SoftwareSecurity2012/Group 9/Reflection

From Werkplaats

Reflection on project

The first part of the project was to test automated tools. We tried out YASCA and RIPS: both without satisfying results, although we consider them useful for a global code review. They might point out some vulnerabilities regarding attacks like SQL injections and XSS, but unfortunately do not take a close look at logging and error handling. To investigate whether the OWASP requirements were met by FluxBB, we needed to manually look through the code. Obviously, we would have spent less time, as well as possibly gotten more specific results, had there been an automated tool to analyse the logging and error handling requirements automatically. A disadvantage within our specific group was the lack of (the required level of) PHP knowledge.

As for the OWASP document, we believe it is very useful for such a standard to exist: it gives a clear distinction between several important issues to be verified within the source code of the forum. However, one should always keep in mind that although all requirements could be met, the code might still contain vulnerabilities. Dividing the subjects between multiple groups seems logical and less time-consuming than letting everyone look at all requirements. Of course, some work is probably still done more than once, but overall we think working in groups is an advantage.

Just like last year's group experienced with phpBB, FluxBB lacks good logging facilities. It would be nice to see an update which includes decent logging, since some requirements could not even be tested.