+% Running the application
+Each of us has initially set up the \CMS{} and made ourselves familiar with the
+\CMS{}. This was easy, because one of us had made a \code{Dockerfile} for the
+others to use. This made running and installing the application trivially
+easy. Running the application made us understand the outline and components of
+the application. We could also find some spots where easy to find vulnerabilities
+could be expected. However, looking at the source code was more effective,
+especially when verifying that the \CMS{} \emph{passes} a requirement. Buggy code
+is easy to find. Bug-free code is not.
+
+We have chosen to split the work by category of security requirements in
+the OWASP Application Security Verification Standard. We set the goal to perform
+a sound level 2 audit on the software.
+
+% Initial approach
+We were quickly set up and started to do each own parts of the audit by hand.
+For each OWASP ASVS item specific to certain mechanisms (like login and input
+validation), we took the source code of the \CMS{} and follow the control
+flow to see if the application satisfies the security requirement. For more
+general requirements, we could just look at the code that is responsible for
+this requirement (like the \code{Response} class in the case of \HTTP{} security).
+When we had found that a requirement was not satisfied, we elaborate shortly
+and move on.
+
+This went well, because with five people the individual workload is just not
+that big. Furthermore, finding vulnerabilities is a lot easier than verifying
+the security in a lot of cases. This sped up the auditing process, because
+the \CMS{} turned out to not satisfy the ASVS in most cases.
+
+% Use of Fortify
+Because we were on track early, most of the audit was already done by when we
+were introduced to the Fortify tool. Nonetheless, we used it to verify our own
+verdicts. Some of us have installed and used the Fortify tool itself. These
+students exported a PDF report and described the results, which the others
+could then use.
+
+% Double-checking process
+When we finished the report, each of us reread the other parts to check
+if things had been missed or reported incorrect. This may not have thorough, but
+because in the end five pairs of eyes have read all verdicts, we trust that, in
+the end, we feel all verdicts are sufficiently checked.
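Review bot: several sentences in this hunk are ungrammatical or redundant and should be tightened before merging: `This may not have thorough` is missing "been"; `we elaborate shortly` and `follow the control flow` break the past tense used elsewhere ("elaborated", "followed"); and `we trust that, in the end, we feel all verdicts are sufficiently checked` repeats "in the end" and nests "trust" and "feel", so suggest `we trust that all verdicts have been sufficiently checked`. The opening sentence also repeats `\CMS{}` (`set up the \CMS{} and made ourselves familiar with the \CMS{}`), and `by when we were introduced` should read `by the time we were introduced`. On substance, the Fortify paragraph says the tool was used `to verify our own verdicts`, but the double-checking paragraph only describes peer rereading; a sentence stating whether any Fortify finding confirmed or changed a manual verdict would make that verification claim checkable.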