--- /dev/null
+\r
+% How useful were code analysis tools?\r
+The usefulness of the Fortify Static Code Analysis tool turned out to be very limited.\r
+Since we had most verdicts ready before a license was provided we couldn't use\r
+the tool as an initial guide trough the code. This forced us to manually check\r
+the application source which took quite some time. After the tool became available we\r
+didn't get any new insights regarding potential security risks, just more examples\r
+of problems we already detected.\r
+\r
+% How could they be improved? (niet echt een antwoord maar we hebben de tool ook niet echt gebruikt?)\r
+In our opinion the tool could have proved very useful in pointing out certain security\r
+flaws in the initial stage of this project since we spent a lot of time scanning the\r
+application code-base. Since Fortify located relatively low-level problems we could\r
+have used these to locate potential hot-spots. \r
+Saving us from going trough every source file and trying to determine if they are part of the\r
+applications external access points. In order to improve upon the tool we suggest a larger\r
+focus on determining which parts of a application need to be secure and less on pointing\r
+out actual security flaws.\r
+\r
+% How did you experience the rates and amounts of false and true positives?\r
+TODO: feedback per groepslid, ik heb geen idee hoe iedereen dit ervaren heeft.\r
+\r
+% How might that be improved?\r
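Review bot: The line "TODO: feedback per groepslid, ik heb geen idee hoe iedereen dit ervaren heeft." under the false/true positives question has no leading %, unlike the question prompts around it. If this is LaTeX source, as those % lines suggest, it will be typeset as body text. The final prompt, "% How might that be improved?", also has no answer under it. Replace the TODO with the actual answer or comment it out before merging, and either answer or drop the last prompt. Smaller points in the same hunk: "trough" should be "through" (twice); "Saving us from going trough every source file ..." is a sentence fragment and should be joined to the sentence before it; "a application" should be "an application"; "applications external access points" needs a possessive apostrophe. The parenthetical in the "How could they be improved?" comment and the TODO are in Dutch while the rest of the text is English. It admits the answer does not really address the question, which is worth resolving rather than leaving as a comment. The added lines also end in a carriage return, so check the file's line endings against the rest of the repository.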