one spelling instance \& updated .xlsx
[ssproject1617.git] / report / reflection.auditing_process.tex
% Daan: If you would have to do something like this again? (...)
We have noticed that, when doing an audit in a team, it is not feasible for
everybody to have read all source code. Trying this is just a bad
idea. We are happy to have divided the project by ASVS category, instead of
program component. For each requirement in the ASVS, the
team had to verify that there were no mistakes in the code. This would have
taken a lot of time if we had to verify each component for each requirement.
Furthermore, the ASVS is an easy guide for dividing the work\footnote{The
categories in the ASVS are all more or less of similar size. We settled on giving each team
member two categories to check.}. Dividing by component would have been a lot
harder to do fairly, especially because when beginning the project we had
little knowledge of the internals (and component sizes) of the CMS.

We haven't experimented with working in pairs. This might be a good idea to
experiment with. We are confident however that, because we have all checked
each other's finished work (and the final product), we did not miss any
problems.
In the end, we are satisfied with the way we have done things.