This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Projects/Project Leader Cheat Sheet

Jump to: navigation, search

OWASP Projects


What is an OWASP Project?

An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. OWASP currently has over 141 active projects, and new project applications are submitted every week.

This is one of the most popular divisions of OWASP as it gives members an opportunity to freely test theories and ideas with the professional advice and support of the OWASP community. Every project has an associated mail list. You can view all the lists, examine their archives, and subscribe to any project by visiting the OWASP Project Mailing Lists page. For more information on OWASP Projects, please Download the OWASP Projects Handbook 2013.

Why should I start a project with OWASP?

As all project leaders are volunteers, OWASP recognizes the need for incentives for both the project leader and the project itself. There are standard resources made available to project leaders based on their project’s current maturity level. Aside from leveraging the OWASP brand, we can offer a number of benefits to an OWASP project leader for starting a project. These include: Financial Donation Management, Technical Writing Support, Graphic Design Support, Professional Project Review Support, WASPY Awards Nominations, OWASP Projects Track Participation, Opportunity to get $500 for Project Development, and Community Engagement and Support. These benefits increase as the project moves through each project stage within the OWASP Global Projects Infrastructure.

What will be my responsibilities as a Project Leader (PL)?

OWASP Project Leaders (PLs) are directly responsible for promoting, protecting, and managing their projects brand as well as the overall OWASP brand. Project Leader's are also directly responsible for managing all aspects of their OWASP Project. Please visit the OWASP Project Leader's Responsibilities page for a quick overview of Leader responsibilities both to his/her project, and to the OWASP Foundation as a whole.

How do I start an OWASP Project?

Starting an OWASP Project is easy. You don't have to be an application security expert. You just have to have the drive and desire to make a contribution to the application security community. The best OWASP projects are strategic as they make it easier to produce secure applications by filling a gap in the application security knowledge-base or technology support. You can run a single person project, but it's usually best to get the community involved. You should be prepared to support a mailing list, build a team, speak at conferences, and promote your project. To apply for an OWASP Project, please fill in the Project Application Form. The OWASP PM will reach out to you within seven days of making your application. Please be prepare to answer questions from the overall OWASP community before your project is accepted.

What are acceptable license choices for an OWASP Project?

Why are you recommending these licenses?
Which other open source licenses are eligible for an OWASP project?

Choosing a license under which an artifact is distributed and enforcing the license are prerogatives of the copyright holders over that artifact. By default, each contributor is copyright holder over the contributed piece. Contributors must all agree on the license and cooperate in enforcing it or must assign their copyright to the entity which becomes responsible for choosing and enforcing the license.

OWASP is a collaborative initiative for the public good and most of its output is expected to be functional, rather than aesthetic. The problem OWASP tackles is so large that OWASP acknowledges a need to collaborate with the commercial world. Therefore, in order to become an OWASP Sponsored Project, you should be comfortable with:

  • Allowing arbitrary uses for your work, for example for commercial purposes. (If you disagree, consider using CC-BY-NC.)
  • Revealing to the world your project's source code (its form preferred for modification).
  • Allowing your work, under certain conditions (see below), to be modified by others and redistributed. (If you disagree, consider using CC-BY-ND.)
How to choose a license for artifcts of your OWASP project
Artifact Under what conditions can your work be modified and redistributed?
As long as modifications are licensed in the same spirit If credit is appropriately given to you Under any circumstances
Standalone Tool Run locally
GPL (newest version as of 2016 is 3.0)

The "General Public License" protects users' four essential freedoms, among other things by requiring someone who distributes software derived from yours to also publish the source code for the modifications. Anyone can charge money for distributing copies of the software, but cannot prevent its recipients from redistributing it for free. The GPL allows the copyright holders to distribute the software under additional licenses, too, which can be a way to make it proprietary-friendly.
Apache License (newest version as of 2016 is 2.0)

Has the fewest restrictions, even allowing proprietary modifications and proprietary forks of your project, and is more up-to-date than the BSD license.
CC0 (newest version as of 2016 is 1.0)

The "Public Domain Dedication" means that anybody can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.
Consumed over the network
AGPL (newest version as of 2016 is 3.0)

The "Affero General Public License" extends the GPL to SaaS: users of the modified software must be able to obtain the source code of the modifications.
GPL or LGPL (newest version as of 2016 is 3.0)

The "Lesser General Public License" relaxes the GPL for libraries: if the library is not modified, just integrated (function calls, global variables,...), with other software, it does not require the source code of the other software to be published. The Free Software Foundation recommends the LGPL only for libraries which have established competitors for the same functionality, otherwise they recommend the full GPL.
Document (includes E-Learning, presentations, books etc.)
CC-BY-SA (newest version as of 2016 is 4.0)

The "Creative Commons Attribution-ShareAlike" is like the GPL, but for documents.
CC-BY (newest version as of 2016 is 4.0)

The "Creative Commons Attribution" is like the Apache License, but for documents.

OWASP Global Projects Infrastructure

How do I navigate through the OWASP Global Projects Infrastructure (OGPI)

This is where we would put the info-graphic. To be developed by our designer.

What are the different project stages?

The OWASP Project Lifecycle is broken down into the following stages:

Incubator Projects: OWASP Incubator projects represent the experimental playground where projects are still being designed, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity; moreover, the label allows project leaders to leverage the OWASP name while their project is still maturing. OWASP Incubator projects are given a place on the OWASP Projects Portal to leverage the organizations' infrastructure, and establish their presence and project history.

Labs Projects: OWASP Labs projects represent projects that have produced a deliverable of significant value. Leaders of OWASP Labs projects are expected to stand behind the quality of their projects as these projects have matured to the point where they are accepted by a significant portion of the OWASP community. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are ready for mainstream usage. OWASP Labs Projects are meant to be the collection of established projects that have gained community support and acclaim by undergoing the project review process.

Flagship Projects: The OWASP Flagship designation is given to projects that have demonstrated superior maturity, established quality, and strategic value to OWASP and application security as a whole. Eligible projects are selected from the OWASP Labs project pool. This selection process generally ensures that there is only one project of each type covering any particular security space. OWASP Flagship projects represent projects that are not only mature, but are also projects that OWASP as an organization provides direct support to maintaining. The core mission of OWASP is to make application security visible and so as an organization, OWASP has a vested interest in the success of its Flagship projects. Since Flagship projects have such high visibility, these projects are expected to uphold the most stringent requirements of all OWASP Projects.

How do I move from one stage to another?

In order for a project to move from one stage to another, the project must go through a Project Graduation Process. The Project Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs. In order to be considered for OWASP Labs, an Incubator project must have submitted an OWASP reviewed deliverable, and obtained at least two (2) positive responses for each of the core criteria project health questions. Similarly, an OWASP Labs project must follow the same process to graduate into the Flagship stage. For more information on, please Download the OWASP Projects Handbook 2013.

What incentives does my project get at each stage?


  • Financial Donation Management Assistance
  • Project Review Support
  • WASPY Awards Nominations
  • OWASP OSS and OPT Participation
  • Opportunity to submit proposal: $500 for Development.
  • Community Engagement and Support
  • Recognition and visibility of being associated with the OWASP Brand.


  • All benefits given to Incubator Projects
  • Technical Writing Support
  • Graphic Design Support
  • Project Promotion Support
  • OWASP OSS and OPT: Preference


  • All benefits given to Incubator & Labs Projects
  • Grant finding and proposal writing help
  • Yearly marketing plan development assistance
  • OWASP OSS and OPT participation preference

Social Media

We recommend using the links below to contact the OWASP PM via social media. These are a great way to keep in touch with the different initiatives going on at OWASP throughout the world.

Twitter-32x32.png Facebook-32x32.png Linkedin-32x32.png Google-32x32.png