OWASP Project Assessment Criteria


Project Health Criteria

Focus: To measure the health of the project.

Each core question is assessed through the criteria questions listed under it.

Core question: Is the project actively maintained?
  - Does the wiki template have the minimum standard wiki content available, and is it updated with releases?
  - Does the project have an active project leader? (Maintains the project site with news and release announcements, continually enhances the project, promotes the project in the security community, etc.)
  - Is the project being maintained with current operating systems and technology?
  - Does the project demonstrate progress to the community and verify that development is on track with the roadmap? (Roadmap content definition: the leader must have a roadmap that covers activity for the next year, or that contains no fewer than 4 milestones.)

Core question: Does it meet quality expectations?
  - Does the project have a relevant project summary that can be found on the OWASP Project wiki page?
  - Does the project have a good track record of resolving issues and answering questions from project consumers?
  - Does it address a security concern? (The leader must state which unique application security concern the project addresses.)
  - Does the project represent a minimal viable product? (Note: the minimal viable product must be defined by the leader at the start of the project.)

Core question: Does the project follow OWASP Project Best Practices, and is it consistent with OWASP Objectives and the Mission?
  - Does the project use an appropriate Community Friendly License?
  - Are project deliverables, information, and releases readily available and accessible to the public? (Note: this can be a link to the repository or a link to an external web site.)
  - Has the project designated who the copyright owner is?
  - Do the Project Leaders follow OWASP Project Best Practices as outlined in the Project Leader Handbook, Code of Ethics Section 8.3? Handbook: https://www.owasp.org/images/6/6a/OWASP_Projects_Handbook_2013.pdf
  - Do the project leaders and contributors treat everyone with respect and dignity? (Note: input from the community will be required, or use your best judgement.)
  - Is the project vendor neutral?
  - Does the project provide an innovative approach to address a concern within the software security community?
  - Does the project have one accepted OWASP reviewed deliverable on record within the new project's infrastructure?

Response:
  - Yes, and the project has a Stable release: Labs --> Flagship
  - Yes, and the project has a Beta or Stable release: Incubator --> Labs


Product Quality Review Criteria

Each release criteria question carries the number of points shown; the Response and Grading columns are filled in during the review.

Tool / Code Library Projects:
  1. Does the project leader identify the development stage a release is in (e.g., Alpha, Beta, Stable, etc.)? (5 points)
  2. Is the code tested using unit tests? (2 points)

  Bug Fixing:
  3. Is there a way for developers to ask questions or engage in discussions about the project? (5 points)
  4. Does the project maintain a prioritized list of open issues? (3 points)
  5. Can users report issues that are answered or prioritized and added to the list? (3 points)
  6. Have bugs been fixed during releases? (5 points)
  7. Does the project contain a clear 'release' document explaining the new features and fixes? (2 points)
  8. Does the project contain documentation on how to configure the source code in a certain IDE for new volunteer developers? (2 points)

  Overall:
  9. Does the project have an up-to-date source code repository that is accessible to the overall community? (5 points)
  10. Does it solve a core application security need? (3 points)
  11. Does the project include build scripts that facilitate building/adding to the application from source? (3 points)
  12. Does the project include appropriate documentation? (3 points)
  13. Are all text strings displayed to the end user loaded from a resource file, and is the appropriate language resource file used based on user settings (if available)? (5 points)

  Test Projects Only:
  14. Does this project have an easy to use installer (goal: fully automated installer) or a stand-alone executable version? (5 points)
  15. Is the tool/deliverable user friendly and easy to use? (3 points)

  Total Code/Tools Points: 54

Documentation Projects Only:
  1. Do the project leaders/contributors interact with readers and receive and reply to feedback on the project? (Usefulness of dialogue with readers) (10 points)
  2. Does the material help inform consumers about a security topic? (10 points)
  3. Does the project leader adapt the documentation based on the priorities, importance, and feedback gathered from reliable sources? (6 points)
  4. Is the documentation translated into at least two different languages? (4 points)

  Documentation:
  5. Is the English grammar correct and understandable, and does the content flow well? (6 points)
  6. Is the project product available for download on the OWASP Project wiki page? (4 points)

  Bonus Points (6-8 points):
  7. If this document is a candidate to publish as an OWASP book, is the document in a format which can be converted to an OWASP book? (6 points)
  8. Does the project sufficiently cover material with respect to the topic or process it is intended to cover? (8 points)

  Total Document Points: 54