Which of the following is an open framework used to guide an organization in making software security decisions that are in alignment with the organization’s risk profile? (Select the best answer.)
The Software Assurance Maturity Model (SAMM) is an open framework used to guide an organization in making software security decisions that are in alignment with the organization's risk profile. SAMM is published by the Open Web Application Security Project (OWASP), a multinational, not-for-profit organization that provides frameworks, documentation, tools, and community forums with a focus on application security. Like all OWASP documentation, SAMM is licensed under the Creative Commons Attribution-Share Alike 3.0 License, a common Free/Libre and Open Source Software (FLOSS) license that allows redistribution and modification of the original content with appropriate attribution and with the requirement that derivative works be distributed under the same license as the original.
The Offensive Web Testing Framework (OWTF), Zed Attack Proxy (ZAP), and Web Testing Environment (WTE) are not open frameworks used to guide an organization in making software security decisions that are in alignment with the organization's risk profile. OWTF is a penetration testing tool designed to automate some of the lower-level and tedious parts of the penetration testing process; its aim is to give the penetration tester more time to analyze and investigate complex vulnerabilities. ZAP is an integrated penetration testing tool for web applications. It provides automated scanners and a suite of tools that can be used to manually probe for vulnerabilities. WTE is a consolidated testing environment that can be distributed as a virtual machine, a bootable image, or individual Linux packages. WTE aims to provide a sandbox in which testers, developers, and trainers can interact with security tools provided by OWASP and other FLOSS developers. WTE is based on the OWASP Live CD Project.