Introducing new "Production" project maturity level


Björn Kimminich

Monday, October 3, 2022

In order to distinguish projects more clearly over their lifecycle, OWASP has introduced a new Production maturity level. It offers a natural and final step after Lab status for all projects of sufficient maturity and activity, and finally allows Flagship to be treated as the strategic bonus level it was always meant to be. Along with the new level, the Project Committee has documented clear guidance on progression requirements and the promotion process.

OWASP Project Maturity Levels

All new OWASP projects start at the Incubator level, at which they are considered experimental, proof-of-concept, work-in-progress, or sometimes just an idea. Once they have proven themselves with a stable release, the introduction of good open source development & maintenance practices, and a positive reception by the community, projects would request promotion to Lab level. Up until now, this was the end of the line for many projects, as the Flagship level has been scarcely awarded to projects of strategic value to the OWASP mission. Ending up on a level called Lab felt somewhat unnatural for very mature and active projects. Enter: Production level.

Production is now the final step in the possible maturity progression for OWASP projects. It comes with tougher requirements, but makes it possible to clearly distinguish OWASP’s top-of-the-line projects. This new level finally allows Flagship to be clearly disconnected from the maturity scale, with such projects considered simply as Production level maturity with a bonus award for strategic importance.

Progression Requirements and Process

The requirements for maturity promotions were a bit fuzzy up until now. The Project Committee has changed this by providing a clear overview of necessary prerequisites for each level. The promotion request & review process itself is now also very straightforward.

For Incubator to Lab and further to Production, a Google form is available to request the promotion. The request is reviewed by at least one Project Committee member and one volunteer project leader or second Project Committee member. The final decision about the promotion is with the Project Committee. In case of declined promotion requests, the committee will provide a list of findings and shortcomings to the requesting Project Leader, so that they can address them and reapply for promotion later.

Strategic promotions to Flagship level can be proposed to the Project Committee directly via email. Such proposals will be evaluated by the Project Committee and a recommendation brought to the OWASP Global Board. The final decision is with the Board.

OWASP Project Good Practices

A significant aspect of the promotion checklist is how well a project considers the recently published OWASP Project Good Practices. These currently include advice on vendor neutrality, community support, website upkeep, and usage of GitHub. This Good Practices checklist is supposed to be extended over time and as frequently as needed. The goal is to provide practical guidance and relevant practices for projects, rather than a high-level ruleset. Leaders should still assume that an abstracted form of these practices will one day make its way into the Project Policy.

The Project Committee would love to hear your feedback and ideas for the maturity levels and good practices. Please reach out to us via email or the #project-committee Slack channel!