ssproject1617.git / commitdiff (parent: f7dac40)
Organization: textual changes
author: Daan Sprenkels <dsprenkels@gmail.com>, Mon, 21 Nov 2016 09:24:45 +0000 (10:24 +0100)
committer: Daan Sprenkels <dsprenkels@gmail.com>, Mon, 21 Nov 2016 09:24:45 +0000 (10:24 +0100)
report/organization.tex
diff --git a/report/organization.tex b/report/organization.tex
index 222cfc0..13aca57 100644
--- a/report/organization.tex
+++ b/report/organization.tex
@@ -15,7 +15,9 @@
CMS. This was easy, because one of us had made a \code{Dockerfile} for the
others to use. This made running and installing the application trivially
easy. Running the application made us understand the outline and components of
the application. We could also find some spots were easy to find vulnerabilities
-could be expected. However, looking at the source code was more effective.
+could be expected. However, looking at the source code was more effective,
+especially when verifying that the CMS \emph{passes} a requirement. Buggy code
+is easy to find, bugless code is not.
We have chosen to split the work by category of security requirements in
the OWASP Application Security Verification Standard. We set the goal to perform
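Review bot: the new sentence "Buggy code is easy to find, bugless code is not." is a comma splice; a semicolon or "while" reads better in a report. Since this hunk already touches the paragraph, the context line "some spots were easy to find vulnerabilities" should become "where easy to find vulnerabilities". On substance, the added claim that source review is needed to show the CMS passes a requirement is the right point, but a passing verdict is only as strong as the reviewer's coverage; stating which modules or entry points were read for each requirement would make those verdicts auditable.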
@@ -36,7 +38,7 @@
that big. Furthermore, finding vulnerabilities is a lot easier that verifying th
the CMS turned out to not satisfy the ASVS in most cases.
% Use of Fortify
-Because we were
early on track
, most of the audit was already done by when we
+Because we were
on track early
, most of the audit was already done by when we
were introduced to the Fortify tool. Nonetheless, we used it to verify our own
verdicts. Some of us have installed and used the Fortify tool itself. These
students have exported a PDF report, which the others could then use.
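Review bot: the reordering to "on track early" is fine, but the rest of the sentence still reads "by when we", which should be "by the time we"; while here, "Some of us have installed and used" should be "Some of us installed and used" to match the past tense of the surrounding text, and the context line "a lot easier that verifying" needs "than". For the report's content, this paragraph says Fortify was used to verify the team's own verdicts but not what that verification yielded; a sentence on whether the static analysis report agreed with the manual audit, or flagged anything it missed, is what a reader of this section will want.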