From: Daan Sprenkels Date: Mon, 21 Nov 2016 09:24:45 +0000 (+0100) Subject: Organization: textual changes X-Git-Url: https://git.martlubbers.net/?a=commitdiff_plain;h=6deaa9e1c89bc394b0a0bf8838f3a78db2292624;p=ssproject1617.git Organization: textual changes --- diff --git a/report/organization.tex b/report/organization.tex index 222cfc0..13aca57 100644 --- a/report/organization.tex +++ b/report/organization.tex @@ -15,7 +15,9 @@ CMS. This was easy, because one of us had made a \code{Dockerfile} for the others to use. This made running and installing the application trivially easy. Running the application made us understand the outline and components of the application. We could also find some spots were easy to find vulnerabilities -could be expected. However, looking at the source code was more effective. +could be expected. However, looking at the source code was more effective, +especially when verifying that the CMS \emph{passes} a requirement. Buggy code +is easy to find, bugless code is not. We have chosen to split the work by category of security requirements in the OWASP Application Security Verification Standard. We set the goal to perform @@ -36,7 +38,7 @@ that big. Furthermore, finding vulnerabilities is a lot easier that verifying th the CMS turned out to not satisfy the ASVS in most cases. % Use of Fortify -Because we were early on track, most of the audit was already done by when we +Because we were on track early, most of the audit was already done by when we were introduced to the Fortify tool. Nonetheless, we used it to verify our own verdicts. Some of us have installed and used the Fortify tool itself. These students have exported a PDF report, which the others could then use.
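Review bot: in the first hunk, the unchanged context line "We could also find some spots were easy to find vulnerabilities" still reads "were" where "where" is meant; since this commit is titled "textual changes", fix it in the same hunk, e.g. "We could also find some spots where easy-to-find vulnerabilities could be expected." The added sentence "Buggy code is easy to find, bugless code is not." makes the right point about verifying a pass versus finding a fail, but it would be clearer stated as the limitation of the method: code review can demonstrate that a flaw is present, not that none exists, so a "passes" verdict needs a different kind of evidence than a "fails" verdict.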
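Review bot: in the second hunk, "Because we were on track early, most of the audit was already done by when we" still reads awkwardly; "by when" should be "by the time", and "on track early" is clearer as "ahead of schedule": "Because we were ahead of schedule, most of the audit was already done by the time we were introduced to the Fortify tool." The surrounding context also still has "a lot easier that verifying" ("that" for "than") and the tense mix "Some of us have installed ... These students have exported", which this textual-changes commit could fix in the same hunk ("Some of us installed ... These students exported a PDF report").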