SoftwareSecurity2012/Group 10/Reflection
Reflection
Group work
We divided most of the work, working together in pairs to ensure all requirements were sufficiently covered. Group meetings were scheduled regularly, as well as individual meetings for each of the pairs. While this strategy generally worked well, we did find ourselves working on things at the last minute at times, something which could have been improved. While the general idea of a code review was interesting, we did lack some interest because our assignment focused only on limited parts of the application and because the plugin we audited was mainly static and/or client-side. (Erik: Good point. I guess these plugins are not so suitable for this project, and it's better to look for some smallish web-apps instead.) Flexibility was not much of a problem, luckily, and we are nevertheless satisfied with the result.
Code scanners
The code scanners did not yield anything useful for the parts that we had to audit; perhaps they would be useful for other security areas. We felt that CodeSecure could potentially have given us some good results, so it would be great if an academic license (supporting > 10.000 LOC) were available next year.
Code reviewing
The hardest part of the review was figuring out what to look for. OWASP ASVS only provides criteria to check, but does not supply any information on how this should be done. Once we knew what we were looking for, some "find ./ -name '*.php' -print | xargs grep" magic quickly identified the right parts of the code, and we were able to verify whether they were correct or not. Furthermore, we identified some critical code in the files that handle sensitive data and analyzed it properly. It is obvious to us that FluxBB was written with very little attention to the details we analyzed, and that FancyBox, as a (mostly) client-side plugin, was basically irrelevant to many OWASP requirements.