Assessment Criteria v2.0

This page is maintained by the Global Projects Committee to help assist Project Leaders with information about successfully running an OWASP Project. It will be updated from time to time, and changes will be discussed and announced on the OWASP-Leaders list.


OWASP created the project assessment criteria to define the quality levels for OWASP Projects with the purpose of evaluating all OWASP projects. The overall goal was to ensure that consistent quality levels are maintained by OWASP projects. This benefits both the external audience and those working on projects. The criteria allow the external audience to determine the quality of any OWASP project they are considering. For project members, they provide a method to measure the quality of their project in relation to other OWASP projects. Additionally, the criteria allow excellent contributions to be recognized and projects which need further work to be identified.

Currently, OWASP projects fall into three primary categories:

  • Tools
  • Documents
  • Activities and Research

The Tools and Documents categories are easily understood. The Activities and Research category is less obvious and is used for projects which either have multiple sub-projects or have project releases which fall into both the Tools and Documents categories. Thus, Activities and Research can be used for parent projects that cover multiple smaller sub-projects. Some examples will make this clearer:

    • Java
    • .Net
    • PHP
    • ...
  • OWASP Guides
    • Testing Guide
    • Development Guide
    • Code Review Guide
    • ASDR (Application Security Desk Reference)
  • OWASP OpenPGP Extensions for HTTP - Enigform and mod_openpgp

All existing projects and their current ratings are here. Any new OWASP project and its releases, as well as any new Season of Code project, will be assessed based on the criteria below. The goal is to eventually have all OWASP projects and releases, past and future, assessed under a version of these criteria. The initial set of assessment criteria was created for the OWASP Summer of Code 2008 and was designated version 1.0. The current version below was derived from version 1.0 and is version 2.0. Labelling any new criteria with a version number allows for graceful transitions should any criteria change.

Assessing a project

Any OWASP project will consist of two critical pieces:

  • the project's health
  • one or more project releases

Each of these pieces will have different methods by which it is reviewed.

People and Projects

Depending on the size and scope of a project, the roles below may be filled by separate parties, or a single individual may take on multiple roles. Roles vary in their level of involvement with the project, the areas of involvement, their lifespan with a project, etc.

  • Project Leader
  • Project Maintainer
  • Project Contributor
  • Project Reviewer
  • Project Mentor

Each role will be described in the next revision of this document --Mtesauro 16:09, 4 May 2009 (UTC)