Fortify Software


Security Benchmarking Assessment

This survey will take about 10 minutes. All participants will be e-mailed a personalized report that not only assesses your company's application security performance, but also compares performance to that of your industry peers.

RESPONDENT DETAILS * (all fields in this section required)
Organization name *
Respondent name *
Job title *
Email address *
Phone number *
Address *
Geography *
Organization size *
Revenues *   Dollars  Euros 
Industry *  
1. QUALIFICATION
1.1 Does your company develop software applications, provide access over the internet to internally managed applications, or do any software code development internally?
Yes   No
2. BUSINESS ISSUES
2.1 How important is in-house software development to your organization?
Business critical - the majority of our capability hinges on in-house code
Important - we use external apps and use internal code for interoperability
Moderate - the additional code we provide gives us differentiation
Of minor importance
We really should be looking to minimize our internal code development
2.2 Has reliance on software development increased over the past few years?
Increased 
Remained the same 
Decreased 
2.3 Does your company outsource any of its application development to a third party or parties?
> 80% 
60%-80% 
40%-59% 
20%-39% 
< 20% 
No 
2.4 From the following list, which are the three major regulations with which your business must comply?
Basel II 
Sarbanes-Oxley 
PCI 
Data protection 
FISMA 
MiFID
FFIEC 
Other (specify) 
2.5 What percentage of your company’s IT budget is expected to be spent on IT security products in 2008?
< 5% 
5-9% 
10-14% 
15-20% 
> 20% 
2.6 Which of the following statements most closely matches your company’s approach to IT Security?
Proactive - we try to ensure that we are as secure as possible
Seen as an insurance policy - we take a risk mitigation approach
Reactive - we respond to incidents as they occur
2.7 To whom does security report in the organization?
Chief security officer 
Chief information officer 
Other (specify)   
2.8 How heavily does your company use Web 2.0 technologies at the moment (these are advanced collaborative technologies such as wikis, blogs, RSS feeds and social networking sites)?
Heavily 
Moderately 
Sparingly 
Not at all 
2.9 Do you have policies around the deployment of Web 2.0 technologies in your organization?
Yes (if possible ask what these policies are) 
Working on creating them 
No 
2.9A If yes, could you briefly describe those policies, please? (255 character limit)
3. APPLICATION DEVELOPMENT
3.1 Who has ultimate responsibility for the security aspects of the applications that your company develops?
(Tick all that are applicable)
Development team 
IT security team 
Quality control/testers 
Auditors 
Executive 
Other (specify)   
3.2 What programming languages do you use for application development? (Tick all that are applicable)
Java 
.Net 
C/C++ 
JSP 
PL/SQL 
TSQL 
Cold Fusion 
JavaScript/Ajax 
PHP 
Classic ASP-VB6 
COBOL 
Other (specify)   
3.3 Does your company use a risk-rating system and, if so, what form does it take? (tick all that are applicable)
DREAD 
OWASP 
STRIDE 
CVSS 
CLASP 
NIST 800-30 
AS/NZS 4360 
SANS 
Don't use any 
Don't know 
Other (specify)   
3.4 Does your company define security goals and strategy at the requirements planning stage?
Yes - it is a formal requirement 
Yes - in most cases 
Yes - in a minority of specific cases 
No 
3.5 Which of the following processes are built in at the design stage? (Tick all that apply)
Yes - it is a formal requirement 
Yes - in most cases 
Yes - in a minority of specific cases 
No 
3.6 Does your company employ a reusable security model, including secure build configurations and known vulnerability libraries?
Yes - fully implemented 
No - but planning 
No 
3.7 What processes and tools does your company have in place for analysing code? (Tick all that apply)
Black box 
Debuggers 
Source code analyzers 
Automated code scanners 
Vulnerability scanners 
None 
Don't know 
Other (specify) 
3.8 At what point in the development lifecycle does your company analyze applications for security? (Tick all that apply)
Design 
Development 
Deployment 
Production when provisioned 
Production at a continuous level against new threats 
3.9 Is your company adopting a service-oriented architecture (SOA)?
Yes - we have fully adopted SOA 
Yes - all new functionality is being implemented as SOA and existing apps are being SOA-enabled 
Yes - all new functionality is being implemented as SOA but existing apps are being left as they are
No 
3.10 Which of the following Web 2.0 technologies do you use today? (tick all that apply)
Rich internet application technologies, often Ajax-based 
Semantically valid XHTML and HTML markup
Microformats extending pages with additional semantics 
Folksonomies (in the form of tags or tagclouds, for example) 
Cascading style sheets to aid in the separation of presentation and content 
REST and/or XML and/or JSON-based APIs 
Syndication, aggregation and notification of data in RSS or Atom feeds 
Mashups, merging content from different sources, client and server-side 
Web-publishing tools 
Wiki or forum software, etc., to support user-generated content
3.11 Do your Web 2.0 applications implement a SOA or leverage web services?
Yes 
No 
Considering 
3.12 Which of the following technologies do you use? (tick all that apply)
Microsoft BizTalk 
Microsoft Web Services Enhancements (WSE) 2 
Microsoft Windows Communications Foundation (WCF) 
Microsoft CardSpace 
BEA AquaLogic 
IBM WebSphere 
Oracle Fusion 
Apache Axis 
Apache Axis 2 
JBossWS 
CXF
Metro 
GlassFish 
JEMS 
Other (specify)  
3.13 What is the average time taken for developing a software application?
< 3 months 
3-5 months 
6-8 months 
9-11 months 
> 12 months 
3.14 Does your company deploy reporting tools? (tick all that apply)
Logs 
Security incident reporting 
Change control and management 
Other (specify)   
3.15 Do you do static code analysis as part of the software development lifecycle?
Yes 
No 
3.16 What percentage of your software development team is security accredited?
< 5% 
5-9% 
10-14% 
15-19% 
> 20% 
4. SECURITY
Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking e-mail in an attempt to gather personal and financial information from recipients.
Pharming is a scamming practice in which malicious code is installed on a personal computer or server, misdirecting users to fraudulent Web sites without their knowledge or consent.
4.1 Are you aware whether your organization has been the victim of any of the following security attacks over the past year?
(for each select: frequently, sometimes, rarely, never)
Hacking
Phishing
Pharming
Information leakage
Don't know 
Prefer not to say 
4.1A Are there any other security attacks that have affected your business in the past 12 months?
4.2 Which type of security attack would have the most impact on your organization?
(rate from 1 = minor impact to 5 = major impact)
Hacking 1 2 3 4 5
Phishing 1 2 3 4 5
Pharming 1 2 3 4 5
Information leakage 1 2 3 4 5
Other (specify) 1 2 3 4 5
4.3 What would be the average cost of cleaning up after a major attack?
Dollars  Euros
4.4 Have you seen such attacks increase over the past year?
Increased 
Decreased 
Remained the same 
4.5 If they have increased, by how much?
< 5% 
5-9% 
10-19% 
15-20% 
> 20% 
4.5.6 Please note down if they give information related to a specific type of attack (255 character limit)
4.6 Which of the following vulnerabilities are you most concerned about in the applications that you develop?
(1 = not concerned to 5 = very concerned)
Cross-site scripting 1 2 3 4 5
Cross-site request forgery 1 2 3 4 5
Content spoofing 1 2 3 4 5
Insufficient authentication 1 2 3 4 5
JavaScript hacking 1 2 3 4 5
SQL injection 1 2 3 4 5
LDAP injection 1 2 3 4 5
Session hijacking 1 2 3 4 5
Command injection 1 2 3 4 5
None of the above 1 2 3 4 5
Other (specify) 1 2 3 4 5
4.7 What code-level vulnerabilities are of most concern specifically in Web 2.0 applications?
(1 = not concerned to 5 = very concerned)
Cross-site scripting 1 2 3 4 5
Cross-site request forgery 1 2 3 4 5
Content spoofing 1 2 3 4 5
Insufficient authentication 1 2 3 4 5
JavaScript hacking 1 2 3 4 5
SQL injection 1 2 3 4 5
LDAP injection 1 2 3 4 5
Session hijacking 1 2 3 4 5
Command injection 1 2 3 4 5
None of the above 1 2 3 4 5
Other (specify) 1 2 3 4 5
4.8 Does your organization have written policies or blocking technologies in place that you enforce to limit use of any of the following applications and devices? (If yes, please record whether they use policies or technology.)
Instant messaging  Policies  Technology 
Web mail  Policies  Technology 
Portable storage devices  Policies  Technology 
PDAs, smart phones and camera phones  Policies  Technology 
VoIP  Policies  Technology 
Software downloads  Policies  Technology 
Social networking sites  Policies  Technology 
Chat rooms  Policies  Technology 
Blogs  Policies  Technology 
None of the above 
Don't know 

Contact me about products from Fortify Software