X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv9_data.tex;h=5a389118a44a9e27165d0db8d08e3ad8ce914760;hb=3c8879cf6599fdcea20ac18910260e929d65bec4;hp=d43c21e871001e0a8e3b2789037839b493f3d704;hpb=db9adf4baa5dabb6cb7df7a57fc0aa22881e785e;p=ssproject1617.git diff --git a/report/v9_data.tex b/report/v9_data.tex index d43c21e..5a38911 100644 --- a/report/v9_data.tex +++ b/report/v9_data.tex @@ -4,7 +4,7 @@ features. \begin{result} - The login and page/post editing/creation forms post back to the same page, thereby incentivising the browser to cache the form inputs as well. This is as opposed to the common post/redirect/get model (see \url{http://en.wikipedia.org/wiki/Post/Redirect/Get}). Also, the \code{Cache-Control} isn't explicitly used anywhere in the \CMS{} to aid the situation. In my test setup, the response does send \code{Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0}, but that'll be a default global Apache setting, I think. + The login and page/post editing/creation forms post back to the same page, thereby incentivising the browser to cache the form inputs as well. This is as opposed to the common post/redirect/get model (see \url{http://en.wikipedia.org/wiki/Post/Redirect/Get}). Also, the \code{Cache-Control} isn't explicitly used anywhere in the \CMS{} to aid the situation. In our test setup, the response does send \code{Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0}, but that'll be a default global Apache setting, we think. \end{result} \notapplicable{\item Verify that the list of sensitive data processed by the @@ -34,7 +34,7 @@ \end{verbatim} \begin{result} - Cache control header are never set by the \CMS{}. The fact that headers as these are indeed sent to the broswer in my test setup is probably due to default global Apache settings. + Cache control header are never set by the \CMS{}. The fact that headers as these are indeed sent to the broswer in our test setup is probably due to default global Apache settings. \end{result} \item\pass{} Verify that on the server, all cached or temporary copies @@ -55,7 +55,7 @@ variables, cookies and header values. \begin{result} - The \CMS{} by no means sends any larger amount of parameters than would be expected, seen as it is but a simple app and mostly lacks extra functionality often leading to this kind of excessive parameter transferring, so I count this as a pass. + The \CMS{} by no means sends any larger amount of parameters than would be expected, seen as it is but a simple app and mostly lacks extra functionality often leading to this kind of excessive parameter transferring, so we count this as a pass. \end{result} \notapplicable{\item Verify the application has the ability to detect and alert @@ -71,7 +71,7 @@ Vacuously: data is not stored on the client side. \end{result} - \item\pass{} Verify accessing sensitive data is logged, if the data is + \item\fail{} Verify accessing sensitive data is logged, if the data is collected under relevant data protection directives or where logging of accesses is required. @@ -84,7 +84,7 @@ to mitigate memory dumping attacks. \begin{result} - I consider this outside of the scope of the \CMS{}'s security requirements, as it is written in, and thus relies on the (memory) security of, \PHP{}. + We consider this outside of the scope of the \CMS{}'s security requirements, as it is written in, and thus relies on the (memory) security of, \PHP{}. \end{result} \end{enumerate}