% - Daan: If you would have to do something like this again, what would you do differently? Eg. about organising things within the group: i.e., in retrospect, what do you think the best approach is to organise and divide the work in a team? (Dividing the verification requirements over the team members? Or by dividing the code? Or letting everyone look at everything, because different people will spot different things? Or work in pairs where one person confirms the findings of the other? ...)
% - Kelley: About the TestCMS code: are there important aspects that could (or should) be changed to improve security? Or aspects that could be changed to facilitate doing a security review?
% - Wouter: This last question might be generalised, to (web) applications in general, rather than this specific example of the TestCMS: ie. if you were to develop an application that will need to be subjected to a security review, would you do anything differently, given your experience in doing this, and if so, what and why?
+
+
+
+\subsection{On our auditing process}
+\input{reflection.auditing_process.tex}
+
+\subsection{On the bottlenecks}
+\input{reflection.bottlenecks.tex}
+
+\subsection{On the ASVS checklist}
+\input{reflection.asvs.tex}
+
+\subsection{On HP Fortify / automated code analysis tools}
+\input{reflection.tools.tex}
+
+\subsection{?}
+(TODO: Mart)
+
+\subsection{On the code \& streamlining subsequent security audits}
+\input{reflection.code_and_auditing.tex}
repositories / ssproject1617.git / blobdiff