[Owasp-leaders] RFC: Assessment Criteria v2 in pictures

Calderon, Juan Carlos (GE, Corporate, consultant) juan.calderon at ge.com
Fri Oct 30 17:07:31 EDT 2009

I have a few doubts on the applicability of the criteria for
"multi-deliverable" or no-deliverable (like language) projects, as this
is the type of project I am leading. I hope you can help me understand
how I could promote them to level 3.
Example 1: Classic ASP Security Project. We have 2 major deliverables:
1) Stinger Project ver 1.0, which is release level as it is
auto-documented and includes examples in the downloadable file, and
2) ESAPI for Classic ASP, which is Beta level, lacks documentation and
has some well-known issues in Windows XP. What would be the level
applicable for this project, the lowest? If so, by removing ESAPI for
Classic ASP, would it automatically reach level 2 due to Stinger?
Example 2: Spanish Internationalization project. There are no external
deliverables, no book, no document, no tool. There are only guidelines
and advice on creating language projects for OWASP; there is no
intention of making the documents impact the industry. Would this be a
forever level 1 project?
Juan Carlos


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Pravir
Sent: Friday, 30 October 2009 12:16 p.m.
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] RFC: Assessment Criteria v2 in pictures

Hey Everyone. 

The Global Projects Committee had established version 2 of the
Assessment Criteria a while back, but there was still a lot of confusion
about what we were asking for at various stages and what it all meant. I
can personally assure everyone that we're trying our best to NOT make a
confusing bureaucratic process, but the perception might have been that
way in the past.

So, to try to help address this problem, the GPC and I put together
some diagrams to reflect the requirements of the new assessment
criteria. They're attached... as much as I hate to spam graphic
attachments to everyone, I'm doing it anyway since it's more likely
you'll look at them if it's fewer clicks :)

Take a look at the "Summary" one first. We would love to hear your
feedback on these. Namely,
 * Is it clear how we are separating a project's rating from the
individual releases the project makes? If not, what is confusing?
 * Do you understand what is required to advance a project's rating? If
not, what's missing?
 * Do you know how to apply the release criteria to your project? Is the
review process for alpha/beta/stable clear? If not, why?

We ultimately want to have a clarifying wiki page for each 'box' on the
Project Criteria and Release Criteria diagram, but we thought we'd get
this out to the leaders list to get your insight on improvements first.

Thanks, and we hope to hear back! (you can just reply to this list and
not bother CC'ing the GPC list since we're all on this one too)
