From: Daan Sprenkels <dsprenkels@gmail.com>
Date: Fri, 25 Nov 2016 10:04:03 +0000 (+0100)
Subject: Add TestCMS specific code reflection
X-Git-Url: https://git.martlubbers.net/?a=commitdiff_plain;h=37c1ce0fc9ce34e0629c0b4384edfbc1297f3e79;p=ssproject1617.git

Add TestCMS specific code reflection
---

diff --git a/report/reflection.testcms_code.tex b/report/reflection.testcms_code.tex
new file mode 100644
index 0000000..08416e3
--- /dev/null
+++ b/report/reflection.testcms_code.tex
@@ -0,0 +1,20 @@
+% About the TestCMS code: are there important aspects that could (or should)
+% be changed to improve security? Or aspects that could be changed to
+% facilitate doing a security review?
+
+We found that the general design of the TestCMS codebase was pretty adequate.
+Functionality was neatly grouped by in different modules in the \code{system}
+directory. The code was very readable and commented. This made the security
+audit easier to do than we had initially expected.
+
+At the same time the TestCMS did not really do this in the case of security
+critical components. Input sanitization happens all over the place (and in
+some cases it does not happen at all). Middleware based design patterns could
+make the processing of input and output a somewhat less cluttered.
+
+Another thing that striked us about the TestCMS code is that all functionality
+was written by the programmer theirself. Although it may make the application
+a bit slower, using a template engine (like Twig\footnote{\url{http://twig.sensiolabs.org/}})
+could make the application design clearer and more secure by design. While a
+template engine is not necesarry, we think that using the new \code{MySQLi} API
+and in combination with prepared statements is a good change to start with.
diff --git a/report/reflection.tex b/report/reflection.tex
index 9b3f7d1..257f9b5 100644
--- a/report/reflection.tex
+++ b/report/reflection.tex
@@ -49,5 +49,8 @@ some components, like input escaping, are just not present.
 \subsection{On the code \& streamlining subsequent security audits}
 \input{reflection.code_and_auditing.tex}
 
+\subsection{TestCMS code security}
+\input{reflection.testcms_code.tex}
+
 \subsection{On the general development of secure software}
 \input{reflection.secure_development.tex}