SoftwareSecurity2012/Group 4
Group nr. 4
Group members:
Willem Burgers, Bas Visser, Kevin Reintjes, Christiaan Thijssen
- Willem Burgers / s0814830
- Bas Visser / s0815004
- Kevin Reintjes / s0814954
- Christiaan Thijssen / s0814970
all from the Radboud University Nijmegen
Topic: Module 2: Private Messaging (New Private Messaging System v1.5.5).
Used method
To perform our security analysis of the Private Messaging System (PMS) module, we used the method described in the OWASP Application Security Verification Standard (ASVS) Project. We performed both an automated (code scanning) analysis as well as a manual (code review) analysis.
We began by trying out some code scanners, namely RIPS and Yasca (with the RATS and PHPLint extensions). Our first impressions and results, as well as some tables and graphs with the numbers of errors found, can be found in the Trying out code scanners page (see Deliverables). After this, we looked at the findings of these tools in more detail. Mainly this meant checking whether each reported finding was indeed a security problem or a false positive. The results of this can be found in the Code scanning results page. With this we concluded step 1B of the ASVS method.
After this we continued with step 2B, the manual code analysis. We manually reviewed all files that belong to our module, keeping the security requirements listed in the ASVS document in mind. The results of this analysis can be found in the Manual code analysis page. This concluded step 2B of the ASVS method.
Now we were able to give a verdict on the security requirements in the ASVS document. For each requirement, we used the results of our automated and manual analysis to decide on a verdict. All the requirements with their verdicts are listed in the Verdict on the security requirements page, which also includes a short motivation for each verdict.
The other four deliverables not mentioned above contain logs or reflections on the process. The first page (Reflection on the used code scanners) contains our opinion about the code scanners we used. In this reflection we also used our findings from the manual analysis, since these could change our opinion (for example, we could have noticed that many security problems were missed by the scanners, i.e. false negatives). The second page (Documentation about FluxBB we would have wanted) contains an overview of documentation on FluxBB and/or the PMS module that would have been useful while performing our analysis. The third page (Reflection on the whole process) is a short reflection on the whole process of using the ASVS method: what we liked about the ASVS method and what we disliked, as well as things that went specifically well or specifically badly. Finally, the fourth page (Log of what we have been doing) is a log of who did what and when.