% Daan: If you would have to do something like this again? (...)
We have noticed that, when doing an audit in a team, it is not feasible for
-everybody to have read all source code. Henceforth, trying this is just a bad
+everybody to have read all source code. Trying this is just a bad
idea. We are happy to have divided the project by ASVS category, instead of
program component. For each requirement the the ASVS, the
team had to verify that there were no mistakes in the code. This would have
taken a lot of time if we had to verify each component for each requirement.
Furthermore, the ASVS is an easy guide for dividing the work\footnote{The
-categories in the ASVS are all of similar size. We settled on giving each team
+categories in the ASVS are all more or less of similar size. We settled on giving each team
member two categories to check.}. Dividing by component would have been a lot
harder to do fairly, especially because when beginning the project we had
little knowledge of the internals (and component sizes) of the CMS.
repositories / ssproject1617.git / blobdiff