SoftwareSecurity2014/Group 3/Reflection
Checking a piece of software you are not very familiar with for security vulnerabilities with OWASP ASVS can take some time. In some cases you will quickly find a counter-example and thereby you prove that a certain validation requirement is not met. In other cases there may be no counter-example or it is hard to find, but you will have to validate all code, before you can say that a validation requirement is met. This can be a lot of work, especially if you don't know the code because you are not the author. It should be a lot easier to validate code while you build it.
We think the ASVS requirements are quite clear, although there also is quite some overlap between the requirements. Not passing one of the requirements often implies the failure of others. Also, ASVS seems to be more useful to use as guidelines when writing the code rather than checking the whole code afterwards. Therefore, we think that being somewhat familiar with these requirements may improve our awareness for security vulnerabilities when programming for future projects.
Because the requirements are quite well defined and separated into different subgroups, it makes perfect sense that the work is split up over different teams, although it does create some overhead, because different groups are trying to understand the same parts of the code.
Although reviewing the code for these OWASP ASVS requirements was somewhat boring, we have achieved something: we should now be more security-aware than before.