Which of the following statements is true regarding OWASP? (Select the best answer.)
- It is exclusively a North American nonprofit organization.
- It endorses products from HP and Symantec.
- It releases security materials under FLOSS licenses.
- It requires membership to download security tools such as ZAP.
The Open Web Application Security Project (OWASP) releases security materials under Free/Libre and Open Source Software (FLOSS) licenses. OWASP is a multinational, not-for-profit organization that provides frameworks, documentation, tools, and community forums with a focus on application security. For example, one of the OWASP Flagship projects is the Software Assurance Maturity Model (SAMM), which is an open framework used to guide an organization in making software security decisions that are in alignment with the organization's risk profile. Like all OWASP documentation, the SAMM is licensed under the Creative Commons Attribution-Share Alike 3.0 License, which is a common FLOSS license that allows redistribution and modification of the original content with the appropriate attribution and the requirement to distribute the derivative work under the same license as the original.
Although OWASP has many financial supporters, including Adobe, Akamai, HP, and Symantec, it does not endorse any particular company or product. According to the code of ethics published in its bylaws, OWASP must maintain and affirm its objectivity and reject inappropriate pressure from the technology industry. Therefore, OWASP strives to avoid affiliation with any technology company and to maintain its presence as an unbiased source of information about application security.
OWASP offers several different membership levels, each of which provides various benefits, such as reduced advertising costs, discounted conference sponsorship rates, and the ability to vote in OWASP elections. However, membership is not required to access or download any of the documentation or tools offered by OWASP, including Flagship projects such as the OWASP Zed Attack Proxy (ZAP). ZAP is an integrated penetration testing tool for web applications.