We have noticed that, when doing an audit in a team, it is not feasible for
everybody to have read all source code. Trying this is just a bad
idea. We are happy to have divided the project by ASVS category, instead of
-program component. For each requirement the the ASVS, the
+program component. For each requirement the ASVS, the
team had to verify that there were no mistakes in the code. This would have
taken a lot of time if we had to verify each component for each requirement.
Furthermore, the ASVS is an easy guide for dividing the work\footnote{The
categories in the ASVS are all more or less of similar size. We settled on giving each team
member two categories to check.}. Dividing by component would have been a lot
harder to do fairly, especially because when beginning the project we had
-little knowledge of the internals (and component sizes) of the CMS.
+little knowledge of the internals (and component sizes) of the \CMS{}.
-We haven't experimented with working in pairs. This might be a good idea to
+We have not experimented with working in pairs. This might be a good idea to
experiment with. We are confident however that, because we have all checked
each other's finished work (and the final product), we did not miss any
problems.
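Review bot: the replacement line "program component. For each requirement the ASVS, the" is still ungrammatical. Dropping the duplicated "the" leaves the sentence without a preposition, so it should read "For each requirement of the ASVS, the" (or "in the ASVS"). The switch from "CMS" to "\CMS{}" depends on a macro whose definition is not part of this patch, so confirm that it is defined in the preamble and that the other occurrences of "CMS" in the document use it too. In the last changed line, "We have not experimented with working in pairs. This might be a good idea to experiment with." repeats "experiment"; "This might be worth trying." reads more cleanly.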