OWASP 2014 Project Handbook Project Requirements

Project Requirements
Starting an OWASP project is a very easy process. You simply have to submit an application to start your project, and work on it under the OWASP Projects umbrella. Additionally, projects and their leaders are expected to not only know and follow OWASP Project policies and guidelines, but they are expected to uphold the OWASP core values, as well. The OWASP core values are: openness, innovation, internationalization, and integrity. Beyond these principles, a potential Project Leader with an idea only needs a project name, a project description, a project license choice, and a project roadmap to submit an application.

Openness
OWASP Projects must be open in all facets, including source material, contributors, organizational structure, and ﬁnances (if any). Project source code (if applicable) must be made openly available, project communication channels (e.g. mailing lists, forums) should be open and free from censorship, and all project materials must be licensed under a community friendly license as approved by the Free Software Foundation (Appendix 8.2).

Innovation
All OWASP Projects are expected to be innovative, and address an application security concern unless they are operational projects. Projects can be ideas turned into a proof-of-concept, new implementations of familiar ideas or tools, or something altogether different. The OWASP philosophy is to try many things and fail fast! This means that we want Project Leaders to bring projects forward, no matter how large or small, and no matter how unlikely they may seem. Project Leaders are encouraged to be forward thinking in their ideas and designs.

Internationalization
A project is internationalized when all of the project’s materials and deliverables are consumable by an international audience. This can involve translation of materials into different languages, and the distribution of project deliverables into different countries. OWASP Projects are not expected to be internationalized from day one, but they are expected to keep the international audience in mind for future development. OWASP resources and assistance are available to help in translation efforts, but Project Leaders will need to ensure that their project is ﬂexible enough to support internationalization.

Integrity
OWASP Projects must uphold the integrity of the OWASP Foundation, and must not unduly promote a speciﬁc company, vendor, or organization. While OWASP welcomes corporate sponsorship of a project, Project Leaders must ensure that any such relationship is disclosed, and that the project continues to be a vendor agnostic endeavor. Project Leaders must use the appropriate project designation to refer to their project and must not abuse the OWASP brand. Project Leaders must also conduct themselves according to the OWASP Code of Ethics, and must follow OWASP Project policies and guidelines, at all times (Appendix 8.3).

Ownership
OWASP does not require a transfer of ownership of your project as all OWASP Projects must be offered under an open source license. Open Source means that the content must be made freely available and may be redistributed and modiﬁed by anyone. Every Project Leader and contributor owns their own contributions; however, he/she must accept that all contributions made to an OWASP Project must be open source. Project owners who own all copyrights to a project outside of OWASP, and no longer wish to be involved with the day to day management of a project, are welcome to donate their work to OWASP. Please contact the OWASP Project Manager for information on how to best donate your project to OWASP.

Project Operational Requirements
At a minimum, all OWASP Projects need to have a project name, a Project Leader, a project description, a project community friendly license choice, and a project roadmap. Below you will ﬁnd a short summary of what is expected for each of these operational requirements.

PROJECT NAME A project name will include the OWASP brand name by default. A Project Leader can choose to omit the OWASP brand name from their project name, but the Leader must inform the OWASP Project Manager before it is omitted. Otherwise, the project will be set up using ‘OWASP’ as a preﬁx to the project name in the original application.

PROJECT LEADER A Project Leader is the individual who decides to lead the project throughout its lifecycle. The Project Leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The Project Leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted.

PROJECT DESCRIPTIONS A project description should outline the purpose of the project, and the value it provides to application security. Ideally, project descriptions should be written in such a way that the start of the description can be used as a teaser or an excerpt (as commonly done for news articles and blog postings). This teaser will be seen and used in various places within the Projects Portal. Poorly written project descriptions detract from a project’s visibility, and Project Leaders should ensure that the teaser is concise and meaningful.

PROJECT ROADMAP A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership. Roadmaps vary in detail from a broad outline to a fully detailed project plan. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. It is recommended that Project Leaders have at least 4 yearly milestones in their roadmap.

PROJECT LICENSE A project must be licensed under a community friendly or open source license. For more information on OWASP recommended licenses, please see (Appendix 8.2). While OWASP does not promote any particular license over another, the vast majority of projects have chosen a Creative Commons license variant for documentation and operational projects, or a GNU General Public License variant for tools and code projects.