GPC/RFP/Project Hosting

Background
The OWASP Foundation came online on December 1st 2001. It was established as a 503(c) non-profit organization in the United States on April 21, 2004 to ensure the ongoing availability and support for our work at OWASP. OWASP is an international organization and the OWASP Foundation supports OWASP efforts around the world. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas. Our central wiki can be found at www.owasp.org.

OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. The OWASP Foundation is a not-for-profit entity that ensures the project's long-term success.

Since its inception as a repository for application security knowledge and information, OWASP has grown into a haven for security research tools and libraries aimed at helping organizations improve their application security stance. Many of OWASP's first successful projects were documentation projects and, as a result, our current infrastructure was designed around hosting projects in wiki format. However, many of our projects are now code-based tools or libraries, and our current wiki infrastructure does not give us the flexibility necessary to manage these projects in a cohesive, reliable manner.

The OWASP Global Projects Committee is currently looking for proposals to provide a cohesive project hosting framework for developers and users.

Description
Our envisioned project hosting solution encompasses not just basic project management tools, but also an infrastructure to implement and/or support our broader needs to publicize and promote OWASP projects.

Basic Project Hosting Tools
The following are typical project hosting features that are relatively self-explanatory; we assume they will be part of any project hosting service proposal.


 * Issue Management
 * Software Configuration Management (e.g. CVS, Subversion, Git, etc.)
 * Anonymous Read Access
 * Authenticated Commit Access
 * Continuous Integration Build
 * Support for various languages including, but not limited to, C/C++, Java, .Net, ASP, and PHP
 * Project Metrics/Statistics for:
   * Downloads
   * Code Commits
   * Active Committers
   * Average Issue Resolution Time
   * Open/Resolved Issue Counts

Project Content Presentation Services
Currently, the OWASP wiki hosts everything from chapter meeting notes, to informational articles, to project home pages. This has provided project leaders with the flexibility to create their own content as necessary to document and promote their project. However, the uncoordinated structure means that there is often no centralized place for project information. We have tried to address this by creating a standardized wiki template (e.g. About the OWASP Live CD), but this template is tedious and time-consuming to maintain manually. Additionally, project leaders can create wiki pages that end up clobbering or colliding with other projects or initiatives.
 * OWASP Branded Project wiki home page

We would like to have project home pages that are isolated from each other and provide some consistent structure for basic project metadata, while giving project leaders the freedom and flexibility to create web content for their project as appropriate.

All OWASP projects have individual mailing lists that are manually provisioned using OWASP's MailMan instance. The mailing list administrator must be manually set whenever a new project leader or core contributor arises. While the infrastructure is solidly in place, the process adds extra overhead to project management. Additionally, project leaders who want specialized mailing lists (e.g. announcement-only lists for patches) or other special requests add to the overhead.
 * Mailing Lists / User Groups

We would like a service that provides some level of self-provisioning of mailing lists for projects. This provisioning can be a service that provisions default mailing lists automatically at project creation or provides project owners the ability to self-provision desired mailing lists within their project namespace.

There is currently no consistent mechanism for OWASP projects to provide project downloads. In some cases, leaders will upload project releases to the OWASP wiki as "media files" and reference them in the wiki. In other cases, they will provide links to external sites where project releases can be downloaded. The inconsistency makes it difficult for users to find OWASP project releases and also makes it impossible for us to track the popularity (e.g. number of downloads) of OWASP projects.
 * Downloads Page

We would like to have a project release download mechanism for projects that allows us to track download statistics and also provides users a consistent place to find project releases.

The current OWASP wiki is not conducive to publishing documentation for our code-based projects.
 * Ability to publish Native Language Documentation (JavaDoc, PHPDoc, etc) for public consumption

We would like the project hosting service to support publication of native language documentation such as JavaDoc or PHPDoc as appropriate.

Project Management Services

 * Customizable (OWASP Branded) Projects Portal


 * Aggregate Metrics for all projects under the OWASP Umbrella for use on the projects portal page.


 * This infrastructure should be provided and supported by a vendor with a reliable (tested) and hardened hosting solution.


 * The ability to add additional services for projects on a per-project as-needed basis should be available either by providing a tool to add the service, or by submitting a support ticket to have the service added to the project by the vendor.


 * An SLA (Service Level Agreement) for services rendered should be provided along with, and considered part of, the proposal.


 * Provide an OWASP Branded Projects Portal page under which all OWASP Projects will be accessible and custom content can be loaded onto the page from dynamic sources, such as Twitter, Blogs, and Photostreams.


 * Provide a cohesive suite of project hosting and lifecycle tools for OWASP Incubator, Labs, and Mainstream projects to aid in the success of the projects.

Timeline

 * April 1, 2011 - RFP initially published
 * April 30, 2011 - Deadline for companies to complete their submission
 * June 10th, 2011 - Selection announcement made at OWASP AppSecEU
 * No later than June 30th, 2011 - Contract signed
 * No later than November 1st, 2011 - initial pilot projects launched

Evaluation Criteria
OWASP is a 503c Not-For-Profit Organization; as such, proposals that offer services or products as donations to the organization will take precedence. Donations will be matched with an OWASP Corporate Sponsorship and may be tax-deductible for your organization.

How to Submit
Please send all proposals via email to projects@owasp.org. Proposal documents should be attached to the e-mail in PDF format. The submission deadline for proposals is 7 May 2011. Please submit an intent to submit by 30 April 2011 if you intend to submit a proposal for this project.