Two weeks ago I sent out an informal email survey to several dozen people I know in the web application security professional services business: people from large and small organizations who regularly perform penetration tests, vulnerability assessments, train others in secure software development, write articles and whitepapers, release tools, etc. In short, the “experts”. The questions were intended to shed more light on the industry from those who live and breathe webappsec every day. Of the pool of 40, I received 21 responses, and the results are interesting. The data set is small, so be careful not to read too deeply into the results.
Thanks again to all those who took the time to fill out the survey. I got a lot of informative comments in addition to the answers. It would be insightful for readers to know the names and organizations of those polled, and what their comments were, but I promised not to release their personal information. They themselves, however, are more than welcome to re-post their thoughts and comments.
1) How many web application security assessments will you perform in 2006?
a) None (0%)
b) 1 - 10 (0%)
c) 10 - 25 (57%)
d) 25 - 50 (29%)
e) 50+ (14%)
2) What vulnerability reporting standard do you utilize most often?
a) Web Security Threat Classification (WASC) (14%)
b) OWASP Top Ten (0%)
c) Common Vulnerabilities and Exposures (CVE) (10%)
d) Proprietary (57%)
e) Other (19%)
3) Do you use commercial web application vulnerability scanners during security assessments?
(SPI Dynamics' WebInspect, Cenzic's Hailstorm, Watchfire's AppScan, Acunetix Web Vulnerability Scanner)
a) Never (71%)
b) Sometimes (24%)
c) 50/50 (0%)
d) Most of the time (0%)
e) Religiously (5%)
4) Average number of man-hours required to perform a thorough web application vulnerability assessment on the average commerce website?
a) None (0%)
b) 0 - 10 (5%)
c) 10 - 25 (10%)
d) 25 - 40 (0%)
e) 40+ (86%)
5) Do you recommend Web Application Firewalls?
(ModSecurity, Imperva's SecureSphere, NetContinuum's NC-1100, Citrix Application Firewall, etc.)
a) Yes (14%)
b) No (10%)
c) Sometimes (76%)
6) What do you think about the updated PCI Data Security Standard v1.1?
a) Huh? (0%)
b) It's stupid and means nothing to me (0%)
c) Step in the right direction (57%)
d) Great for the web application security industry! (0%)
e) Other (43%)
7) Checking for XSS on public websites without permission?
a) Legal (24%)
b) Legal, but unethical (19%)
c) Illegal (10%)
d) Don't know (Grey area) (48%)