Has the OTRS application kept the OWASP guidelines in place during its development. If so, is there a sharable report or document available and how can it be sourced?
If the OWASP guidelines were not considered, is there a process or tool that will help report whether OTRS does comply or is within the specified guidelines?
Has the OTRS application used a SDLC (Software Development Life cycle process). If so, which SDLC model has been used?