Software Security/Group 7/Reflection
Revision by Peter Gyorok on 22 June 2011 at 16:04
- It's a huge system to apply to a website. It costs a lot of time; the majority of people just apply it to the critical parts of the website.
- The OWASP is a very abstract description of the requirements. It doesn't define the concepts it uses (e.g. function vs service vs direct object reference). Neither does it give any instructions or even guidelines on how to go about actually verifying them.
- By applying this technique to an already finished project, we can be sure that it will never pass all the requirements unless it was already designed with the requirements in mind.
- It would make more sense to check these requirements at development time and include them in the design process.
- Having an external person verify the requirements requires that person to gain as much familiarity with the project as if he had created it. This also strengthens the previous point - we can save resources by having fewer people "learn" the project.