Difference between revisions of "Assessing Project Releases"

From OWASP
(Updated to reflect new revisions of the criteria v2)
(Removed "This is a DRAFT page still under review by the Global Projects Committee")
 
(10 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
[[Category:OWASP Project Assessment]]
 
[[Category:OWASP Project Assessment]]
 
This is a DRAFT page still under review by the [[Global Projects Committee]]
 
  
 
This page is maintained by the [[Global Projects Committee]] to help assist Project Leaders with information about successfully running an OWASP Project. It will be updated from time to time, and changes will be discussed and announced on the OWASP-Leaders list.
 
This page is maintained by the [[Global Projects Committee]] to help assist Project Leaders with information about successfully running an OWASP Project. It will be updated from time to time, and changes will be discussed and announced on the OWASP-Leaders list.
Line 7: Line 5:
 
=== Quality Levels===
 
=== Quality Levels===
  
For project releases, OWASP has established the assessment criteria with three designations of quality:  Alpha, Beta and Quality releases.  As project releases move up the quality ladder from Alpha to Beta and finally to a Quality release, the amount of rigor required increases. In general, the project lead will determine the goal quality level of their project and work towards fulfilling the criteria for that level. Once a project lead has completed the prerequisites and criteria for the goal level, they request that their project be reviewed. The quality level will determine who reviews the release and how those reviews occur.  
+
For project releases, OWASP has created a criteria with three designations of quality:  Alpha, Beta and Stable releases.  As project releases move up the quality ladder from Alpha to Beta and finally to a Stable release, the amount of rigour required increases. In general, the project lead will determine the goal quality level of their project and work towards fulfilling the criteria for that level. Once a project lead has completed the prerequisites and criteria for the goal level, they request that their project be reviewed. The quality level will determine who reviews the release and how those reviews occur.  
  
* Alpha release: The review consists of the Global Project Committee (GPC) verifying that the project pre-assessment checklist is complete. Alpha release projects are the most free and open since anyone with a start on a solution to an application security problem can assess their project against the pre-assessment checklist.   
+
* Alpha release: The review consists of the Global Project Committee (GPC) verifying that the project pre-assessment checklist is complete. Alpha release projects are the easiest to achieve since anyone with a start on a solution to an application security problem can self assess their project against the pre-assessment checklist.   
* Beta release:  The project lead completes the pre-assessment checklist. Then, the review will first be conducted by the project's reviewer (more on this below). After the reviewer completes the reviewer action items, the GPC will validate the project's assessment.  
+
* Beta release:  The project lead completes the pre-assessment checklist. Then, the review will first be conducted by the project's reviewer (more on this below). After the reviewer completes the review of the release, the GPC will validate the project's review.  
* Quality release: The project lead completes the pre-assessment checklist. Then, the two project reviewers will complete their action items (more on this below). After the reviews are complete, the Global Projects Committee and OWASP Board will validate the project's review.
+
* Stable release: The project lead completes the pre-assessment checklist. Then, the two project reviewers will complete their review of the release (more on this below). After the reviews are complete, the Global Projects Committee and OWASP Board will validate the project's review.
  
  
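Review bot: "OWASP has created a criteria" in the rewritten Quality Levels paragraph is ungrammatical (criteria is plural); the previous wording, "has established assessment criteria", read better and should be kept alongside the Quality-to-Stable rename. In the Alpha bullet of the same hunk, "Global Project Committee (GPC)" should be "Global Projects Committee (GPC)" to match the page's own heading and the other bullets.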
Line 20: Line 18:
 
* Reviewer Action Items were designed to require some significant time commitment from the reviewer since the questions are subjective and require a good deal of understanding and review of the project's release.
 
* Reviewer Action Items were designed to require some significant time commitment from the reviewer since the questions are subjective and require a good deal of understanding and review of the project's release.
  
===Prerequisites for Project Assessment===
+
===Prerequisites for Project Release  Assessment===
  
 
Depending on the quality level criteria, the project lead may have prerequisites to complete before the project release(s) can be assessed by the criteria below  
 
Depending on the quality level criteria, the project lead may have prerequisites to complete before the project release(s) can be assessed by the criteria below  
Line 26: Line 24:
 
* Alpha release: No prerequisites.  
 
* Alpha release: No prerequisites.  
 
* Beta release: 1 reviewer is required.  
 
* Beta release: 1 reviewer is required.  
* Release release: 2 reviewers are required. Second review has special requirements.  
+
* Stable release: 2 reviewers are required. Second review has special requirements.  
  
  
 
Notes on reviewers  
 
Notes on reviewers  
  
* Ideally, the project lead will suggest project reviewer(s).  
+
* Ideally, per project release, the project leader will propose the reviewer(s).  
* Ideally, reviewers should be an existing OWASP project lead or Chapter leader.   
+
* Ideally, reviewers should be an existing OWASP project leader or chapter leader.   
 
* If the project lead is unable to find the required reviewer(s), the Global Projects Committee can assist in identifying reviewers for the project.  
 
* If the project lead is unable to find the required reviewer(s), the Global Projects Committee can assist in identifying reviewers for the project.  
* It is recommended that an OWASP board member or Global Projects Committee member be the second reviewer on Quality releases. The board has the initial option to review the project, followed by the Global Projects Committee.  
+
* It is recommended that an OWASP board member or Global Projects Committee member be the second reviewer on Stable releases. The board has the initial option to review the project, followed by the Global Projects Committee.  
 
* The Global Projects Committee confirms the assignment of reviewers to a project.
 
* The Global Projects Committee confirms the assignment of reviewers to a project.
 +
* For special cases (e.g. large documents), multiple reviewers may be utilized to break the review work into smaller units.  The over-riding principal is that one set of eye balls will review for Beta and two sets of eye balls will review for Quality.  For example, a large project 4 reviewers could be used to do the Stable quality review were each reviewer would be responsible for reviewing approximately 1/2 of the content where 4 x 1/2 = 2.
 +
 +
=== Star Rating System ===
 +
 +
{| style="width:90%" border="0" align="center"
 +
| colspan="7" align="center" style="background:#white; color:black" |
 +
|-
 +
| style="width:25%; background:#white" align="center" | Not Reviewed   
 +
| style="width:25%; background:#white" align="center" | Alpha Release
 +
| style="width:25%; background:#white" align="center" | Beta Release
 +
| style="width:25%; background:#white" align="center" | Stable Release 
 +
|-
 +
| style="width:25%; background:#white" align="center" | [[Image:Yellow button.JPG|25px]]
 +
| style="width:25%; background:#white" align="center" | [[Image:Greenlight.png|25px]]
 +
| style="width:25%; background:#white" align="center" | [[Image:Greenlight.png|25px]][[Image:Greenlight.png|25px]]
 +
| style="width:25%; background:#white" align="center" | [[Image:Greenlight.png|25px]][[Image:Greenlight.png|25px]][[Image:Greenlight.png|25px]]
 +
|}
  
===Assessment Criteria===
+
===Release Assessment Criteria===
  
Specific Assessment Criteria for the OWASP Project Types:
+
Specific Release Assessment Criteria for the OWASP Project Types:
 
*[[Tool Assessment Criteria]]
 
*[[Tool Assessment Criteria]]
 
*[[Documents Assessment Criteria]]
 
*[[Documents Assessment Criteria]]
 
*[[Research and Activities Criteria]]
 
*[[Research and Activities Criteria]]
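Review bot: the new bullet on splitting a review among several reviewers still says "two sets of eye balls will review for Quality", while this revision renames the Quality level to Stable everywhere else (Quality Levels, Prerequisites, the second-reviewer note and the star rating table); change it to Stable so the terminology stays consistent. The same bullet has typos ("over-riding principal", "eye balls", "were each reviewer") and its worked example is clearer as "each of the 4 reviewers covers about half of the content, so every part of the release is seen by two reviewers (4 x 1/2 = 2)".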

Latest revision as of 09:56, 2 July 2009


This page is maintained by the Global Projects Committee to assist Project Leaders with information about successfully running an OWASP Project. It will be updated from time to time, and changes will be discussed and announced on the OWASP-Leaders list.


Quality Levels

For project releases, OWASP has established assessment criteria with three designations of quality: Alpha, Beta and Stable releases. As project releases move up the quality ladder from Alpha to Beta and finally to a Stable release, the amount of rigour required increases. In general, the project lead determines the goal quality level for the project and works towards fulfilling the criteria for that level. Once the project lead has completed the prerequisites and criteria for the goal level, they request that the release be reviewed. The quality level determines who reviews the release and how those reviews occur.

  • Alpha release: The review consists of the Global Projects Committee (GPC) verifying that the project pre-assessment checklist is complete. Alpha releases are the easiest to achieve, since anyone with a start on a solution to an application security problem can self-assess their project against the pre-assessment checklist.
  • Beta release: The project lead completes the pre-assessment checklist. Then the review is first conducted by the project's reviewer (more on this below). After the reviewer completes the review of the release, the GPC validates the project's review.
  • Stable release: The project lead completes the pre-assessment checklist. Then the two project reviewers complete their review of the release (more on this below). After both reviews are complete, the GPC and the OWASP Board validate the project's review.


Pre-Assessment Checklists versus Reviewer Action Items:

  • Pre-Assessment checklists should be completed by the project lead prior to asking for an assessment.
  • Pre-Assessment checklists were designed to be completed in minutes to verify that all items are complete.
  • Reviewer Action Items should be completed by project reviewer(s) after the project lead indicates the project is ready to be assessed and the pre-assessment checklist is complete.
  • Reviewer Action Items were designed to require some significant time commitment from the reviewer since the questions are subjective and require a good deal of understanding and review of the project's release.

Prerequisites for Project Release Assessment

Depending on the quality level, the project lead may have prerequisites to complete before the project release(s) can be assessed against the criteria below.

  • Alpha release: No prerequisites.
  • Beta release: 1 reviewer is required.
  • Stable release: 2 reviewers are required. The second reviewer has special requirements (see the notes on reviewers below).


Notes on reviewers

  • Ideally, for each project release, the project leader proposes the reviewer(s).
  • Ideally, reviewers should be existing OWASP project leaders or chapter leaders.
  • If the project lead is unable to find the required reviewer(s), the Global Projects Committee can assist in identifying reviewers for the project.
  • It is recommended that an OWASP Board member or Global Projects Committee member be the second reviewer on Stable releases. The Board has the first option to review the project, followed by the Global Projects Committee.
  • The Global Projects Committee confirms the assignment of reviewers to a project.
  • For special cases (e.g. large documents), multiple reviewers may be used to break the review work into smaller units. The overriding principle is that every part of a Beta release is reviewed by one set of eyes and every part of a Stable release by two sets of eyes. For example, a large project could use 4 reviewers for the Stable review, each responsible for approximately half of the content, so that every part of the release is covered by two reviewers (4 x 1/2 = 2).

Star Rating System

Not Reviewed: one yellow button
Alpha Release: one green light
Beta Release: two green lights
Stable Release: three green lights

Release Assessment Criteria

Specific Release Assessment Criteria for the OWASP Project Types:

  • Tool Assessment Criteria
  • Documents Assessment Criteria
  • Research and Activities Criteria