SoftwareSecurity2012/Group 8/Wanted Documentation

Describe the sort of documentation you would have wanted about FluxBB, to make your security review easier.

This can be design decisions, description of the overall architecture and organisation, policies used in the application, styles or guidelines adhered to in the actual coding.

In order to make the security review easier it would have been great if the developers had provided an overview of how the different modules and sourcefiles are related. A diagram of the framework with all its components would really help to see which parts of the sourcecode might be affected by a certain type of vulnerability.

It would also have been nice if the developers had listed the design decisions they made, along with reasons to why they chose a particular method. The threat model they used to secure the application would also have been a great help, as anything not in the model would probably not be caught in the input validation functions.

It seems that the developers used the OWASP requirements list, or something similar as a guideline. Even if they didn't strictly follow such a list, it helps to know what kind of things they tried to prevent in their designs.

(Erik: You could be a bit more specific for V5 here. For V5 in particular, more specific documentation that would be useful might be a list of the different types of input the application has to deal with (usernames, profile pictures, forum content, etc) and for each the policy on how to validate them, and reference to the piece of code responsible for implementing it.