Assessing Project Releases
This is a DRAFT page still under review by the Global Projects Committee
This page is maintained by the Global Projects Committee to help assist Project Leaders with information about successfully running an OWASP Project. It will be updated from time to time, and changes will be discussed and announced on the OWASP-Leaders list.
For project releases, OWASP has established the assessment criteria with three designations of quality: Alpha, Beta and Quality. As project releases move up the quality ladder from Alpha to Beta and finally to a Quality release, the amount of rigor required increases. In general, the project lead will determine the goal quality level of their project and work towards fulfilling the criteria for that level. Once a project lead has completed the prerequisites and criteria for the goal level, they request that their project be reviewed. The quality level will determine who and how those reviews occur.
- Alpha release: The review consists of the Global Project Committee (GPC) verifying that the project pre-assessment check-list is complete. Alpha projects are the most free and open since anyone with solution to an application security problem can propose a new OWASP project. Alpha is where all new projects begin.
- Beta release: The review will first be conducted by the project's reviewer (more on this below). After the reviewer completes the reviewer action items, the GPC will validate the project's assessment.
- Quality release: The two project reviewers will complete their action items (more on this below). After the reviews are complete, the Global Projects Committee and OWASP Board will validate the project's review.
Pre-Assessment Checklists versus Reviewer Action Items:
- Pre-Assessment checklists should be completed by the project lead prior to asking for an assessment.
- Pre-Assessment checklists were designed to be completed in minutes if all items are complete.
- Reviewer Action Items should be completed by project reviewer(s) after the project lead indicates the project is ready to be assessed.
- Reviewer Action Items were designed to require some significant time commitment from the reviewer since the questions are subjective and require a good deal of understanding of the project.
Prerequisites for project assessment
Depending on the quality level criteria, the project lead may have prerequisites before the project deliverable(s) can be assessed by the criteria below
- Alpha release: No prerequisites.
- Beta release: 1 reviewer is required.
- Release release: 2 reviewers are required. Second review has special requirements.
Notes on reviewers
- Ideally, the project lead will suggest project reviewer(s).
- Ideally, reviewers should be an existing OWASP project lead or Chapter leader.
- If the project lead is unable to find the required reviewer(s), the Global Projects Committee can assist in identifying reviewers for the project.
- It is recommended that an OWASP board member or Global Projects Committee member be the second reviewer on Quality releases. The board has the initial option to review the project, followed by the Global Projects Committee.
- The Global Projects Committee confirms the assignment of reviewers to a project.
Specific Assessment Criteria for the OWASP Project Types: