[Owasp-leaders] RFC: Assessment Criteria v2 in pictures

Pravir Chandra chandra at owasp.org
Tue Nov 3 16:26:49 EST 2009

I definitely like the idea since it's a lot more well-defined than what we
had originally thought of as "activities & research". I see the clear
distinction as being a project that cross-cuts all other projects vs. a
project that is actually a meta-collection of other projects based on a
specific topic.

For the first group, I like the name "Infrastructure Project" since that
would contain all the language projects as well as things like the Book
Cover project. Criteria for rating such a project could be kept in sync with
the projects that are cross-cut. For instance, the Spanish Language project
would be at level 2 if there was a translation for all the level 2 projects.
Nice and simple.

For the second group, I propose the name "Project Family" and I also propose
that we don't rate them at all. Let's make it easy for Project Families to
pop up so that way, we have some "folksonomy" structure, i.e. 'tagging',
that occurs above the project level so that we can being to group and play
with the large number of projects out there. Trying to rate such projects
would be difficult and error-prone and discourage people from making such
logical relationships. Beyond the obvious examples of an "OWASP Guides
Family" or an "ESAPI Family", we could even make some like a "CISO Family"
or "Architect Family" to start improving project usability off the bat.

What do you guys think?


On Tue, Nov 3, 2009 at 1:06 PM, Juan Carlos Calderon Rojas <
juan.calderon at softtek.com> wrote:

>  Matt and Pravir
> I think the "umbrella" or "concentrator" project figure might be defined,
> either as :
> 1) Categories (anyway current projects are categories in MediaWiki). Ther
> would be a category for ESAPI and a project for each implementation. Or
> 2) ESAPI will be the project and technology specific implementations would
> be treated as flavors or releases but under the existent project, not as
> individual projects. I guess this model is not really good for they way
> OWASP currently works on having anyone participate.
> I agree with Jeff that Internationalization and Language projects might be
> considered "Infrastructure" or I would say "staff" projects (maintenace of
> Wiki should be a project don't you think?).
> So we have 2 more "Project Types"?, concentrator and staff?.
> Regards,
>  *Juan Carlos *
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Matt Tesauro
> Sent: Lunes, 02 de Noviembre de 2009 02:58 p.m.
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] RFC: Assessment Criteria v2 in pictures
> Juan - sorry for the delayed reply.  AppSec Brazil kept me busy last
> week.
> When I was drafting the Acceptance Criteria (ACv2), I realized that
> there would be some projects that don't fall easily into either the
> 'tools' or 'documentation' buckets.  To handle this situation, I created
> a third category called "Research and Activities"
> http://www.owasp.org/index.php/Research_and_Activities_Criteria
> For these projects, we talked about using a subset of both the
> documentation & tool assessment criteria to evaluate those project's
> releases.  What that subset was would be determined by the project in
> question.  Hopefully, for things like translation, we can use the first
> language's project as a template for any other languages that follow.
> My thinking was that it was better to have this category and sort those
> out on a case-by-case basis then try and make ACv2 abstract enough to
> handle all situations.  OWASP ESAPI is another example of a project in
> this category - an umbrella project to be specific.
> However, the above is all about project _releases_.  The level business
> is about project health. We've not worked out the details for project
> health:
> http://www.owasp.org/index.php/Assessing_Project_Health
> and that is still in 'draft' status.  However, with input like yours,
> we're much more likely to handle the _all_ projects so thanks for
> raising the concerns below.
> Hope that helps clarify what the GPC was thinking.  If I've left
> something out or missed something, please let me know.
> -
> -- Matt Tesauro
> OWASP Live CD Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> On Fri, 2009-10-30 at 17:07 -0400, Calderon, Juan Carlos (GE, Corporate,
> consultant) wrote:
> > I have a few doubts on the applicability of the criteria for
> > "multi-deliverable" or no deliverable (like language) projects as this
> > is the type of project I am leading. I hope you can help me understand
> > how I could promote them to level 3.
> >
> > Example 1: Classic ASP Security Project, We have 2 major deliverables,
> > 1) Stinger Project ver 1.0 that is release level as it is auto
> > documented and include examples in downloadable file. and ESAPI for
> > classic ASP that is Beta level, lacks documentation and has some well
> > know issues in Windows XP. What would be the level applicable for this
> > project, the lowest? if so by removing ESAPI for Classic ASP it will
> > automatically reach level 2 due to Stinger?.
> >
> > Example 2: Spanish Internationalization project. There is no external
> > deliverables, no book, no document, no tool. But only guidelines and
> > advice on creating language projects for OWASP, there is no intention
> > of making the documents impact the industry, would this be a forever
> > level 1 project?.
> >
> > Regards,
> > Juan Carlos
> >
> >
> > ______________________________________________________________________
> > From: owasp-leaders-bounces at lists.owasp.org
> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Pravir
> > Chandra
> > Sent: Viernes, 30 de Octubre de 2009 12:16 p.m.
> > To: owasp-leaders at lists.owasp.org
> > Subject: [Owasp-leaders] RFC: Assessment Criteria v2 in pictures
> >
> >
> >
> > Hey Everyone.
> >
> >
> > The Global Projects Committee had established version 2 of the
> > Assessment Criteria awhile back, but there was still a lot of
> > confusion about what we were asking for at various stages and what it
> > all meant. I can personally assure everyone that we're trying our best
> > to NOT make a confusing bureaucratic process, but the perception might
> > have been that way in the past.
> >
> >
> > So, to try to help address this problem, myself and the GPC put
> > together some diagrams to reflect the requirements of the new
> > assessment criteria. They're attached... as much as I hate to spam
> > graphic attachments to everyone, I'm doing it anyway since it's more
> > likely you'll look at them if it's less clicks :)
> >
> >
> > Take a look at the "Summary" one first. We would love to hear your
> > feedback on these. Namely,
> >  * Is it clear how we are separating a project's rating from the
> > individual releases the project makes? If not, what is confusing?
> >  * Do you understand what is required to advance a project's rating?
> > If not, what's missing?
> >  * Do you know how to apply the release criteria to your project? Is
> > the review process for alpha/beta/stable clear? If not, why?
> >
> >
> > We ultimately want to have a clarifying wiki page for each 'box' on
> > the Project Criteria and Release Criteria diagram, but we thought we'd
> > get this out to the leaders list to get your insight on improvements
> > first.
> >
> >
> > Thanks, and we hope to hear back! (you can just reply to this list and
> > not bother CC'ing the GPC list since we're all on this one too)
> >
> >
> > p.
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20091103/cca14109/attachment-0001.html 

More information about the OWASP-Leaders mailing list