Transcript of OWASP Security Spending Benchmarks Report
OWASP Security Spending Benchmarks Report
Boaz Gelbord
Executive Director of Information Security, Wireless Generation
Project Leader, OWASP Security Spending Benchmarks Project
Personal Ruminations on Info Security: www.boazgelbord.com
OWASP AppSec DC Nov 13th, 2009
A quick straw poll...
Does it cost more to produce a secure product than an insecure product?
The correct answer is YES
One More Question...
Do any of you not shop somewhere/not go to a hospital/not enroll in a university because they have had a data breach?
The correct answer is NO (even if you think it is YES)
Hmmm...
So why do we spend on security?
And how much should we be spending?
Security imposes extra costs on organizations.
The “security tax” is relatively well known for network and IT security - 5 to 10% (years of Gartner, Forrester, and other studies).
No comparable data for development or web apps.
Regulations and contracts usually require “reasonable measures”. What does that mean?
OWASP Security Spending Benchmarks Project
20 partner organizations, many contributors.
Open process and participation.
Raw data available to community.
Reasons For Investing in Security
• Contractual and Regulatory Compliance
• Legal and Regulatory Compliance
• Cost of Entry
• Competitive Advantage
• Incident Prevention, Risk Mitigation

Technical and Procedural Principles
• Business-need access
• Minimization of sensitive data use
• Security in Design and Development
• Auditing and Monitoring
• Defense in Depth

Specific Activities and Projects
• DLP-Type Systems
• Internal Configurations Management
• Credential Mgmt
• Security in Development
• Locking down internal permissions
• Secure Data Exchange
• Network Security
• Security Policy and Training
• Managed and Documented Systems
• App Security Programs
The 10000’ View For Most Organizations
Legal and Regulatory Compliance
Cost of Entry
Competitive Advantage
Incident Prevention, Risk Mitigation
Because We Have To
Because This is What Everyone Else Does
Really?
Regs are Not App Sec Friendly...
Regulations, contracts, and RFPs are usually based on the notion of “reasonable effort” - state regulations, HIPAA, FTC, SEC, Red Flags Rule.
When regulations do get technical, they focus on old school security fetishes like firewalls, SSL, encryption, biometric passes in server rooms.
A Few Examples
PCI Prioritized Approach
Massachusetts 201 CMR 17.00
The encryption exemption in state data breach notification laws
HIPAA Notification Form
Recent SEC Action
Most of the contracts/RFPs/Vendor security whitepapers I have seen...
A Real World Example of Where Your PII Lives...
Small company with a few dozen employees sells widgets over the Internet.
They pay an outsourced team to develop a Joomla/Drupal/whatever site to build a widget-lovers community where users can connect. All sorts of PII involved in the app.
They deploy their site on a shared hosting/VPS model and basically only interact with the app from a web admin interface.
They know a bit about the technical details of their app, but not much. In fact, no web developers were really involved in building or deploying the app.
Here is What Company A Did...
Asked their developer team in India to develop code securely. Referenced OWASP Top 10 or similar list.
Told their development team that services and database users needed to run with minimum privilege. Dev team balked. Company A agreed to pay a bit extra.
Did a bit of reading on best practices for Joomla/Drupal/whatever security and tried to implement as much of this as possible. Maybe even hired someone to lock down their server.
Configured their servers so admin interfaces are only available from their IP range.
And Here is What Company B Did...
Installed anti-virus on all employee machines.
Bought a firewall for the corporate network.
Maybe even got two-factor tokens for network access.
Made sure everything is going over SSL everywhere.
Put a biometric reader on the entrance to the local data center.
Encrypted all laptops.
One more poll question...
Which company is more likely to be in compliance with state laws and other regulations?
The correct answer is Company B
And one final question...
Which company is more likely to suffer a data breach?
The correct answer is Company B
So the only thing left to finance your app sec program is the “reasonable spend” argument...
As a community we need to get some consensus on what constitutes reasonable spend...
First survey focussed on general web application spending.
Second survey focussed on cloud computing.
Responses currently being gathered for third survey.
Approximately 50 companies profiled in each case.
We do not collect IP addresses
Most of the partners are security vendors
Relatively small respondent base
Meant to stimulate a discussion on security spending benchmarks.
[Chart: Number of Employees; buckets: 1-10, 10-100, 100-500, 500-1000, 1000-5000, 5000-50000, over 50000]
[Chart: Annual Revenue; buckets: under 1 million, 1-5 million, 5-25 million, 25-100 million, 100-500 million, 500 million to 1 billion, over 1 billion, don’t know]
[Chart: Percentage of Development Headcount Spent On Security; buckets: < 2%, 2%-5%, 5%-10%, 10%-15%, > 15%, don’t know]
[Chart: Percentage of IT Budget on Web App Security; buckets: 1-5%, 5-10%, 10-20%, 20-50%, over 50%, don’t know]
[Chart: Security Checkpoints; categories: every stage, design phase, testing phase, in production, ad hoc, never, don’t know]
[Chart: Organizational Responsibility For Security Reviews; categories: development, QA, IT security, internal audit, varies, don’t know]
[Chart: Personnel; categories: CISO/Executive, Senior Security Manager/Director, network security engineers, developer dedicated to security, QA tester dedicated to security, ISO with other responsibilities, none]
[Chart: Provide developers with training; categories: via an external training course, via internal resources, no, don’t know]
[Chart: Budget for training costs; categories: development, QA, IT security, general fund, varies, don’t know]
Percentage of Applications Organizations Defend with Web Application Firewalls
All or Almost All: 17%
Most: 15%
About Half: 7%
Some: 7%
None: 37%
Don’t Know: 17%
[Chart: Third Party Security Reviews; categories: before deployment, testing phase, design phase, periodic review, when requested by customer, never, don’t know]
[Chart: Ways of Reviewing Outsourced Code; categories: don’t review, contractual, internal security review, 3rd party review, N/A, don’t know]
Organizations that have suffered a public data breach spend more on security in the development process than those that have not.
Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.
Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.
At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).
Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.
IaaS
Significant Use: 5%
Moderate Use: 18%
Don’t Know: 2%
Not Using but Planned: 7%
Not Using but Investigating: 27%
Not Using and Not Investigating: 41%
PaaS
Significant Use: 5%
Moderate Use: 18%
Don’t Know: 2%
Not Using but Planned: 7%
Not Using but Investigating: 27%
Not Using and Not Investigating: 41%
SaaS
Significant Use: 14%
Moderate Use: 40%
Don’t Know: 9%
Not Using but Investigating: 19%
Not Using and Not Investigating: 19%
SaaS - Spending Changes on Network Security
Up More Than 20%: 4%
Up Between 10-20%: 4%
Up or Down <10%: 53%
Don’t Know, N/A: 39%
SaaS Spending Changes - Third Party Security Reviews
Up More Than 20%: 4%
Up Between 10-20%: 26%
Up or Down <10%: 39%
Down Between 10-20%: 4%
Don’t Know, N/A: 26%
SaaS Spending Changes - Security Personnel
Up or Down <10%: 56%
Down Between 10-20%: 9%
Don’t Know, N/A: 35%
SaaS Spending Changes - Identity Management
Up Between 10-20%: 9%
Up or Down <10%: 48%
Down Between 10-20%: 9%
Don’t Know, N/A: 35%
[Chart: Inquire About Issue With Third Party; issues: Compliance, Data Location, Data Segregation, Encryption, Disaster Recovery, Internal Security Policies; series: Yes, Yes - Require Documentation]
[Chart: Concerns with Cloud Computing, by IaaS / PaaS / SaaS; concerns: No Concerns, Doesn’t Make Business Sense, Reliability, SLA, and Availability, Legal and Compliance Concerns, Getting Locked Into Provider, Risk of Undetected Data Breach, Risk of Public Data Breach]
[Chart: Level of Understanding Cloud Computing, for SOX, US State Regulations, HIPAA, PCI; levels: Low Understanding, Medium Understanding, High Understanding, Don’t Know or N/A]
Cloud Summary
• Software-as-a-Service is in much greater use than Infrastructure-as-a-Service or Platform-as-a-Service.
• Security spending does not change significantly as a result of cloud computing.
• Organizations are not doing their homework when it comes to cloud security.
• The risk of an undetected data breach is the greatest concern with using cloud computing, closely followed by the risk of a public data breach.
• Compliance and standards requirements related to cloud computing are not well understood.
Currently collecting responses for the third survey.
Partners assist in promoting survey, analyzing results, and providing strategic input.
Current status of project can always be found on OWASP website.
New partners are always welcome.