the tool as an initial guide trough the code. This forced us to manually check\r
the application source which took quite some time. After the tool became available we\r
didn't get any new insights regarding potential security risks, just more examples\r
-of problems we already detected.\r
+of problems we already detected. An example would be the use of the \emph{crypt()} \PHP\r
+function which uses the outdated \emph{DES} algorithm in order to encrypt data. The\r
+use of this function would pose a security risk and results in a failed check. Since\r
+we where only interested in providing a verdict for each check a single occurrence of\r
+this function allowed us to back-up our verdict. Fortify provides a full list of all\r
+occurrences which could be used to fix the application, our verdict on the other hand\r
+doesn't provide the developer with any information on how to fix the problem. We just\r
+state that there is a problem.\r
\r
% How could they be improved? (niet echt een antwoord maar we hebben de tool ook niet echt gebruikt?)\r
In our opinion the tool could have proved very useful in pointing out certain security\r
out actual security flaws.\r
\r
% How did you experience the rates and amounts of false and true positives?\r
-TODO: feedback per groepslid, ik heb geen idee hoe iedereen dit ervaren heeft.\r
+As far we where able to verify the tool didn't produce any false positives.\r
+However Fortify was not able to detect all problems we found.\r
+Fortify concluded the application passed all checks in the \r
+Error reporting and Logging (V8) section, however we detected a number of severe\r
+problems in this area.\r
\r
% How might that be improved?\r
+Since some problems occur multiple times it might be nice if Fortify was able to\r
+generate a clear overview of which components of the application contain detected\r
+problems. This could be very useful in combination with the information about\r
+components/functions which do pass the given security check. This would allow\r
+developers to determine if they suffer from chronically malformed code \r
+(eg. all relevant code fails the check, indicating a very serious problem throughout the entire code-base) \r
+or a single error (eg. most relevant code passes the check except for a few isolated cases).\r
+In the tested code-base there is a clean distinction between an installer component and the\r
+actual web application. If the installer suffers from problems not present in\r
+the web application and Fortify would be able to point out the specific check is\r
+relevant to both components the company would know which team/developer needs some major\r
+reeducation and who would be the best person to teach them.\r
\begin{result}
Log information is very minimal and doesn't include the date and time unless it's part of the exception message.
- Only information available regarding the moment an error occoured is the date used as the log filename.
+ Only information available regarding the moment an error occurred is the date used as the log filename.
\end{result}
\item\pass{} Verify that all
\begin{result}
Failed login attempts, password reset, login/logout\ldots are not logged at all.
- It's not possible to retreive the IP address from which a password reset has been issued.
+ It's not possible to retrieve the IP address from which a password reset has been issued.
Only potential requests are logged even before it's verified such an action exists.
\end{result}
repositories / ssproject1617.git / commitdiff