%
-% (TODO write out: dsprenkels)
+% Written by dsprenkels
%
% This document describes our security analysis of the (?) CMS according to the OWASP ASVS (v3.0.1), as well as an analysis of Fortify's results compared to our findings \& the OWASP ASVS categories.
%
% E.g. did you split the work by files in the code, or by category of security requirements? Did you double-check important findings? Or did you use several pairs of eyeballs on the same code/ security requirement, in the hope that more eyeballs spot more problems? (How) did you integrate using the static code analysis tools into this process? Did you use other tools and methods?
% Have you tried to run the application? (If so, was this useful, and did you find than running the application was helpful to then review the code, understanding its functionality better? But you might want to dicuss this in the Reflection section.)
-\section{Organization}
-Each of us has initially set up the CMS and made ourselves familiar with the
-CMS. We have chosen to split the work by category of security requirements in
+% Running the application
+Each of us has initially set up the \CMS{} and made ourselves familiar with the
+\CMS{}. This was easy, because one of us had made a \code{Dockerfile} for the
+others to use. This made running and installing the application trivially
+easy. Running the application made us understand the outline and components of
+the application. We could also find some spots where easy to find vulnerabilities
+could be expected. However, looking at the source code was more effective,
+especially when verifying that the \CMS{} \emph{passes} a requirement. Buggy code
+is easy to find. Bug-free code is not.
+
+We have chosen to split the work by category of security requirements in
the OWASP Application Security Verification Standard. We set the goal to perform
a sound level 2 audit on the software.
% Initial approach
We were quickly set up and started to do each own parts of the audit by hand.
For each OWASP ASVS item specific to certain mechanisms (like login and input
-validation), we would take the source code of the CMS and follow the control
-flow to see if the application satisfies the security requirement. For more
+validation), we took the source code of the \CMS{} and followed the control
+flow to see if the application satisfied the security requirement. For more
general requirements, we could just look at the code that is responsible for
-this requirement (like the \code{Response} class in the case of HTTP security).
-When we had found that a requirement was not satisfied, we elaborate shortly
-and move on.
+this requirement (like the \code{Response} class in the case of \HTTP{} security).
+When we had found that a requirement was not satisfied, we elaborated shortly
+and moved on.
This went well, because with five people the individual workload is just not
-that big. Furthermore, finding vulnerabilities is a lot easier that verifying the security in a lot of cases. This speeds up the auditing process, because
-the CMS turned out to not satisfy the ASVS in most cases.
+that big. Furthermore, finding vulnerabilities is a lot easier than verifying
+the security in a lot of cases. This sped up the auditing process, because
+the \CMS{} turned out to not satisfy the ASVS in most cases.
+
+% Use of Fortify
+Because we were on track early, most of the audit was already done by when we
+were introduced to the Fortify tool. Nonetheless, we used it to verify our own
+verdicts. Some of us have installed and used the Fortify tool itself. These
+students exported a PDF report and described the results, which the others
+could then use.
-% TODO(dsprenkels) Use of Fortify
-% TODO(dsprenkels) Running the application
-% TODO(dsprenkels) Double-checking process (see V2.2 as example)
+% Double-checking process
+When we finished the report, each of us reread the other parts to check
+if things had been missed or reported incorrect. This may not have thorough, but
+because in the end five pairs of eyes have read all verdicts, we trust that, in
+the end, all verdicts are sufficiently checked.
repositories / ssproject1617.git / blobdiff