[Owasp-leaders] RFC: Assessment Criteria v2 in pictures

Jeff Williams jeff.williams at owasp.org
Fri Oct 30 23:50:23 EDT 2009


Example 2 seems to me to be what I would call an infrastructure project for
our community. And they probably need to be rated on a different scale -
something related to how well they help us achieve our mission.

--Jeff


> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-
> bounces at lists.owasp.org] On Behalf Of Pravir Chandra
> Sent: Friday, October 30, 2009 10:45 PM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] RFC: Assessment Criteria v2 in pictures
> 
> These are great questions and precisely the reason we wanted to share
> our thoughts. I have no idea what the right answers are, so what do
> you think? I have the following initial thoughts:
> 
> For example 1, why wouldn't we just consider Stinger and ESAPI for
> Classic ASP as two separate projects? If their only tie-in is that
> they are both related to Classic ASP, then maybe this makes the most
> sense. Just a thought, though; what does everyone else think?
> 
> For example 2, that's much tougher. I really am not having any crisp
> ideas on how to handle projects like this. What other projects fit
> into this same category (leaders, speak up here!)? Clearly it doesn't
> make sense to permanently brand the project as level 1, but is this a
> unique project that needs an exception process (and perhaps all
> language specific projects)? Perhaps we rate it in meta terms, i.e. if
> all level 3 projects have been translated, then the language project
> is level 3? Again, just throwing out ideas for comment.
> 
> Any others on the list with thoughts?
> 
> p.
> 
> 
> On 10/30/09, Calderon, Juan Carlos (GE, Corporate, consultant)
> <juan.calderon at ge.com> wrote:
> > I have a few doubts on the applicability of the criteria for
> > "multi-deliverable" or no-deliverable (like language) projects, as this
> > is the type of project I am leading. I hope you can help me understand
> > how I could promote them to level 3.
> >
> > Example 1: Classic ASP Security Project. We have 2 major deliverables:
> > 1) Stinger Project ver 1.0, which is release level as it is auto-documented
> > and includes examples in the downloadable file, and 2) ESAPI for
> > Classic ASP, which is Beta level, lacks documentation and has some well
> > known issues in Windows XP. What would be the level applicable for this
> > project, the lowest? If so, by removing ESAPI for Classic ASP would it
> > automatically reach level 2 due to Stinger?
> >
> > Example 2: Spanish Internationalization project. There are no external
> > deliverables: no book, no document, no tool. There are only guidelines and
> > advice on creating language projects for OWASP; there is no intention of
> > making the documents impact the industry. Would this be a forever level
> > 1 project?
> >
> > Regards,
> > Juan Carlos
> >
> > ________________________________
> >
> > From: owasp-leaders-bounces at lists.owasp.org
> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Pravir
> > Chandra
> > Sent: Friday, 30 October 2009 12:16 p.m.
> > To: owasp-leaders at lists.owasp.org
> > Subject: [Owasp-leaders] RFC: Assessment Criteria v2 in pictures
> >
> >
> > Hey Everyone.
> >
> > The Global Projects Committee had established version 2 of the
> > Assessment Criteria a while back, but there was still a lot of confusion
> > about what we were asking for at various stages and what it all meant. I
> > can personally assure everyone that we're trying our best to NOT make a
> > confusing bureaucratic process, but the perception might have been that
> > way in the past.
> >
> > So, to try to help address this problem, the GPC and I put together
> > some diagrams to reflect the requirements of the new assessment
> > criteria. They're attached... as much as I hate to spam graphic
> > attachments to everyone, I'm doing it anyway since it's more likely
> > you'll look at them if it's fewer clicks :)
> >
> > Take a look at the "Summary" one first. We would love to hear your
> > feedback on these. Namely,
> >  * Is it clear how we are separating a project's rating from the
> > individual releases the project makes? If not, what is confusing?
> >  * Do you understand what is required to advance a project's rating? If
> > not, what's missing?
> >  * Do you know how to apply the release criteria to your project? Is the
> > review process for alpha/beta/stable clear? If not, why?
> >
> > We ultimately want to have a clarifying wiki page for each 'box' on the
> > Project Criteria and Release Criteria diagram, but we thought we'd get
> > this out to the leaders list to get your insight on improvements first.
> >
> > Thanks, and we hope to hear back! (You can just reply to this list and
> > not bother CC'ing the GPC list since we're all on this one too.)
> >
> > p.
> >
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders