Tuesday, August 13, 2013
OWASP Projects Defined: Answers to Community Questions and Feedback
Recently, we have received many questions relating to our OWASP Projects. They range from confusion over what an OWASP Project is, project promotion choices, and questions on project quality. While we are working hard on improving OWASP Projects on an operational level, we understand that sometimes we need to shine some light on our work, and add clarity to what it means to be an OWASP Project.
This post is meant to clarify some of these points, and answer some of the questions we have received from the community about our Projects.
What is an OWASP Project?
Projects are one of the primary methods by which OWASP strives to achieve its mission, which is to make application security more visible. OWASP provides a community based online platform that allows project leaders the opportunity to freely test ideas and theories in an open environment. Leaders are able to leverage the OWASP brand, and the help of a dedicated OWASP Projects manager to guide development.
The goal of an OWASP Project is to create a concrete deliverable - such as a document, a tool, or a code library - that furthers the OWASP mission. It is important to note that OWASP is not a commercial software development company. The aim of the OWASP Projects Platform is to give Project Leaders the space, time, and resources they need to research, create, and grow an idea into a concrete product.
There is no obligation to create a finished product, but we certainly encourage high quality development. There are many examples of great projects, and those project leaders, as well as the team, are rewarded for their dedication and contributions to our mission and Projects infrastructure.
There are three different stages of an OWASP Project. They are divided into the following categories to identify the maturity level of the project.
OWASP Incubator Projects
OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. Incubator projects are the first stage in a project's maturity within the OWASP Projects Infrastructure. All new projects are labeled as Incubators once they are accepted into OWASP, and there is no obligation to leave the Incubator stage. The only requirement after acceptance is to keep the project active.
OWASP Labs Projects
OWASP Labs projects represent projects that have produced a release or a deliverable. For example, a documentation project that has developed a finished book can apply to become a Labs Project. The Project Leader has created a deliverable and has reached a goal set out in the Incubator stage of the project. This demonstrates dedication to OWASP, and dedication to the project itself.
OWASP Flagship Projects
The OWASP Flagship label is given to projects that have demonstrated superior maturity, established quality, and strategic value to OWASP and application security as a whole. Flagship Project Leaders not only create a deliverable of value, they also actively promote their project, they keep up-to-date on community comments and requests, and maintain the project as active unless the project has reached completion.
Other Project Categorizations
While OWASP Projects are primarily categorized by their maturity level, it is important to note that projects are categorized in several other ways as well. Projects are categorized by type: Tool, Documentation, or Code Library. They are also categorized by Activity. Moreover, we are working on categorizing the projects by region, by the OpenSAMM framework, and by Builder, Breaker, and Defender types.
We try to give our OWASP Project Leaders many different opportunities to promote their work using various mediums. For example, we have speaking opportunities available at our global conferences, Leaders can give webinars on project developments, and projects can be showcased in our Connector newsletter.
These opportunities are available to all of our OWASP Project Leaders, with the exception of certain areas of the Connector. We use the Connector to showcase a project of the month, to introduce new projects to the community, and to share news and updates about our projects. Now, while we do realize there is sometimes very little information on the New Project pages, we feel it is very important to let the community know that there are new projects entering the infrastructure. This is one of the ways we promote these new projects and encourage our new Project Leaders.
OWASP Project Quality & Realistic Expectations
There has been quite a bit of debate over the quality of our OWASP Projects. There seems to be some confusion about the amount of influence OWASP has over the quality, timeline, and overall product of an OWASP Project. The most important point to remember is that OWASP is a platform for ideas within the software security landscape. We provide the space, time, and resources Leaders need to research, create, and grow an idea into a concrete product. However, there is no obligation to create a high quality product, as we are not a commercial organization. This is primarily why our project quality varies so much, and the expectation of having products of similar quality from all of our projects is simply unrealistic. OWASP simply provides the space to create, and a wealth of knowledge and experience for Leaders to learn and grow.
I realize this is a brief description of what our OWASP Projects encompass, so I would like to welcome members of the community to ask me questions. You can either comment on this blog post or e-mail me directly at Samantha.Groves@owasp.org. Alternatively, you can visit the OWASP Projects page for more information.
Lastly, the Ops Team would just like to thank everyone who is currently working to improve our project processes, everyone who contributes to project reviews, and the projects themselves. We could not have our OWASP Projects Platform without your contributions and support.