OWASP Security Spending Benchmarks reports available

This project is motivated by the fact that:

• There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security in or out of the software development processes.
• Spending on security helps mitigate risks whose potential costs are often difficult to quantify, thereby making justifying and obtaining security budgets difficult.
• Many business initiatives require organizations to take “reasonable measures†and “adhere to best practices†for developing, delivering, and/or hosting secure Web application, but there is no industry consensus or data repositories on how this translates into monetary terms.
• Smaller organizations outside of highly regulated industries purchase and deploy Web applications with no realistic ability to evaluate their security program.
• Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organization that have invested development resources into software security may not be able to charge a premium for this investment because there is no reference point for the investment.

The survey was formulated with the help of our project partners to address the following questions and many others:

• What percentage of a Web application development groups headcount is dedicated towards security?
• How much budget is allocated towards Web application security as a percentage of software development and overall operational IT security costs?
• Where do Web application security budget come from?
• How much budget is allocated towards security education?

For more information about OWASP France. Please contact Sebastien Gioria & Ludovic Petit