the application. We could also find some spots where easy to find vulnerabilities
could be expected. However, looking at the source code was more effective,
especially when verifying that the \CMS{} \emph{passes} a requirement. Buggy code
-is easy to find. Bugless code is not.
+is easy to find. Bug-free code is not.
We have chosen to split the work by category of security requirements in
the OWASP Application Security Verification Standard. We set the goal to perform
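Review bot: the context line two above the change still reads "easy to find vulnerabilities"; used as a compound modifier it should be "easy-to-find vulnerabilities", and it is worth fixing in the same pass as "Bug-free". Separately, "We have chosen to split the work" opens a new topic directly after "Bug-free code is not." with no blank line between them, so LaTeX will set both in one paragraph. Consider adding a paragraph break there.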