-the application. We could also find some spots were easy to find vulnerabilities
-could be expected. However, looking at the source code was more effective.
+the application. We could also find some spots where easy to find vulnerabilities
+could be expected. However, looking at the source code was more effective,
+especially when verifying that the \CMS{} \emph{passes} a requirement. Buggy code
+is easy to find. Bug-free code is not.