+% Running the application
+Each of us has initially set up the CMS and made ourselves familiar with the
+CMS. This was easy, because one of us had made a \code{Dockerfile} for the
+others to use. This made running and installing the application trivially
+easy. Running the application made us understand the outline and components of
+the application. We could also find some spots were easy to find vulnerabilities
+could be expected. However, looking at the source code was more effective,
+especially when verifying that the CMS \emph{passes} a requirement. Buggy code
+is easy to find, bugless code is not.
+
+We have chosen to split the work by category of security requirements in
+the OWASP Application Security Verification Standard. We set the goal to perform
+a sound level 2 audit on the software.
+
+% Initial approach
+We were quickly set up and started to do each own parts of the audit by hand.
+For each OWASP ASVS item specific to certain mechanisms (like login and input
+validation), we would take the source code of the CMS and follow the control
+flow to see if the application satisfies the security requirement. For more
+general requirements, we could just look at the code that is responsible for
+this requirement (like the \code{Response} class in the case of HTTP security).
+When we had found that a requirement was not satisfied, we elaborate shortly
+and move on.
+
+This went well, because with five people the individual workload is just not
+that big. Furthermore, finding vulnerabilities is a lot easier that verifying the security in a lot of cases. This speeds up the auditing process, because
+the CMS turned out to not satisfy the ASVS in most cases.
+
+% Use of Fortify
+Because we were on track early, most of the audit was already done by when we
+were introduced to the Fortify tool. Nonetheless, we used it to verify our own
+verdicts. Some of us have installed and used the Fortify tool itself. These
+students have exported a PDF report, which the others could then use.
+
+% Double-checking process
+When we finished the report, each of us has reread each others' parts to check
+if things had been missed or reported incorrect. This may not have thorough, but
+because in the end five pairs of eyes have read all verdicts, we trust that, in
+the end, all verdicts are sufficiently checked.
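Review bot: the added paragraphs carry several grammar and wording errors that should be cleaned up before this goes in, since they are the report's methodology section. `some spots were easy to find vulnerabilities could be expected` should read `some spots where easy-to-find vulnerabilities could be expected`; `started to do each own parts of the audit` should be `started to do our own parts of the audit`; and `finding vulnerabilities is a lot easier that verifying the security` needs `than` (that line is also far longer than the wrap width used in the rest of the file). The sentence `When we had found that a requirement was not satisfied, we elaborate shortly and move on.` switches to present tense mid-paragraph; `we elaborated briefly and moved on` matches the surrounding text. In the last paragraph, `reported incorrect` should be `reported incorrectly` and `This may not have thorough` is missing `been`; `by when we were introduced to the Fortify tool` reads better as `by the time we were introduced to the Fortify tool`. Finally, `made ourselves familiar with the CMS` repeats `CMS` from the previous clause; `made ourselves familiar with it` avoids the repetition.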