[Owasp-leaders] RFC: Assessment Criteria v2 in pictures

Pravir Chandra chandra at owasp.org
Fri Oct 30 22:44:31 EDT 2009

These are great questions and precisely the reason we wanted to share
our thoughts. I have no idea what the right answers are, so what do
you think? I have the following initial thoughts:

For example 1, why wouldn't we just consider Stinger and ESAPI for
Classic ASP as two separate projects? If their only tie in is that
they are both related to Classic ASP, then maybe this makes the most
sense. Just a thought, though; what does everyone else think?

For example 2, that's much tougher. I really am not having any crisp
ideas on how to handle projects like this. What other projects fit
into this same category (leaders, speak up here!)? Clearly it doesn't
make sense to permanently brand the project as level 1, but is this a
unique project that needs an exception process (and perhaps all
language specific projects)? Perhaps we rate it in meta terms, i.e. if
all level 3 projects have been translated, then the language project
is level 3? Again, just throwing out ideas for comment.

Any others on the list with thoughts?


On 10/30/09, Calderon, Juan Carlos (GE, Corporate, consultant)
<juan.calderon at ge.com> wrote:
> I have a few doubts on the applicability of the criteria for
> "multi-deliverable" or no deliverable (like language) projects as this
> is the type of project I am leading. I hope you can help me understand
> how I could promote them to level 3.
> Example 1: Classic ASP Security Project. We have 2 major deliverables:
> 1) Stinger Project ver 1.0, which is release level as it is
> auto-documented and includes examples in a downloadable file, and
> 2) ESAPI for Classic ASP, which is Beta level, lacks documentation and
> has some well-known issues in Windows XP. What would be the level
> applicable for this project, the lowest? If so, by removing ESAPI for
> Classic ASP, would it automatically reach level 2 due to Stinger?
> Example 2: Spanish Internationalization project. There are no external
> deliverables, no book, no document, no tool, only guidelines and
> advice on creating language projects for OWASP. There is no intention of
> making the documents impact the industry; would this be a forever level
> 1 project?
> Regards,
> Juan Carlos
> ________________________________
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Pravir
> Chandra
> Sent: Friday, 30 October 2009 12:16 p.m.
> To: owasp-leaders at lists.owasp.org
> Subject: [Owasp-leaders] RFC: Assessment Criteria v2 in pictures
> Hey Everyone.
> The Global Projects Committee had established version 2 of the
> Assessment Criteria a while back, but there was still a lot of confusion
> about what we were asking for at various stages and what it all meant. I
> can personally assure everyone that we're trying our best to NOT make a
> confusing bureaucratic process, but the perception might have been that
> way in the past.
> So, to try to help address this problem, the GPC and I put together
> some diagrams to reflect the requirements of the new assessment
> criteria. They're attached... as much as I hate to spam graphic
> attachments to everyone, I'm doing it anyway since it's more likely
> you'll look at them if it's fewer clicks :)
> Take a look at the "Summary" one first. We would love to hear your
> feedback on these. Namely,
>  * Is it clear how we are separating a project's rating from the
> individual releases the project makes? If not, what is confusing?
>  * Do you understand what is required to advance a project's rating? If
> not, what's missing?
>  * Do you know how to apply the release criteria to your project? Is the
> review process for alpha/beta/stable clear? If not, why?
> We ultimately want to have a clarifying wiki page for each 'box' on the
> Project Criteria and Release Criteria diagram, but we thought we'd get
> this out to the leaders list to get your insight on improvements first.
> Thanks, and we hope to hear back! (you can just reply to this list and
> not bother CC'ing the GPC list since we're all on this one too)
> p.
