OWASP 2014 Project Handbook OWASP Project Lifecycle

OWASP Project Lifecyle
Projects, along with Global Conferences and Local Chapters, are the cornerstone of the OWASP organization. We want to provide a fostering environment for new ideas and energetic Project Leaders; however, our global consumers depend on OWASP to provide dependable, quality projects. The OWASP Project Lifecycle represents a balance between keeping a very loose structure around OWASP Projects, and ensuring that OWASP consumers are not confused about a project’s maturity and quality. Our lifecycle stages allow consumers to easily identify mature projects, and projects that are proofs of concept, experimental, and classiﬁed as prototypes in their current state. The greater the maturity of the project, the greater the level of responsibility for the Project Leader. These responsibilities are not trivial as OWASP provides incentives and beneﬁts for projects who take on these added responsibilities. Each of these stages is described in greater detail in the sections that follow. The OWASP Project Lifecycle is broken down into the following stages:

OWASP Incubator Project Stage

OWASP Lab Project Stage

OWASP Flagship Project Stage

Incubator Projects
OWASP Incubator Projects represent the experimental playground where projects are still being designed, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity. The label gives Project Leaders the opportunity to leverage the OWASP brand name and resources while their project is still maturing. OWASP Incubator projects are given a place on the OWASP Projects Portal to leverage the organization's infrastructure, and establish their presence and project history.

Incubator Project Deliverables
Leaders of Incubator Projects are expected to produce a draft or development release as a downloadable ﬁle on the project page within twelve (12) months of project inception. As previously mentioned, OWASP believes in pursuing ideas in a fail-fast manner. In order to avoid an excess of stagnant projects that never mature, projects will not be permitted to linger in an undeveloped state beyond this time period. If a project has not produced at least a draft or development release, the project will be removed from the OWASP Projects Portal. If a Project Leader subsequently produces a completed release and wishes to re-associate with OWASP Projects, then that project can be returned to the OWASP Projects Portal as an Incubator Project. Once a Project Leader has completed at least one version of a concrete deliverable, the project is eligible for graduation into the OWASP Lab stage. Note that graduation to the OWASP Lab stage is optional, and a Project Leader that has completed at least one concrete deliverable may continue in the OWASP Incubator stage.

Lab Projects
OWASP Lab Projects represent projects that have produced a deliverable of signiﬁcant value. Leaders of OWASP Lab projects are expected to stand behind the quality of their project as these projects should have matured to the point where they are accepted by a signiﬁcant portion of the OWASP community. While these projects are typically not production ready, the OWASP community expects that an OWASP Lab Project Leader is producing deliverables that are ready for mainstream usage. OWASP Lab Projects are meant to be a collection of established projects that have gained community support and acclaim by undergoing the project review process. These reviews are part of the Incubator Graduation Process that is required to enter the OWASP Lab stage. To enter OWASP Lab, projects must be actively maintained, they must meet the OWASP Lab project standards, and they must seek to provide value to OWASP consumers. While projects that graduate to the OWASP Lab stage can remain there indeﬁnitely, project activity is a prominently featured piece of metadata on the Projects Portal. As a result, Projects without six months of project activity will be automatically tagged as inactive. Project Leaders are encouraged to maintain the level of excellence attributed to an OWASP Lab Project.

Flagship Projects
! The primary goal of the OWASP Flagship Project stage is to identify, highlight, and support mainstream OWASP Projects that make up a complete software security solution. Selection of Flagship Projects is driven by the OWASP Community, and eligible projects are selected from the OWASP Lab Project pool by the Technical Project Advisory Group. This selection process generally ensures that there is only one project of each type covering any particular security space. These projects are selected for their superior maturity, established quality, and strategic value to OWASP and software security as a whole. OWASP Flagship Projects represent projects that are not only mature, but are also projects that OWASP as an organization provides direct support to maintaining. The core mission of OWASP is to make application security visible and so as an organization, OWASP has a vested interest in the success of its Flagship Projects. Since Flagship Projects have such high visibility, these projects are expected to uphold the most stringent requirements of all OWASP Projects.

Selection for OWASP Flagship designation is by invitation only. A Lab Project Leader can present their case for why they think their project deserves Flagship status. However, there is no deterministic process to be designated a Flagship Project. There are no steps to be followed that guarantee Flagship status. This status is reserved for the strategic use of OWASP to identify a platform that supports the OWASP mission to improve the state of software security.