
[WEB SECURITY] Web Application Security Professionals Survey (May 2007)



blogged:
http://jeremiahgrossman.blogspot.com/2007/05/web-application-security-professionals.html



Several people have asked where the surveys have gone to in the past several months. The answer is that I've been amazingly busy the last couple of months and simply haven't had the time. The survey helps us learn more about the web application security industry and the community participants. We attempt to expose various aspects of web application security we previously didn't know, understand, or fully appreciate. From time to time I'll repeat some questions to develop trends. And as always, the more people who submit data, the more representative the results will be. Please feel free to forward this email along to anyone that might not have seen it.


Guidelines
- Survey is open to anyone working in or around the web application security field
- Answer the questions in-line and if a question doesn’t apply to you, leave it blank
- Comments in relation to any question are welcome. If they are good, they may be published
- Email results to jeremiah __at__ whitehatsec.com
- To curb fake submissions please use your real name, preferably from your employer's domain
- Submissions must be received by May 14, 2007


Publishing & Privacy Policy
- Results based on aggregate data collected will be published
- Absolutely no names or contact information will be released to anyone, though feel free to self publish your answers anywhere


Last Survey Results January 2007:
http://jeremiahgrossman.blogspot.com/2007/01/web-application-security-professionals.html


Questions

1) What type of organization do you work for?
a) Security vendor / consultant
b) E-Commerce
c) Healthcare
d) Financial
e) Government
f) Educational institution
g) Other (please specify)

2) From your experience, how many web developers "get" web application security?
a) All or almost all
b) Most
c) About half
d) Some
e) None or very few


3) What is your technical understanding of DNS-Pinning and Anti-DNS-Pinning?
a) Strong
b) Some familiarity
c) I've heard of these
d) Eh?


4) Do you click on links sent in email?
a) Never
b) Sometimes
c) Always, I fear no link

5) Your recommendation about using web application firewalls?
a) Two thumbs up
b) One thumb up
c) Thumbs down
d) Profane gesture
e) No Answer

6) From your experience, what is the typical risk level of Response Splitting exploitability?
a) High
b) Medium
c) Low


7) How has the security of the average website changed in the last 12 months?
(Take into consideration new attack techniques and defense measures)
a) Way more secure
b) Slightly more secure
c) Same
d) Worse
e) No idea


8) Do you plan to attend BlackHat Vegas or Defcon this year?
a) Yes
b) No
c) Maybe

9) Are hacking contests, like Hack a Mac at CanSecWest, a good idea security-wise for the industry?
a) Yes
b) No
c) Somewhere in between (please describe: 1-2 sentences)


10) What is your stage of web application security grief?
(http://jeremiahgrossman.blogspot.com/2007/03/5-stages-of-web-application-security.html)
a) Denial
b) Anger
c) Bargaining
d) Depression
e) Acceptance


11) What is the most secure website industry vertical you encounter during vulnerability assessments?
a) Financial
b) E-Commerce
c) Healthcare
d) Government
e) Adult Entertainment
f) Gaming/Gambling
g) Don't know
h) Other (please specify)


12) From your experience, what development technology is present in the most secure websites?
a) PHP
b) Java
c) ASP Classic
d) .Net
e) Cold Fusion
f) Perl
g) Don't know
h) Other (please specify)







----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



Brought to you by http://www.webappsec.org