[GPC] New OWASP Project - OWASP Broken Web Applications (OWASPBWA)

Paulo Coimbra paulo.coimbra at owasp.org
Fri Jan 29 11:35:59 EST 2010

Hello Doug,

First of all, thank you for volunteering to lead an OWASP Project.  It is
with volunteers like yourself that OWASP continues to succeed in making
application security visible.

Second, regarding your new leadership of this project, I'd like to request
that you send a project roadmap - basically the high level details of where
you'd like to take the project.  The OWASP Global Projects Committee (GPC)
will look at the roadmap and provide feedback on your project:  suggesting
projects which are closely related, resources and contacts which may assist
your efforts and any other suggestions to increase your project's success.


To get your project started, here are a couple of references for your

 - The Guidelines for OWASP Projects provide a quick overview of items key
to a project's success -

 - OWASP's Assessment Criteria is the metric by which projects are
evaluated.  There are three categories for projects: Alpha, Beta, and
Release.  The Assessment Criteria allows project leaders to know what
aspects of projects OWASP values -


 - OWASP's GPC blog - http://globalprojectscommittee.wordpress.com/,

Your project will have an OWASP wiki page to inform and promote your project
to the OWASP community.  To set up your project's page, please provide the
details below so that the GPC can establish your initial project page.  The
details provided will be used to complete OWASP's project template.  Feel
free to add any additional information to the wiki page or request assistance
about how to add to your project's wiki page.

Details to create your project page:
(0) Project Name,
(1) Project purpose / overview,
(2) Project Roadmap (as mentioned above),
(3) Project links (if any) to external sites,
(4) Project License,
(5) Project Leader name,
(6) Project Leader email address,
(7) Project Leader wiki account - the username (you'll need this to edit the
(8) Project Maintainer (if any) - name, email and wiki account (if any),
(9) Project Contributor(s) (if any) - name, email and wiki account (if any),

As your project reaches a point that you'd like OWASP to assist in its
promotion, the GPC will need the following to help spread the word about
your project:

 * Conference style presentation describing the project in at least 3 slides

 * Project Flyer/Pamphlet (PDF file) -

As work on your project progresses and you are ready to create a release,
please let the GPC know of the change in status.  The GPC can work with you
to get your project assessed and moved up the OWASP quality ladder from
Alpha to Beta to Stable.  Every release does not require an assessment -
feel free to email the GPC if you are unsure about your project's
requirements.  For examples of projects at various quality levels, please
see the OWASP Project page -

That is all for now - I wish you and your project great success.  Thank you
for supporting OWASP's mission.

Should you have any questions or require any further information, please do
not hesitate to contact me. 

Many thanks, best regards,


Paulo Coimbra,

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager


From: Doug Wilson [mailto:doug.wilson at owasp.org] 
Sent: Thursday, 28 January 2010 21:19
To: Paulo Coimbra; Matt Tesauro; Pravir Chandra; bradcausey at gmail.com;
jason.li at aspectaecurity.com
Cc: Chuck Willis
Subject: Re: New OWASP Project - OWASP Broken Web Applications (OWASPBWA)


Hey folks (hopefully you all are still on the GPC, if not, sorry for
spamming you)

Just passing this along for comment -- sorry if I should have emailed the
GPC mailing list, but I thought I couldn't email it if I wasn't a member.

Is there any way that we can get some feedback on this? I have some edit
access to the wiki so I could populate a page if needed if it's given a "go

The reason that I am asking is that Chuck just presented on this at DoD
Cybercrime, and I'm going to be presenting on it at Shmoocon next week --
we'd love to be able to give out an actual OWASP URL for the project, rather
than say that we hope to have it be a project in the near future.

Please let us know if you need any more info or have any other questions.



On Thu, Jan 14, 2010 at 9:18 PM, Chuck Willis <chuck at securityfoundry.com>

Hello Paulo,

  I would like to establish a new OWASP project called OWASP Broken
Web Applications.  In short, this is a VM of vulnerable web
applications that can be easily deployed for learning, testing, etc.  It
includes OWASP Vicnum and OWASP WebGoat, along with some other open
source projects from other sources.

  I have released version 0.9 at the OWASP AppSec DC conference, but
it hasn't gotten a lot of activity yet.  I'm hoping that getting
established as an official OWASP project with a web page on OWASP.org
will help in that regard.

  Below is the information that is requested for new projects on the
OWASP wiki:


  1. Project Name - OWASP Broken Web Applications
  2. Project Purpose - a collection of vulnerable web applications
that is distributed on a Virtual Machine
  3. Project License - Any custom code / modifications are GPLv2, but
this does not override the license of each individual software package
we incorporate.  All software is open source.
  4. Project Leader - Chuck Willis, chuck at securityfoundry.com,
  5. Project Maintainer - Not sure what this means vs the Leader
  6. Project Contributor(s) - Doug Wilson, doug.wilson at owasp.org,
  7. Conference style presentation that describes the tool in at
least 3 slides - I spoke on this project at the OWASP AppSec DC
Conference in 2009.  Slides are available at
  8. Project Flyer/Pamphlet (PDF file) - I don't have this yet, but
we can create one if necessary.
  9. Project Roadmap - We have released version 0.9 and we have two
main efforts underway.  First I plan to document some of the existing
vulnerabilities that are in the VM so far.  Second, I have additional
vulnerable applications that I am looking to add.  I expect a 1.0
release in the middle of 2010.  Version 0.9 is entirely usable, it
just doesn't have a whole lot of applications on it (see list at
 10. Project main links - Main site for the project is on Google Code
at http://code.google.com/p/owaspbwa/. (though the code is not
currently in their SVN repository, but it is all on the VM that is
available for download).  We have a Google Group as well at
http://groups.google.com/group/owaspbwa (I'd rather use that than a
traditional OWASP mailing list unless a mailing list is required to be
an official OWASP project)

  One thing not asked about there is Sponsorship.  Doug and I both
work for Mandiant and they are sponsoring some of our work on this.
I'd like to include a link to the Mandiant home page
(www.mandiant.com) on the project page if possible.

  Please let me know if you need any other information.  We are
looking forward to getting OWASPBWA into the official OWASP fold!


Doug Wilson



OWASP DC Chapter Co-Chair


AppSec US 09 Organizer

