Software Security/Group 9/Reflection
Reflection on the whole process
- Code review is a laborious process. Code scanners and guidelines such as ASVS can help make it easier.
- Most code scanners focus on particular classes of attacks, such as SQL injection and XSS. During our process, we found that commercial tools work better than free/open source ones, probably because more effort is spent on developing them. Unfortunately, we did not find those tools helpful for the requirement we were looking at.
- We found it helpful to figure out the architecture of the whole program before starting the manual code review, because we could then focus our review on the relevant files.
- As may be evident from our logs, we spent much time experimenting with code scanners. This may not be the most effective way to do a code review for V2.
- Applying project management techniques seems useful for improving the involvement of all group members.
Erik: good points!