[Owasp-leaders] RFC: Assessment Criteria v2 in pictures

Matt Tesauro mtesauro at gmail.com
Mon Nov 2 15:58:03 EST 2009

Juan - sorry for the delayed reply.  AppSec Brazil kept me busy last

When I was drafting the Acceptance Criteria (ACv2), I realized that
there would be some projects that don't fall easily into either the
'tools' or 'documentation' buckets.  To handle this situation, I created
a third category called "Research and Activities"


For these projects, we talked about using a subset of both the
documentation & tool assessment criteria to evaluate those projects'
releases.  What that subset was would be determined by the project in
question.  Hopefully, for things like translation, we can use the first
language's project as a template for any other languages that follow.

My thinking was that it was better to have this category and sort those
out on a case-by-case basis than try and make ACv2 abstract enough to
handle all situations.  OWASP ESAPI is another example of a project in
this category - an umbrella project to be specific.

However, the above is all about project _releases_.  The level business
is about project health. We've not worked out the details for project
and that is still in 'draft' status.  However, with input like yours,
we're much more likely to handle _all_ projects so thanks for
raising the concerns below.

Hope that helps clarify what the GPC was thinking.  If I've left
something out or missed something, please let me know.

-- Matt Tesauro
OWASP Live CD Project Lead
http://AppSecLive.org - Community and Download site

On Fri, 2009-10-30 at 17:07 -0400, Calderon, Juan Carlos (GE, Corporate,
consultant) wrote:
> I have a few doubts on the applicability of the criteria for
> "multi-deliverable" or no deliverable (like language) projects as this
> is the type of project I am leading. I hope you can help me understand
> how I could promote them to level 3.
> Example 1: Classic ASP Security Project. We have 2 major deliverables:
> 1) Stinger Project ver 1.0 that is release level as it is auto
> documented and includes examples in a downloadable file, and ESAPI for
> classic ASP that is Beta level, lacks documentation and has some well
> known issues in Windows XP. What would be the level applicable for this
> project, the lowest? If so, by removing ESAPI for Classic ASP it will
> automatically reach level 2 due to Stinger?
> Example 2: Spanish Internationalization project. There are no external
> deliverables, no book, no document, no tool. But only guidelines and
> advice on creating language projects for OWASP, there is no intention
> of making the documents impact the industry, would this be a forever
> level 1 project?
> Regards,
> Juan Carlos
> ______________________________________________________________________
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Pravir
> Chandra
> Sent: Friday, October 30, 2009 12:16 p.m.
> To: owasp-leaders at lists.owasp.org
> Subject: [Owasp-leaders] RFC: Assessment Criteria v2 in pictures
> Hey Everyone. 
> The Global Projects Committee had established version 2 of the
> Assessment Criteria a while back, but there was still a lot of
> confusion about what we were asking for at various stages and what it
> all meant. I can personally assure everyone that we're trying our best
> to NOT make a confusing bureaucratic process, but the perception might
> have been that way in the past.
> So, to try to help address this problem, myself and the GPC put
> together some diagrams to reflect the requirements of the new
> assessment criteria. They're attached... as much as I hate to spam
> graphic attachments to everyone, I'm doing it anyway since it's more
> likely you'll look at them if it's less clicks :)
> Take a look at the "Summary" one first. We would love to hear your
> feedback on these. Namely,
>  * Is it clear how we are separating a project's rating from the
> individual releases the project makes? If not, what is confusing?
>  * Do you understand what is required to advance a project's rating?
> If not, what's missing?
>  * Do you know how to apply the release criteria to your project? Is
> the review process for alpha/beta/stable clear? If not, why?
> We ultimately want to have a clarifying wiki page for each 'box' on
> the Project Criteria and Release Criteria diagram, but we thought we'd
> get this out to the leaders list to get your insight on improvements
> first.
> Thanks, and we hope to hear back! (you can just reply to this list and
> not bother CC'ing the GPC list since we're all on this one too)
> p.