\CMS{}. This was easy, because one of us had made a \code{Dockerfile} for the
others to use. This made running and installing the application trivially
easy. Running the application made us understand the outline and components of
\CMS{}. This was easy, because one of us had made a \code{Dockerfile} for the
others to use. This made running and installing the application trivially
easy. Running the application made us understand the outline and components of
could be expected. However, looking at the source code was more effective,
especially when verifying that the \CMS{} \emph{passes} a requirement. Buggy code
could be expected. However, looking at the source code was more effective,
especially when verifying that the \CMS{} \emph{passes} a requirement. Buggy code
We have chosen to split the work by category of security requirements in
the OWASP Application Security Verification Standard. We set the goal to perform
We have chosen to split the work by category of security requirements in
the OWASP Application Security Verification Standard. We set the goal to perform
-that big. Furthermore, finding vulnerabilities is a lot easier that verifying
-the security in a lot of cases. This speeds up the auditing process, because
+that big. Furthermore, finding vulnerabilities is a lot easier than verifying
+the security in a lot of cases. This sped up the auditing process, because
the \CMS{} turned out to not satisfy the ASVS in most cases.
% Use of Fortify
Because we were on track early, most of the audit was already done by when we
were introduced to the Fortify tool. Nonetheless, we used it to verify our own
verdicts. Some of us have installed and used the Fortify tool itself. These
the \CMS{} turned out to not satisfy the ASVS in most cases.
% Use of Fortify
Because we were on track early, most of the audit was already done by when we
were introduced to the Fortify tool. Nonetheless, we used it to verify our own
verdicts. Some of us have installed and used the Fortify tool itself. These
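Review bot: The paragraph directly after the changed lines still reads "most of the audit was already done by when we were introduced to the Fortify tool"; since this change is a grammar pass over the same text, "by when" should become "by the time". In the changed lines themselves, "a lot easier than verifying the security in a lot of cases" repeats "a lot" and would read better as "much easier than verifying the security in many cases".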
if things had been missed or reported incorrect. This may not have thorough, but
because in the end five pairs of eyes have read all verdicts, we trust that, in
if things had been missed or reported incorrect. This may not have thorough, but
because in the end five pairs of eyes have read all verdicts, we trust that, in
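Review bot: "This may not have thorough" in this paragraph is missing its verb and should read "This may not have been thorough", and "reported incorrect" in the line before it should be "reported incorrectly". Neither is touched by this change, and both belong in the same grammar pass.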