- Starting a New Project
- Project Assessments
- Project Database
- Marketing Materials
- Sponsorships and Donations
- Project Press Center
- PM Information
- Global Project Committee
- Contact US
So you want to start a project...
Starting an OWASP Project is easy. You don't have to be an application security expert. You just have to have the drive and desire to make a contribution to the application security community.
Here are some of the guidelines for running a successful OWASP project:
- The best OWASP projects are strategic - they make it easier to produce secure applications by filling a gap in the application security knowledge-base or technology support.
- You can run a single person project, but it's usually best to get the community involved. You should be prepared to support a mailing list, build a team, speak at conferences, and promote your project.
- You can contribute existing documents or tools to OWASP! Assuming you have the intellectual property rights to a work, you can open it to the world as an OWASP Project. Please coordinate this with OWASP by contacting owasp(at)owasp.org.
- Available Grants to consider if you need funding - Click Here
- You should promote your project through the OWASP channels as well as by outside means. Get people to blog about it!
Creating a new project
- Get the following information together:
A - PROJECT
- Project Name,
- Project purpose / overview,
- Project Roadmap,
- Project links (if any) to external sites,
- Project License,
- Project Leader name,
- Project Leader email address,
- Project Leader wiki account - the username (you'll need this to edit the wiki),
- Project Contributor(s) (if any) - name email and wiki account (if any),
- Project Main Links (if any).
OWASP Recommended Licenses
|Allow commercial uses of your work?|
|Allow modifications of your work?|
|Yes, no restriction except attribution||Yes, as long as modification are also opensource||No|
(fewest restrictions, even allowing proprietary modifications and proprietary forks of your project, and more up-to-date than BSD license)
(requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)
|Sorry, such licenses are not opensource and are not eligible to become an OWASP Sponsored Project. If this is really what you want, consider using CC-BY-ND or CC-BY-NC-ND. See http://creativecommons.org/choose for more information and note that they label these two license as "not a Free Culture License"|
(prevents GPL's SaaS loophole)
|Library Project||LGPL 3.0
(similar to GPL but modified for use with libraries that may be called by other proprietary programs)
|Document Project (includes E-Learning, presos, books, etc)||CC-BY 3.0|
(like Apache but for documents)
(like GPL but for documents. Alternately you can use GFDL, but projects like Debian and Ubuntu don't accept it)
- As your project reaches a point that you'd like OWASP to assist in its promotion, the OWASP Global Projects Committee will need the following to help spread the word about your project:
- Conference style presentation that describes the tool/document in at least 3 slides,
- Project Flyer/Pamphlet (PDF file),
- If possible, get also the following information together:
B – FIRST RELEASE
- Release Name,
- Release Description,
- Release Downloadable file link
- Release Leader,
- Release Contributor(s),
- Release Reviewer,
- Release Sponsor(s) (if any),
- Release Notes
- Release Main Links (if any),
- Note: For Project/Release Leader, Contributors and Reviewers please create a wiki accounts and please send the links off. See Tutorial and here how to do it and here an example of how it will be used.
- To get your project started, fill out the new project form. We'll review the information and get you set up with a project wiki page, a mailing list, and subscribe you to the OWASP-Leaders list. You'll be part of setting OWASP's direction!
- Check out the Guidelines for OWASP Projects.
These forms were created to help project leaders, and those interested in a going through a process in the OWASP projects infrastrucutre. They faciliate the management of each query based on the specific task an applicant will need help with. The forms are described below, and they are linked with their designated online application form.
- Project Transition Application:The OWASP project transition form gives current project leaders an easy way of handing over project administration information to individuals wishing to take over a project.
- Project Review Application:This form is for current project leaders to request a review of their project based on OWASP graduation criteria. The aim is to designate an OWASP volunteer to review these projects within 3 months time.
- Project Donation Application:This form is for projects outside of the OWASP project infrastructure. Project Leaders for these open source projects can choose to partner or give their project to OWASP directly through this form.
- Project Adoption Request:This form is used when someone is interested in adopting an archived project.
- Project Abandonment Request:The OWASP project abandonment form gives current project leaders an easy way of letting the OWASP Foundation know that they wish to resign their project leader duties. This form should be used when no replacement project leader exists to take over these duties.
- Incubator Project Graduation Application:This application form is for Incubator Projects to apply for Labs Project status.
If you have any questions, please do not hesitate to contact the
OWASP Project Manager, Samantha Groves.
OWASP Project Lifecycle
The OWASP Projects Lifecycle represents a balance between keeping a very loose structure around OWASP projects, and ensuring that OWASP consumers are not confused about a project’s maturity and quality.
The lifecycle stage allows consumers to easily identify mature projects, and projects that are proofs of concept, experimental, and classified as prototypes in their current state. The greater the maturity of the project, the greater the level of responsibility for the project leader. These responsibilities are not trivial as OWASP provides incentives and benefits (Section 7) for projects who take on these added responsibilities.
The OWASP Project Lifecycle is broken down into the following stages:
Incubator Projects: OWASP Incubator projects represent the experimental playground where projects are still being designed, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity; morevoer, the label allows project leaders to leverage the OWASP name while their project is still maturing.
OWASP Incubator projects are given a place on the OWASP Projects Portal to leverage the organisation’s infrastructure, and establish their presence and project history.
Labs Projects: OWASP Labs projects represent projects that have produced a deliverable of significant value. Leaders of OWASP Labs projects are expected to stand behind the quality of their projects as these projects have matured to the point where they are accepted by a significant portion of the OWASP community. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are ready for mainstream usage.
OWASP Labs Projects are meant to be the collection of established projects that have gained community support and acclaim by undergoing the project review process.
OWASP Project Stage Benefits
This section outlines the benefits of starting an OWASP project, and the benefits of being at each different stage in the projects lifecycle. In my short time here at OWASP as the PM, I have had several potential project leaders ask me what the benefits are of starting their project with OWASP. Below is my proposal for each Stage’s benefits.
- Financial Donation Management Assistance
- Project Review Support
- WASPY Awards Nominations
- OWASP OSS and OPT Participation
- Opportunity to submit proposal: $500 for Development.
- Community Engagement and Support
- Recognition and visibility of being associated with the OWASP Brand.
- All benefits given to Incubator Projects
- Technical Writing Support
- Graphic Design Support
- Project Promotion Support
- OWASP OSS and OPT: Preference
- All benefits given to Incubator & Labs Projects
- Grant finding and proposal writing help
- Yearly marketing plan development
- OWASP OSS and OPT participation preference
For more detailed information on OWASP Project Stage Benefits, please see the 2013 Project Handbook.
OWASP Project Graduation
The Project Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs. In order to be considered for OWASP Labs, an Incubator project must have submitted an OWASP reviewed deliverable, and obtained at least two (2) positive responses for each of the core criteria project health questions.
The review centers around the following core questions. Each core question has three (3) specific questions made up of binary queries. A project must receive at least two (2) positive responses from each reviewer in two of the binary questions, to warrant a postive response for the core question. Each core question must recieve a positive response from both project reviewers to pass the Project Health Assessment for Incubator Projects.
OWASP Project Health Assessment
The Project Health Assessment is an optional process undertaken at the request of a project leader when he/she applies for Project Graduation The purpose of this assessment is to determine whether a project meets the minimum criteria of an OWASP Project outlined in the Project Health Assessment Criteria Document. If a project passes the assessment, it then becomes eligible to graduate into the OWASP Labs Project stage. In order to be considered for OWASP Labs, an Incubator project must have submitted an OWASP reviewed deliverable, and obtained at least two (2) positive responses for each of the core criteria project health questions.
OWASP Project Deliverable/Release Assessment
The Project Deliverable/Release Review is an optional process undertaken at the request of a project leader using the Project Deliverable Review Form. The purpose of this process is to review a project’s progress, and to make sure the project is heading in the right direction based on the roadmap they provided at project inception.
Reviews must be performed by two (2) OWASP Chapter or Project Leaders, and their review must answer affirmatively to at least the first two (2) core Project Deliverable/Release Review questions. A project must pass the OWASP Project Deliverable/Release Assessment in order to graduate into the OWASP Labs Project stage.
The OWASP Flagship designation is given to projects that have demonstrated superior maturity, established quality, and strategic value to OWASP and application security as a whole. OWASP Flagship projects represent projects that are not only mature, but are also projects that OWASP as an organization provides direct support to maintaining.
- OWASP CSRFGuard Project
- OWASP Web Testing Environment Project
- OWASP WebGoat Project
- OWASP Zed Attack Proxy
- OWASP Application Security Verification Standard Project
- OWASP Code Review Guide Project
- OWASP Codes of Conduct
- OWASP Development Guide Project
- OWASP Secure Coding Practices - Quick Reference Guide
- OWASP Software Assurance Maturity Model (SAMM)
- OWASP Testing Guide Project
- OWASP Top Ten Project
OWASP Labs projects represent projects that have produced a deliverable of value. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are at least ready for mainstream usage.
- OWASP Broken Web Applications Project
- OWASP CSRFTester Project
- OWASP EnDe Project
- OWASP Fiddler Addons for Security Testing Project
- OWASP Forward Exploit Tool Project
- OWASP Hackademic Challenges Project
- OWASP Hatkit Datafiddler Project
- OWASP HTTP POST Tool
- OWASP Java XML Templates Project
- OWASP Joomla Vulnerability Scanner Project
- OWASP LAPSE Project
- OWASP Mantra Security Framework
- OWASP Mutillidae Project
- OWASP O2 Platform
- OWASP Orizon Project
- OWASP Scrubbr
- OWASP Security Assurance Testing of Virtual Worlds Project
- OWASP SWAAT Project
- OWASP Vicnum Project
- OWASP Wapiti Project
- OWASP Web Browser Testing System Project
- OWASP WebScarab Project
- OWASP Webslayer Project
- OWASP WSFuzzer Project
- OWASP Yasca Project
- OWASP AppSec Tutorial Series
- OWASP AppSensor Project
- OWASP Cloud ‐ 10 Project
- OWASP CTF Project
- OWASP Fuzzing Code Database
- OWASP Legal Project
- OWASP Podcast Project
- OWASP Secure Web Application Framework Manifesto
- Virtual Patching Best Practices
OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity. The label also allows project leaders to leverage the OWASP name while their project is still maturing.
- OWASP Secure the Flag Project
- OWASP OPA
- OWASP Alchemist Project
- OWASP ESOP Framework
- OWASP Java Encoder Project
- OWASP Passfault
- OWASP OctoMS
- OWASP Java Uncertain Form Submit Prevention
- OWASP Ecuador
- OWASP AW00t
- OWASP ONYX
- OWASP WhatTheFuzz Project
- OWASP Security Tools for Developers Project
- OWASP SIMBA Project
- OWASP VFW Project
- OWASP OVAL Content Project
- OWASP WAF Project
- OWASP NAXSI Project
- OWASP Passw3rd Project
- OWASP File Hash Repository
- OWASP WebGoat.NET
- OWASP AJAX Crawling Tool
- OWASP OWTF
- OWASP Path Traverser
- OWASP Watiqay
- OWASP Security Shepherd
- OWASP Xenotix XSS Exploit Framework
- OWASP Mantra OS
- OWASP XSSER
- OWASP Academy Portal Project
- OWASP ASIDE Project
- OWASP Browser Security ACID Test Project
- OWASP iGoat Project
- OWASP Java HTML Sanitizer Project
- OWASP Proxy Project
- OWASP Data Exchange Format Project
- OWASP Cheat Sheets Project
- OWASP Proactive Controls
- OWASP Java/J2EE Secure Development Curriculum
- OWASP Crossword of the Month
- OWASP Secure Password Project
- OWASP Security Baseline Project
- OWASP Software Security Assurance Process
- OWASP Threat Modeling Project
- OWASP Web Application Security Accessibility Project
- OWASP Application Security Requirements Project
- OWASP Common Numbering Project
- OWASP Favicon Database Project
- OWASP Application Security Assessment Standards Project
- OWASP Application Security Program for Managers
- OWASP Application Security Skills Assessment
- OWASP Browser Security Project
- OWASP Computer Based Training Project (OWASP CBT Project)
- OWASP Enterprise Application Security Project
- OWASP Exams Project
- OWASP GoatDroid Project
- OWASP Myth Breakers Project
- OWASP Project Partnership Model
- OWASP Request For Proposal
OWASP Archived Projects are inactive Labs projects. If you are interested in pursuing any of the projects below, please contact us and let us know of your interest.
- OWASP Access Control Rules Tester Project
- OWASP Application Security Metrics Project
- OWASP AppSec FAQ Project
- OWASP ASDR Project
- OWASP Backend Security Project
- OWASP Best Practices: Use of Web Application Firewalls
- OWASP CAL9000 Project
- OWASP CLASP Project
- OWASP CodeCrawler Project
- OWASP Content Validation using Java Annotations Project
- OWASP DirBuster Project
- OWASP Encoding Project
- OWASP Google Hacking Project
- OWASP Insecure Web App Project
- OWASP Interceptor Project
- OWASP JSP Testing Tool Project
- OWASP LiveCD Education Project
- OWASP Logging Guide
- OWASP NetBouncer Project
- OWASP OpenPGP Extensions for HTTP - Enigform and mod_openpgp Project
- OWASP OpenSign Server Project
- OWASP Pantera Web Assessment Studio Project
- OWASP PHP Project
- OWASP Report Generator
- OWASP Ruby on Rails Security Guide V2
- OWASP Scholastic Application Security Assessment Project
- OWASP Security Analysis of Core J2EE Design Patterns Project
- OWASP Security Spending Benchmarks Project
- OWASP Site Generator Project
- OWASP Skavenger Project
- OWASP Source Code Flaws Top 10 Project
- OWASP Sprajax Project
- OWASP Sqlibench Project
- OWASP sqliX Project
- OWASP Stinger Project
- OWASP Teachable Static Analysis Workbench Project
- OWASP Tiger
- OWASP Tools Project
- OWASP Uniform Reporting Guidelines
- OWASP Webekci Project
OWASP stands for informed security decisions based on a solid, comprehensive understanding of the business risk associated with an application. OWASP's philosophy is that achieving security involves all parts of an organization, including people, process, and technology. We support the use of our brand consistent with this philosophy. However, we cannot allow the use of our brand when it implies something inconsistent with OWASP's comprehensive and balanced approach to application security. Therefore, we have defined these brand usage rules to clarify appropriate and inappropriate uses of the OWASP brand, including our name, domain, logos, project names, and other trademarks.
Brand Usage Rules
The following rules make reference to all OWASP marketing and graphic materials. This refers to any tools, documentation, or other content from OWASP. The rules also make reference to "OWASP Published Standards" which are currently in the process of being developed and released. Currently there are no OWASP Published Standards.
- The OWASP Brand may be used to direct people to the OWASP website for information about application security.
- The OWASP Brand may be used in commentary about the materials found on the OWASP website.
- The OWASP Brand may be used by OWASP Members in good standing to promote a person or company's involvement in OWASP.
- The OWASP Brand may be used in association with an application security assessment only if a complete and detailed methodology, sufficient to reproduce the results, is disclosed.
- The OWASP Brand must not be used in a manner that suggests that The OWASP Foundation supports, advocates, or recommends any particular product or technology.
- The OWASP Brand must not be used in a manner that suggests that a product or technology is compliant with any OWASP Materials other than an OWASP Published Standard.
- The OWASP Brand must not be used in a manner that suggests that a product or technology can enable compliance with any OWASP Materials other than an OWASP Published Standard.
- The OWASP Brand must not be used in any materials that could mislead readers by narrowly interpreting a broad application security category. For example, a vendor product that can find or protect against forced browsing must not claim that they address all of the access control category.
- The OWASP Brand may be used by special arrangement with The OWASP Foundation.
- OWASP Logo Toolbox: This includes all of OWASP's logo image files in various formats.
- OWASP Business Card Templates: This includes the front and back PSD files for the OWASP Business Card.
- Submit your application using the [https://spreadsheets.google.com/a/owasp.org/spreadsheet/viewform?formkey=dF85bGtvdWdrd2JjYldNZ1gxSkJxaEE6MQ
OWASP Merchandise Request Form].
- OWASP Flyer
- OWASP 2012 Standard Print Ad
- OWASP 2012 A4 Print Ready Ad
- OWASP 2012 A4-2 Print Ready Ad
These slides are presented at Global AppSec Conferences by the Global Board to provide a high level overview of OWASP and to highlight some of the key initiatives at a Global level. This can be presented in its current form at OWASP Chapter meetings to enable a clarification of the mission and purpose of the local chapter. This can also be used or sent to the press/media when looking for an "overview of owasp".
The OWASP press is a pattern for massive community collaboration on OWASP documentation projects with just-in-time publication. Visit the OWASP Press Page for more information.
OWASP Projects Dictionary
OWASP Project Lifecycle:
- OWASP Project Lifecycle
- Incubator Project
- Labs Project
- Flagship Project
- Project Benefits
OWASP Project Reviews:
- Project Reviews
- Project Reviewer Pool
- Project Graduation
- Project Health
- Project Health Assessment
- Project Release
- Project Deliverable
- Project Deliverable/Release Review
OWASP Project Processes:
- Project Processes
- Project Inception Process
- Project Donation Process
- Project Transition Process
- Project Abandonment Process
- Incubator Graduation Process
- New Project Application Process
Projects at Conferences:
- AppSec Conferences
- Open Source Showcase
- OWASP Project Track
OWASP Projects General:
- OWASP Code of Ethics
- OWASP Standards
- Community Friendly/Open Source Licenses
Donate to OWASP Projects Division
OWASP Projects, a global division of the OWASP Foundation, is run under the same world wide not-for-profit charitable status as all the foundation strategic groups. OWASP provides a platform for contributors to share their work while providing them with the project and community support they need throughout their project development. All OWASP Projects are run by volunteers and they rely on personal donations and sponsorship to continue their development. Donate to OWASP Projects, and we promise to spend your money wisely on open source initiatives.
This is how your money can help:
- $20 could help us spread the word on the importance of open source initiatives in the Application Security industry.
- $100 could help fund OWASP project demos at major conferences.
- $250 could help get our volunteer Project Leaders to speaking engagements.
OWASP Project Sponsors
Security Podcast with Jim Manico
|The OWASP foundation presents the OWASP PODCAST SERIES hosted and produced by Jim Manico. Listen as interviews are conducted with OWASP volunteers, industry experts and leaders within the field of software security. Visit the Podcast Page for more information.|
OWASP Appsec Tutorial Series with Jerry Hoff
|The OWASP AppSec Tutorial Series project provides a video based means of conveying complex application security concepts in an easily accessible and understandable way. Each video is approximately 5-10 minutes long and highlights one or more specific application security concepts, tools, or methodologies. The goal of the project is quite simple and yet quite audacious - provide top notch application security video based training... for free! Visit the Tutorial Series Page for more information.|
OWASP Global Projects Announcements
Open Source Project Track Opportunities at AppSec APAC 2013
The AppSec APAC conference organizers, in conjunction with the Global Projects Division, is pleased to announce a Call for Entries for the OWASP Projects Track (OPT).
We are offering a limited number of speaking opportunities to open source projects this year, as well as FREE conference admission for the representatives of the chosen projects. We would like to invite ALL open source projects to apply.
For an opportunity to present your open source project through the OPT at AppSec APAC 2013, please submit your application using the OSPT APAC 2013 Application.
OPT Applications are due: December 28, 2012
February 19-22, 2013
All OPT Talks will be held between February 21-22, 2013.
Hyatt Regency Jeju
Samantha Groves: OWASP Project Manager
GPC Meeting Reports
- GPC Meeting: August 24 2012 Project Manager Report
- GPC Meeting: September 07 2012 Project Manager Report
- GPC Meeting: September 14 2012 Project Manager Report
- GPC Meeting: September 21 2012 Project Manager Report
- GPC Meeting: September 28 2012 Project Manager Report
- GPC Meeting: October 05 2012 Project Manager Report
- GPC Meeting: October 12 2012 Project Manager Report
- GPC Meeting: October 19 2012 Project Manager Report
- GPC Meeting: November 09 2012 Project Manager Report
- GPC Meeting: November 16 2012 Project Manager Report
- GPC Meeting: November 30 2012 Project Manager Report
- GPC Meeting: December 07 2012 Project Manager Report
- GPC Meeting: December 14 2012 Project Manager Report
- GPC Meeting: December 21 2012 Project Manager Report
- GPC Meeting: December 27 2012 Project Manager Report
Board Meeting Reports
- Board Meeting: August 2012 Project Manager Report
- Board Meeting: September 2012 Project Manager Report
- Board Meeting: October 2012 Project Manager Report
- Board Meeting: November 2012 Project Manager Report
- Board Meeting: December 2012 Project Manager Report
Project Manger's Quarterly Strategic Objectives
Goals and Objectives: 2012 Q4
- Identify and initiate 3 grant opportunities.
- Complete metadata for Salesforce import related to projects.
- Finalise and launch the Project database communication tool and webpage
- Complete the project lifecycle redesign
- Sort out levels and stages for projects.
- Determine and define landmarks for project advancement.
- Document release stages and reviewer participation.
- Update Project handbook
- Document process for project donation.
- Define and develop process for project advancement.
- Define and develop process for funding requests.
Contact the Project Manager
If you need any help with anything projects related, or if you simply need some more information, please do not hesitate to contact the OWASP Project Manager, Samantha Groves.
|Jason has led security architecture reviews, application security code reviews, penetration tests and provided web application security training services for a variety of commercial, financial, and government customers. He is also actively involved in the Open Web Application Security Project (OWASP), serving on the OWASP Global Projects Committee and as a co-author of the OWASP AntiSamy Project (Java version). Jason earned his Post-Master's degree in Computer Science with a concentration in Information Assurance from Johns Hopkins University. He earned his Master's degree in Computer Science from Cornell University, where he also earned his Bachelor's degree, double majoring in Computer Science and Operations Research.
Past conference presentations include:
| Over the years Keith has held a number of positions at The Boeing Company including: Application Security Assessments team leader, Team Leader for IT Security International Operations, Team Leader for Information and Supply Chain Security Assessments, engineering systems integrator, software developer and senior manufacturing engineer on the 747 airplane program.
He represented Boeing on the International Committee for Information Technology Standard's cyber security technical committee and served as a U.S. delegate to the ISO/IEC sub-committee on cyber security.
He is a member of the (ISC)2 Application Security Advisory Board, and the Director of the HPPV Northwest regional engineering competition.
You can see his OWASP project on secure coding practices here: http://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
The presentation on his OWASP project at AppSec USA 2010 can be found here: http://vimeo.com/17018329
You can see the video of his AppSec USA 2009 presentation on Building Security Assessment Teams here: http://vimeo.com/8989378
- Samantha Groves: OWASP Project Manager
Global Project Committee Members
- Jason Li: Acting Committee Chair
- Brad Causey: Committee Member
- Chris Schmidt: Committee Member
- Justin Searle: Committee Member
- Nishi Kumar: Committee Member
- Keith Turpin: Committee Member
If you need any help with anything projects related, or if you simply need some more information, please do not hesitate to contact the OWASP Project Manager, Samantha Groves.