SoftwareSecurity2013/Group 9/Planning

From Werkplaats

Planning second part

Deadline     Who      What
17-05-2013   Steffen  1B review of Code Correctness and System Information Leak
17-05-2013   Ko       1B review of some other tool
31-05-2013   Jascha   2B of XSS: Persistent and XSS: Poor Validation
31-05-2013   Steffen  2B of XSS: Reflective
31-05-2013   Ko       2B of System Information Leak and Code Correctness
07-06-2013   All      Verdict on the security requirements, reflection on the whole process
14-06-2013   All      Finish everything
19-06-2013   n/a      Deadline
21-06-2013   n/a      Presentations


Categories:

  • XSS: Persistent
  • XSS: Poor Validation
  • XSS: Reflective
  • Code Correctness: Regular Expressions
  • System Information Leak


RATS: is useless

Other tools:

  • CheckMarx
  • RIPS
  • PHPLint (useless)
  • Yasca (glorified grep script)
  • Bugscout
  • Pixie

2B analysis:

  • Analyze all Fortify results point by point.
  • Report for each category about:
      • the reason why an issue is a vulnerability;
      • the severity of the vulnerability (and whether it matches Fortify's rating);
      • how it could be solved.



TODO:

  • Rewrite and refurbish all pages.
  • Verdict on the security requirements.
  • Reflection on the whole process.
  • Finish off everything and make things consistent.