From: Mart Lubbers Date: Mon, 10 Oct 2016 17:45:17 +0000 (+0200) Subject: Add true skeleton X-Git-Url: https://git.martlubbers.net/?a=commitdiff_plain;h=5675de2255bdfceb293ed7418a0478bc0af7cd75;p=ssproject1617.git Add true skeleton --- diff --git a/report/.gitignore b/report/.gitignore index b4b1e45..30d00fd 100644 --- a/report/.gitignore +++ b/report/.gitignore @@ -4,6 +4,7 @@ *.toc *.bbl *.blg +*.out *.mlog *.run.xml *.pdf diff --git a/report/Makefile b/report/Makefile index 20d0aa5..a4ec3a0 100644 --- a/report/Makefile +++ b/report/Makefile @@ -24,5 +24,5 @@ all: $(DOC).pdf convert -density 300 $< -resize x1000 $@ clean: - $(RM) $(addprefix $(DOC).,aux log fmt toc bbl blg mlog run.xml pdf)\ + $(RM) $(addprefix $(DOC).,aux log fmt toc bbl blg mlog run.xml pdf out)\ $(DOC)-blx.bib logo.png diff --git a/report/organization.tex b/report/organization.tex new file mode 100644 index 0000000..e69de29 diff --git a/report/preamble.tex b/report/preamble.tex index 6882a00..8bc003b 100644 --- a/report/preamble.tex +++ b/report/preamble.tex @@ -3,11 +3,15 @@ \usepackage{rutitlepage} \usepackage{geometry} \usepackage{hyperref} +\usepackage{enumitem} +\usepackage[dvipsnames]{xcolor} -\hypersetup{% - hidelinks, - pdftitle={OWASP ASVS Souce Code Review Project} -} +\hypersetup{hidelinks, pdftitle={OWASP ASVS Souce Code Review Project}} + +% Als een criterium niet applicable is (we doen alleen 1 en 2) +\newcommand{\notapplicable}[1]{{\color{Gray} #1}} + +\renewcommand\thesubsection{V\arabic{subsection}} \author{% Kelley van Evert\\ diff --git a/report/reflection.tex b/report/reflection.tex new file mode 100644 index 0000000..e69de29 diff --git a/report/report.tex b/report/report.tex index 0197f3c..d44b94c 100644 --- a/report/report.tex +++ b/report/report.tex @@ -2,11 +2,35 @@ \begin{document} \maketitleru[course={Software Security}] \section{Organization} -\subsection{V2. Input Validation} -\input{v5_input.tex} +\input{organization.tex} \section{Verdict} +\addtocounter{subsection}{1} +\subsection{Authentication} + +\subsection{Session Management} + +\subsection{Access Control} + +\subsection{Input Validation} +\input{v5_input.tex} + +\subsection{Output Encoding/Escaping} + +\subsection{Cryptography at rest} + +\subsection{Error Handling \& logging} + +\subsection{Data Protection} + +\addtocounter{subsection}{1} +\subsection{HTTP Security} + +\addtocounter{subsection}{4} +\subsection{Files and Recourses} + \section{Reflection} +\input{reflection.tex} \end{document} diff --git a/report/v5_input.tex b/report/v5_input.tex index 161829c..618c2bf 100644 --- a/report/v5_input.tex +++ b/report/v5_input.tex @@ -1 +1,30 @@ -Hoi +\begin{enumerate}[label=5.\arabic*] + \item Verify that the runtime environment is not susceptible to buffer + overflows, or that security controls prevent buffer overflows. + + % They skip 5.2 + \addtocounter{enumi}{1} + \item Verify that server side input validation failures result in + request rejection and are logged. + + % They skip 5.4 + \addtocounter{enumi}{1} + \item Verify that input validation routines are enforced on the server + side. + + \item\notapplicable{Verify that a single input validation control is used + by the application for each type of data that is accepted.} + + % They skip 5.7-5.9 + \addtocounter{enumi}{3} + \item Verify that all SQL queries, HQL, OSQL, NOSQL and stored + procedures, calling of stored procedures are protected by the + use of prepared statements or query parameterization, and + thus not susceptible to SQL injection. + + \item Verify that the application is not susceptible to LDAP + Injection, or that security controls prevent LDAP Injection. + + \item Verify that the application is not susceptible to OS Command + Injection, or that security controls prevent OS Command Injection. +\end{enumerate}