Difference between revisions of "How to Start an OWASP Project"

Jump to: navigation, search
m (OWASP Recommended Licenses)
(4 intermediate revisions by 2 users not shown)
Line 33: Line 33:
# Project Main Links (if any).
# Project Main Links (if any).
==OWASP Recommended Licenses==
== Project Release ==
*As your project reaches a point that you'd like OWASP to assist in its promotion, the [[Global Projects Committee|OWASP Global Projects Committee]]  will need the following to help spread the word about your project:
*As your project reaches a point that you'd like OWASP to assist in its promotion, the [[Global Projects Committee|OWASP Global Projects Committee]]  will need the following to help spread the word about your project:
Line 56: Line 63:
* Check out the '''[[Guidelines for OWASP Projects]]'''.
* Check out the '''[[Guidelines for OWASP Projects]]'''.
==Project Forms==
[http://www.tfaforms.com/264422 Project Transition Application]
[http://www.tfaforms.com/264413 Project Review Request]
[http://www.tfaforms.com/264418 Project Donation Application]
[http://www.tfaforms.com/264428 Project Adoption Request]
[http://www.tfaforms.com/264426 Project Abandonment Request]
[http://www.tfaforms.com/264392 Incubator Project Graduation Application]
[http://www.tfaforms.com/264112 Contact the Global Projects Division]
[http://www.tfaforms.com/264210 New Project Application]
[[Category:OWASP Project]]
[[Category:OWASP Project]]
[[Category:How To]]
[[Category:How To]]

Revision as of 15:20, 9 December 2012

So you want to start a project...

Starting an OWASP Project is easy. You don't have to be an application security expert. You just have to have the drive and desire to make a contribution to the application security community.

Here are some of the guidelines for running a successful OWASP project:

  • The best OWASP projects are strategic - they make it easier to produce secure applications by filling a gap in the application security knowledge-base or technology support.
  • You can run a single person project, but it's usually best to get the community involved. You should be prepared to support a mailing list, build a team, speak at conferences, and promote your project.
  • You can contribute existing documents or tools to OWASP! Assuming you have the intellectual property rights to a work, you can open it to the world as an OWASP Project. Please coordinate this with OWASP by contacting owasp(at)owasp.org.
  • Available Grants to consider if you need funding - Click Here
  • You should promote your project through the OWASP channels as well as by outside means. Get people to blog about it!

Creating a new project

Here's the simple process for starting a new OWASP Project.

  • Get the following information together:


  1. Project Name,
  2. Project purpose / overview,
  3. Project Roadmap,
  4. Project links (if any) to external sites,
  5. Project License,
  6. Project Leader name,
  7. Project Leader email address,
  8. Project Leader wiki account - the username (you'll need this to edit the wiki),
  9. Project Contributor(s) (if any) - name email and wiki account (if any),
  10. Project Main Links (if any).

OWASP Recommended Licenses

Why are you recommending these licenses?
Which other open source licenses are eligible for an OWASP project?

Choosing a license under which an artifact is distributed and enforcing the license are prerogatives of the copyright holders over that artifact. By default, each contributor is copyright holder over the contributed piece. Contributors must all agree on the license and cooperate in enforcing it or must assign their copyright to the entity which becomes responsible for choosing and enforcing the license.

OWASP is a collaborative initiative for the public good and most of its output is expected to be functional, rather than aesthetic. The problem OWASP tackles is so large that OWASP acknowledges a need to collaborate with the commercial world. Therefore, in order to become an OWASP Sponsored Project, you should be comfortable with:

  • Allowing arbitrary uses for your work, for example for commercial purposes. (If you disagree, consider using CC-BY-NC.)
  • Revealing to the world your project's source code (its form preferred for modification).
  • Allowing your work, under certain conditions (see below), to be modified by others and redistributed. (If you disagree, consider using CC-BY-ND.)
How to choose a license for artifcts of your OWASP project
Artifact Under what conditions can your work be modified and redistributed?
As long as modifications are licensed in the same spirit If credit is appropriately given to you Under any circumstances
Standalone Tool Run locally
GPL (newest version as of 2016 is 3.0)

The "General Public License" protects users' four essential freedoms, among other things by requiring someone who distributes software derived from yours to also publish the source code for the modifications. Anyone can charge money for distributing copies of the software, but cannot prevent its recipients from redistributing it for free. The GPL allows the copyright holders to distribute the software under additional licenses, too, which can be a way to make it proprietary-friendly.
Apache License (newest version as of 2016 is 2.0)

Has the fewest restrictions, even allowing proprietary modifications and proprietary forks of your project, and is more up-to-date than the BSD license.
CC0 (newest version as of 2016 is 1.0)

The "Public Domain Dedication" means that anybody can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.
Consumed over the network
AGPL (newest version as of 2016 is 3.0)

The "Affero General Public License" extends the GPL to SaaS: users of the modified software must be able to obtain the source code of the modifications.
GPL or LGPL (newest version as of 2016 is 3.0)

The "Lesser General Public License" relaxes the GPL for libraries: if the library is not modified, just integrated (function calls, global variables,...), with other software, it does not require the source code of the other software to be published. The Free Software Foundation recommends the LGPL only for libraries which have established competitors for the same functionality, otherwise they recommend the full GPL.
Document (includes E-Learning, presentations, books etc.)
CC-BY-SA (newest version as of 2016 is 4.0)

The "Creative Commons Attribution-ShareAlike" is like the GPL, but for documents.
CC-BY (newest version as of 2016 is 4.0)

The "Creative Commons Attribution" is like the Apache License, but for documents.

Project Release

  • As your project reaches a point that you'd like OWASP to assist in its promotion, the OWASP Global Projects Committee will need the following to help spread the word about your project:
  1. Conference style presentation that describes the tool/document in at least 3 slides,
  2. Project Flyer/Pamphlet (PDF file),

  • If possible, get also the following information together:


  1. Release Name,
  2. Release Description,
  3. Release Downloadable file link
  4. Release Leader,
  5. Release Contributor(s),
  6. Release Reviewer,
  7. Release Sponsor(s) (if any),
  8. Release Notes
  9. Release Main Links (if any),

  • Note: For Project/Release Leader, Contributors and Reviewers please create a wiki accounts and please send the links off. See Tutorial and here how to do it and here an example of how it will be used.

  • To get your project started, fill out the new project form. We'll review the information and get you set up with a project wiki page, a mailing list, and subscribe you to the OWASP-Leaders list. You'll be part of setting OWASP's direction!

Project Forms

Project Transition Application

Project Review Request

Project Donation Application

Project Adoption Request

Project Abandonment Request

Incubator Project Graduation Application

Contact the Global Projects Division

New Project Application