - 80
>             e) 80+
>
> Please ONLY answer ONE of the two following questions (#8 and #9)
> Commercial Vulnerability Scanners:  (Acunetix, Cenzic, Fortify,  
> NTOBJECTives, Ounce Labs, Secure Software, SPI Dynamic, Watchfire,  
> etc.)
>
> 8) If commercial vulnerability scanners ARE part of your tool  
> chest, how much of your preferred assessment methodology do they  
> complete?
> 	a) All or almost all
> 	b) Most of it
> 	c) About half
> 	d) A little bit
> 	e) Not much
>
> 9) If commercial vulnerability scanners are NOT part of your tool
> chest, why not?
> 	a) Too many false positives
> 	b) Too expensive
> 	c) Faster to do assessments by hand
> 	d) Some combination of a, b, and c
> 	e) Haven't tried any of them
> 	f) Other (please specify)
>
> 10) How often do you encounter web application firewalls blocking  
> your attacks during a vulnerability assessment?
> 	a) A lot
> 	b) About half of the time
> 	c) Sometimes
> 	d) Never, or almost never
> 	e) Hard to tell
>
> 11) While performing web application vulnerability assessment, how  
> often do you encounter websites requiring multi-factor  
> authentication? (Hardware token, software token, secret questions,  
> one-time passwords, etc.)
> 	a) A lot
> 	b) About half of the time
> 	c) Sometimes
> 	d) Never, or almost never
> 	e) Hard to tell
>
> 12) If you find a vulnerability in a website you don't have written  
> permission to test, what do you do with the data MOST of the time?
> 	a) Post it to sla.ckers.org (full-disclosure)
> 	b) Inform the website administrators (responsible disclosure)
> 	c) Keep it to yourself, no sense risking jail or lawsuits
> 	d) Sell it
> 	e) Other (please specify)
>
> 12) How has the security of the average website changed this year  
> (2006) vs. last year (2005)?
> 	a) Way more secure
> 	b) Slightly more secure
> 	c) Same
> 	d) Worse
> 	e) No idea
>
> 13) What do you think of RSnake's XSS cheat sheet?
> http://ha.ckers.org/xss.html
> 	a) It rocks!
> 	b) I like it
> 	c) It has the basics, but there are more options
> 	d) Lame
> 	e) Never heard of it
>
> 14) Do you surf the Web with JavaScript turned off?
> 	a) Yes
> 	b) Sometimes
> 	c) No
> 	d) Only when clicking on links from Jeremiah
>
> 15) What operating system are you using to answer this question?
> 	a) Windows
> 	b) OS X
> 	c) Linux
> 	d) BSD
> 	e) Other (please specify)
>
> BONUS
> 16) The most valuable web application security tip/trick/idea/concept/hack/etc
> you learned this year (2006)? List just 1 thing.
> *Full list will be published*
>


----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]