State of AppSec Survey Project

The purpose of the State of AppSec Survey Project is to provide resources and materials, for use by OWASP Chapters and other organizations, in developing their own “State of AppSec in XXX” surveys and reports.

The initial seed for this project was the OWASP New Zealand Chapter’s first “State of AppSec in New Zealand” effort. The first year’s survey was created as a proof of concept, with support from a local employer (Datacom Systems (NZ)), over a period of six months in 2022.

Deliverables

A core set of resources and templates will be developed iteratively, and made available for download.

The final set of deliverables will include:

• A collection of survey ‘pages’ - sets of related questions, intended for use as a group
• A small set of ‘selector’ questions, which can be used to determine which survey ‘pages’ should be presented
• A set of representative flows, based on responses to ‘selector’ questions, and comprised of ‘page’ sequences
• One or more document templates, for creating the annual whitepaper
• Slide deck templates, for promoting the survey and presenting its results

Project Roadmap

At the time of this writing, the OWASP New Zealand project team is wrapping up the 2022 effort, and and plans to publish the whitepaper at the end of October.

The following represent the planned steps in building on the initial survey in New Zealand, leveraging the products developed and lessons learned to further the overall effort:

1. Create Initial New Zealand survey - April/May 2022
2. Launch survey and collect responses - June/July 2022
3. Analyze survey responses
4. Publish whitepaper - October 2022
5. Publicize findings and project efforts within New Zealand
6. Publish survey ‘pages’ and ‘selector’ questions used in New Zealand survey
7. Create and publish report and presentation templates, based on NZ-specific materials
8. Promote the project and use of its approach and materials, in the broader OWASP community

Presentations

The project leader, John DiLeo (who also leads the New Zealand effort), has given a number of presentations on the project, with more scheduled.

• OWASP New Zealand Day 2022 (Video, YouTube, 27:26) - 8 July 2022
• OWASP Global AppSec APAC Virtual Conference - 1 September 2022 (Video to be published “real soon now”)
• New Zealand Internet Task Force (NZITF) Conference - 31 October 2022
• Canterbury Hacker Camp (CHCamp) - 25-26 November 2022
• Auckland Information Security Interest Group (ISIG) meeting - 28 March 2023