Friday, July 25, 2008

Results: Web Application Security Professionals Survey (July 2008)

The survey concluded this morning with a simply amazing turnout! A total of 340 respondents -- well over double the previous. Thank you to everyone who helped get the word out and of course to those taking the time to fill out the form. This information is invaluable. Since there were so many responses, and hence comments, I’m only able to post the report graphs below. The full report containing all the comments, probably the best part, is available for download (xls). The upside of so much data is I was also able to run reports on people classifying themselves as “Security vendor / consultant”, “Enterprise security professional”, and “Developers” individually to see how they differed, if at all. If you want the entire package of reports, here ya go. Big hat tip to Robert “RSnake” Hansen for the bandwidth.

And now for my interpretation of the results…

Question #1 – 3
Shows that we have a nicely diverse set of individuals with varying backgrounds and years of experience. It looks like I should have had more granular answer options for Q2 though, note for next time.

Question #4
In the matter of browser security I figured just about everyone is using something above and beyond a default install, which is just plain crazy nowadays, and the results confirmed it. What astonished me though is the percentage of people across the range using virtualization, roughly 25%! Think about this. 1 in 4 web security people assume their browser and/or OS has a high likelihood of getting owned. Military intelligence, congressional ethics, browser security.

Question #5
In retrospect I should have asked a better PCI-DSS related question; the answers were unsurprising. People in certain business sectors were influenced by PCI-DSS when it applied to them and they weren’t when it didn’t. What I really want to know is what ARE the driving factors behind why organizations are investing in web application security. I’ll try to figure out a better way to get to that answer set.

Question #6
These answers I found to be really interesting because they were split roughly down the middle and the comments were all over the map. Clearly there is no widely accepted view of what security means in the Web 2.0 software development era. We’re still trying to figure things out and convince ourselves that we have the right answer. Or that someone does. I think there is a lot still to be learned in this particular area and I plan to ask more questions on the topic going forward. This also might be an area where we should bring individual experts and practitioners together to discuss the various issues.

Question #7
I purposely kept the term “vulnerability scanner” vague to see how they performed as an entire category. It doesn’t appear that vulnerability scanners have improved much, or at least people’s impressions of them haven’t, since the last survey. They performed dismally in Web 2.0 technologies including Ajax, Flash, and Web services. What surprised me is how well the scanners performed in the persistent XSS category, on par with the non-persistent. I can’t say I agree, but it is what it is. Could be an artifact that people don’t understand the difference and figure if the tool didn’t find it that it’s not there. The other interesting thing is that developers have a better opinion of scanners than security vendors and enterprise professionals.

I plan on digging into this area even more in the future, separating out scanner types, asking for product names, and overall impressions.

Question #8
I was fairly impressed with these results. 1/3 of the respondents said they’d either recommend a WAF, already have a WAF, or had a WAF on the road map. Then half of everyone said they were “Skeptical, but open minded” as compared to a sparse 15% expressing a level of negativity. This should be a huge market indicator for WAF vendors, industry analysts, VARs, and systems integrators. That 50% category represents a huge opportunity to demonstrate a WAF’s value and long-term viability. In the next year we’ll know which way the trend is heading.

Question #9
C’mon, I had to poke a little fun at RSnake. I mean you gotta know web security is becoming mainstream when you can’t automatically win an online Chihuahua beauty contest poll in Austin without getting out-haxored at the last second. ;)

Question #10
OK, that settles it. Web security people have little to no respect for McAfee’s HackerSafe brand and even that’s putting it mildly if you read the comments. I was confused on what the large “other” responses wanted for an option though. There is also a quite unnerving statistic with developers as their answers were split in thirds. Could it be that 1/3 of developers believe HackerSafe means security?

Question #11
And there we have it, web security people don’t trust Google, roughly 75% of them anyway. The kicker is most still use them in some way or form anyway. Maybe in many ways we are just like the average user. We’ll tend to sacrifice security for convenience just like they do.

Question #12
Some like the idea, some hate it, and others have a love-hate relationship. Either way it appears there are enough people interested in a certification that it’s time for someone to do it and do it well. Sooner or later there will be 1 or perhaps 2 industry acceptable certifications. Who will it be!? Probably the first one to do it right will.

Question #13
The answers were all over the map and I don’t think I asked this question in the best way. Still, the majority of C-level executives are at least giving the web security problem a good look. What I’d really like to know, similar to question #5, is what exactly is causing people to care and dedicate more resources. Maybe it’s an incident, industry regulation, keeping up with the Joneses, who knows! I aim to find out.

Question #14
80% of us figured the industry noise was tolerable or we’ve become numb to it. The rest, well, they are not long for the industry anyway. You must get used to it or you’ll go crazy; maybe some of us already have.

Question #15
Who’s winning? Few think it’s the good guys. What more can we say here but that this is really sad and we have our work cut out for us.

Question #16
The forced ranked list. Some were close in the center, but this is what we got. Awareness is still a HUGE issue and I tend to agree.

1) General awareness and education
2) Implementation of security inside the SDLC
3) Source code analysis
4) Black-box vulnerability assessment / pen-testing
5) Web application firewalls
6) Enforcing industry regulation

Question #17
Read the comments, it’s worth it. :)

Yousif Yalda said...

I don't see my comment about HackerSafe on there, why'd you remove it?

Christian "@xntrik" Frichot said...

Interesting comments with regard to the take up of PCI in Australia. Not surprising though :)

dre said...

@ christian:

yes, the comments on the PCI-DSS question, especially EU and AU -- were very interesting.

i was also interested in the comment: "We (a University) don't seem to know/care about PCI-DSS. We use a third-party product for accepting payments by card."

certainly universities have to deal with audits -- GLBA if not PCI-DSS. state-funded colleges have audits performed by the state government, usually via performance audits from the office of an auditor general. i'd be curious to hear more from this particular commenter.

in the "agile vs. web 2.0" question (these probably should have been separate questions), about 4 of the people who commented thought that agile was something negative towards security. the other 50 or so thought that agile was positive.

Anonymous said...

Safe for hackers! Ha ha, love it

Anonymous said...

Seems to be a small mistake in the image for #16, column 6 has two bold entries while column 5 has none.

Anonymous said...

haha... great comment.. this is great for hackers

Anonymous said...

I think the bold just means the highest count for that row. So in a forced ranking question, 2 different rows can have the same option as their most common choice.