Monday, June 2, 2014

OWASP Flagship Project Announcement

OWASP Community,

On April 30, 2014, the OWASP Board voted to change all projects with Flagship Status to Labs status. This message is intended to explain why we did this and what the future of OWASP projects and project evaluation is.

It's critical that the OWASP Foundation is sincere about the classification of our project inventory. Our "customers" depend upon these projects to provide a wide variety of critical security services. These include discovery of security vulnerabilities, cryptographic services, developer security education and a number of critical security controls. Some OWASP projects are used in the very heart of our customers' infrastructure!

Our current methodology of project classification is based on three categories: Incubator Projects, Labs Projects and Flagship Projects. Let's take a moment to explore what these categories mean as they stand today.

OWASP Incubator Projects are "proofs of concept, experimental, and classified as prototypes" in their current state.

OWASP Labs Projects represent projects that have produced a deliverable of significant value but are not guaranteed to be production ready.

OWASP Flagship Projects clearly denote production quality projects that organizations can trust and depend on.

Evaluating almost 200 projects is no small task. The OWASP project list has not changed much over the last 2 years. Unfortunately, some of our flagship projects have not been active and have languished to a point where flagship status may not be appropriate. Also, as OWASP continues to mature its project management and review capabilities, these categories may go away.

In an effort to present a more accurate and up-to-date status of OWASP projects, the OWASP Board has voted to reduce all Flagship projects to Labs status and will require projects to go through an evaluation process in order to be deemed flagship once again. This message states that current flagship projects are still important projects that deliver significant value, but may not be production ready or up to date.

OWASP is in the midst of building a new project review infrastructure and the processes to go with that. Our new project review mechanism is not finalized yet, but members of the OWASP Community are working to build that new strategy. But we need to realize that while many of our projects are great ideas, not all of them are "production quality projects". Please look for a proposal with options for comment and a community vote in the upcoming days.

We know this may upset some in our community, but we want to emphasize that we felt that several OWASP Flagship projects (which are of great value) were languishing in a variety of ways. Our goal was to present OWASP projects in a more honest light. OWASP Labs status again denotes great value.

Thank you for your consideration over this matter. We are eager to hear any feedback from the community to help make OWASP projects better in the future.

The OWASP Board and Staff 
