[WEB SECURITY] Web Application Security Professionals Survey (May 2007)
Jeremiah Grossman
jeremiah at whitehatsec.com
Mon May 7 13:23:34 EDT 2007
blogged:
http://jeremiahgrossman.blogspot.com/2007/05/web-application-security-professionals.html
Several people have asked where the surveys have gone to in the past
several months. The answer is that I've been amazingly busy the last
couple of months and simply haven't had the time. The survey helps us
learn more about the web application security industry and the
community participants. We attempt to expose various aspects of web
application security we previously didn't know, understand, or fully
appreciate. From time to time I'll repeat some questions to
develop trends. And as always, the more people who submit data, the
more representative the results will be. Please feel free to forward this
email along to anyone that might not have seen it.
Guidelines
- Survey is open to anyone working in or around the web application
security field
- Answer the questions in-line and if a question doesn’t apply to
you, leave it blank
- Comments in relation to any question are welcome. If they are good,
they may be published
- Email results to jeremiah __at__ whitehatsec.com
- To curb fake submissions please use your real name, preferably from
your employer's domain
- Submissions must be received by May 14, 2007
Publishing & Privacy Policy
- Results based on aggregate data collected will be published
- Absolutely no names or contact information will be released to
anyone, though feel free to self publish your answers anywhere
Last Survey Results January 2007:
http://jeremiahgrossman.blogspot.com/2007/01/web-application-security-professionals.html
Questions
1) What type of organization do you work for?
a) Security vendor / consultant
b) E-Commerce
c) Healthcare
d) Financial
e) Government
f) Educational institution
g) Other (please specify)
2) From your experience, how many web developers "get" web
application security?
a) All or almost all
b) Most
c) About half
d) Some
e) None or very few
3) What is your technical understanding of DNS-Pinning and Anti-DNS-
Pinning?
a) Strong
b) Some familiarity
c) I've heard of these
d) Eh?
4) Do you click on links sent in email?
a) Never
b) Sometimes
c) Always, I fear no link
5) Your recommendation about using web application firewalls?
a) Two thumbs up
b) One thumb up
c) Thumbs down
d) Profane gesture
e) No Answer
6) From your experience, what is the typical risk level of Response
Splitting exploitability?
a) High
b) Medium
c) Low
7) How has the security of the average website changed in the last 12
months?
(Take into consideration new attack techniques and defense measures)
a) Way more secure
b) Slightly more secure
c) Same
d) Worse
e) No idea
8) Do you plan to attend BlackHat Vegas or Defcon this year?
a) Yes
b) No
c) Maybe
9) Are hacking contests, like Hack a Mac at CanSecWest, a good idea
security-wise for the industry?
a) Yes
b) No
c) Somewhere in between (please describe: 1-2 sentences)
10) What is your stage of web application security grief?
(http://jeremiahgrossman.blogspot.com/2007/03/5-stages-of-web-application-security.html)
a) Denial
b) Anger
c) Bargaining
d) Depression
e) Acceptance
11) What is the most secure website industry vertical you encounter
during vulnerability assessments?
a) Financial
b) E-Commerce
c) Healthcare
d) Government
e) Adult Entertainment
f) Gaming/Gambling
g) Don't know
h) Other (please specify)
12) From your experience, what development technology is present in
the most secure websites?
a) PHP
b) Java
c) ASP Classic
d) .Net
e) Cold Fusion
f) Perl
g) Don't know
h) Other (please specify)