Get started
OWASP Projects
Projects are one of the primary methods through which OWASP seeks to achieve “no more insecure software”. OWASP projects provide a community-based platform that allows project leaders the opportunity to freely test ideas and theories in an open environment. Leaders are able to leverage the OWASP brand, the community, and a dedicated staff to guide maturity. The goal of an OWASP project is to create a concrete deliverable - such as a document, a tool, or a code library - that furthers the OWASP mission.
As with all OWASP groups, OWASP projects are driven by volunteers and are open to everyone. This means that anyone has the opportunity to lead a project, contribute to a project, or use a project. This handbook is meant to be the primary reference for OWASP project leaders, and it should serve as a useful starting point for anyone that wishes to start their own project within the OWASP organization.
OWASP projects are divided into the following major categories:
Types of Projects
- Documentation: These projects seek to communicate information or raise awareness about a topic in application security. Note that documentation projects should focus on an online-first deliverable, where appropriate, but can take any media form (e.g. pring, CBT, videos, games, etc.).
- Code: These projects provide tools, libraries, and frameworks that can be leveraged by developers to enhance the security of their applications.
- Other: Some projects fall outside the above categories. Most are created to offer OWASP operational support.
Creating a Project
Prior to creating a project, potential leaders should familiarize themselves with the current project policy. The project policy details the operational requirements and expectations for OWASP projects. To start a new project or re-open an archived project, please see the New Project Request. Considering that projects require review and investigation and, occasionally, discussion in committee, new project requests can take some time to resolve.
The New Project Request
In order to prepare for submitting the New Project Request, potential project leaders should consider the following.
Project Name
The project name should be considered carefully. This name will be how most people find the project and how they associate the project with what it does. A good name is descriptive and indicates what the project is about. Although acronyms are commonly used to refer to established projects, a good name tries to avoid this initially.
Project Leaders
Gather the names, email addresses, and Github usernames of the project leaders. These will be needed when starting a project so that leaders can be contacted and so that they may have access to the project repository which will be created for them. Project leaders should strive to use their OWASP email addresses, where available, whenever communicating anything about the project.
Project Information
Have a good idea of what your project is meant to address, including a short summary, a longer description, and a roadmap of what you want to accomplish in the near future. Having this information ready when a new project request is submitted demonstrates that a certain amount of thought has gone into the decision to create the project.
Project License
A project should choose an OSI approved license or, in the case of documentation projects, the Creative Commons BY-SA license is recommended.
Good Practices
Finally, you should make sure you review and understand the Project Committee’s recommendations for Project Good Practices. These include reviewing current projects to determine if your project overlaps with existing projects, guidelines on vendor neutrality, and other topics.
Leader Agreement
By submitting the new project request and clicking the box that you have read the project handbook, you and the Foundation hereby accept and agree to the following terms and conditions:
- The donation or creation of your project means that you agree to hand over all past, present and future contributions of source code and documentation to the Foundation, however submitted to the Foundation, excluding any submissions that are conspicuously marked or otherwise designated in writing by You.
- You hereby grant to the Foundation a non-exclusive, irrevocable, worldwide, no-charge, transferable copyright license to use, execute, prepare derivative works of, and distribute (internally and externally, in object code and, if included in your Contributions, source code form) your Contributions. Except for the rights granted to the Foundation in this paragraph, You reserve all right, title and interest in and to your Contributions. OWASP will always release a free and open version of anything we distribute that includes your Contributions.
- You may continue to be involved in the donated project, but you may not withdraw your project from the OWASP Foundation once the project donation process has been completed.
- You represent that you are legally entitled to grant the above license. If your employer(s) have rights to intellectual property that you create, you represent that you have received permission to make the Contributions on behalf of that employer, or that your employer has waived such rights for your Contributions to the Foundation.
- You represent that, except as disclosed in your Project Donation submission(s), each of your Contributions is your original creation. You represent that your Contribution submission(s) include complete details of any license or other restriction (including, but not limited to, related patents and trademarks) associated with any part of your Contribution(s) (including a copy of any applicable license agreement). You agree to notify the Foundation of any facts or circumstances of which you become aware that would make Your representations in this Agreement inaccurate in any respect.
- You are not expected to provide support for your Contributions, except to the extent you desire to provide support. You may provide support for free, for a fee, or not at all. Your Contributions are provided as-is, with all faults, defects, and errors, and without warranty of any kind (either express or implied) including, without limitation, any implied warranty of merchantability and fitness for a particular purpose and any warranty of non-infringement.