SoftwareSecurity2014/Group 9/Log
April 3rd 2014
First meeting, mainly discussed the open-source project we'd like to analyze. Several suggestions were made, including WordPress, phpBB, MediaWiki and Joomla. We eventually decided to stick with phpBB. Next week's assignment is planned and by then we should have all our group requirements set up (shared filespace, contact groups etc.).
April 9th 2014
Second meeting. We decided to look at two versions of phpBB: phpBB 3.0.0 from 2007 and phpBB 3.0.7 from 2010. We generated class documentation for both versions using phpDocumentor. Each of the members was given the assignment to work his/her way through some of phpBB's documentation, review some of our class documentation and see if we can all get Fortify running for next week.
- Roeland: Installed Fortify.
- Stijn: Installed/Verified Fortify. Installed phpBB. Started discovering phpBB.
- Kim: Installed Fortify.
- Joep: Installed and ran Fortify, studied the OWASP ASVS.
- Joey: Ran phpDocumentor, installed/verified Fortify. Checked some of the critical issues to analyse differences between phpBB's versions.
April 16th 2014
Third meeting. We analyzed both versions of phpBB and decided to stick with the 3.0.7 version. The phpBB 3.0.0 version had significantly more errors, most of them trivial errors due to old coding standards, so we decided to stick with a more up-to-date version of phpBB for possibly more interesting security errors :). During the meeting we set up RIPS as well and reviewed a small portion of Fortify's errors. Most of its errors were false positives, but some true positives were found. We reviewed the OWASP verification documents/requirements and gave each member individual assignments for next week related to our verification requirements. It is interesting to note that we made a rather strange observation. When we ran Fortify on the most recent version of phpBB, Fortify generated a total of 3500 issues, which is more than twice the amount for our 3.0.7 version, which seems rather odd. Also, one of our group members used the UNIX version of Fortify, giving slight variations in the issue count; we eventually found out the UNIX version is a different version than the Windows version.
- Roeland: Analyzed Fortify critical issues.
- Stijn: Ran a basic analysis with Fortify on the source code and started checking a few issues to see how Fortify works. We decided I would be diving into requirement 2.2 for checking the echoing of passwords to the user.
- Kim: Analyzed cryptography issues of the Fortify scan.
- Joep: Scanned through the Fortify results, installed RATS, started documentation.
- Joey: Installed RIPS on our shared filespace, ran a basic scan analysis on our source code. Joep and I decided to verify the authentication requirements 2.1 for checking publicly available files for authentication. Verify how Fortify operates and come up with a tool/script that does semantic analysis.
April 23rd 2014
Fourth meeting. We planned to finish each of our assignments and generate the results of our software verification of stage 1B. Most of our verification work was close to ready, so the goal of today was to finish it and start on the final documentation. We decided to stick to the structure of the OWASP report requirements and started generating our report using its structure. We also started updating our wiki, transforming our log files into wiki-readable content. We analyzed and documented our findings on our security requirements for Authentication/Verification and briefly analyzed all our issues in Fortify, RIPS and RATS. We concluded our meeting with assignments mainly focused on our final report.
- Roeland: Analyzed Fortify results, wrote a reflection on Fortify.
- Stijn: Discussed the results of last week and worked out the Password Management related issues from Fortify and RIPS. Started working on the final documentation.
- Kim: Installed RIPS and analyzed results of scan.
- Joep: Wrote first parts of the verification wiki page.
- Joey: Discussed the results of last week, started focusing on writing the final documentation. Ran some extra scans where necessary.
April 30th 2014
Fifth meeting. Today's plan was to work on our reports and finish our documentation wherever we could. Some issues still came up where we required some extra verification (like the install folder which was publicly available). Most of the work today was focused on finishing the scan verification and discussion document.
- Roeland: Ran RATS, analyzed its results and wrote a reflection on it. Also wrote a conclusion on the reflection on code scanning tools.
- Stijn:
- Kim: Wrote report on RIPS.
- Joep: More writing on the report.
- Joey: Finish my section of the report and do the final reading of our documentation before the 5th of May.
May 5th 2014
Sixth meeting. Discussed the content of the second assignment. We reviewed the requirements and the initial setup, and divided all our requirements into several groups for us to work on. Each member of the group has the individual assignment to manually verify and analyze the given verification/cryptographic requirements a week before the deadline. This also includes writing the documentation required for each member's individual requirements.
- Roeland: Assigned the Login and creation group: 2.2, 2.3, 2.4, 2.7, 2.11
- Joep: Assigned the Authentication mechanisms group: 2.5, 2.6
- Joey: Assigned the Private files group: 2.1, 2.8, 2.9, 2.10
- Kim: Assigned the Logging and error management group: 2.12, 7.2, 7.5
- Stijn: Assigned the Crypto group: 7.1, 7.3, 7.4, 7.6, 2.13, 2.14
May 15th 2014
Seventh meeting. Discussed some of the issues we had during manual code verification last week. After a general discussion we continued scanning and verifying the individual requirements that were assigned to us.
- Roeland: Started validating the assigned requirements.
- Joep: Started reading the authentication code.
- Joey: Started finishing the work on verification requirement 2.1 (which was a lot, really). The tool did not provide any help regarding this requirement, so manual code verification of the complete source code had to be done to verify it. This was done for all the public files mentioned in our 1B report.
- Kim:
- Stijn: Started working on the assigned requirements, mainly requirement V7.4.
May 21st 2014
Eighth meeting. Started again with a general discussion of our progress so far. Everybody is making good progress and our 'agreed-upon' deadline to finish the analysis by next week seems to be doable. Then we can focus the last week on translating our verification notes into the 2B report and start working on a coherent combined report of all our analysis for the final 2B report.
- Roeland: Continued validating the requirements; finished it later, in advance of the next meeting, because of planned absence.
- Joep: Writing up the findings of the code analysis of the authentication classes.
- Joey: Close to finishing all the requirements. What's left to do next week is to verify the notes and do some extra verifying of specific functions/modules; the requirement analysis should be complete by then. The verification analysis for my requirements should be complete by next week, including a small description of each of the requirements/issues found.
- Kim:
- Stijn: Continued working on the requirements. V7.4 took more time than planned, but 7.6 and 7.1 were easier to find.
May 28th 2014
Ninth meeting. Some of the work (at least the findings) is finished by now, and where possible we started to work on the documentation for each of our assigned security requirements.
- Roeland:
- Joep:
- Joey: Finished the findings of the assigned security requirements. Processed the individual notes into a coherent collection of words for the wiki's pages. Also started working this week, where possible, on some of the introductory chapters of the 2B report.
- Kim:
- Stijn:
June 4th 2014
Tenth meeting. Discussed the process of the project and OWASP, and made a first final version of the wiki.
- Roeland:
- Joep: Finished code analysis and wrote parts of the process reflection.
- Joey: Finished the document sections of the code analysis, finished the process reflection part and worked through the entire document, fixing any typos or grammatical errors along the way.
- Kim:
- Stijn: Writing part of the report and reading and checking the texts.
June 5th 2014
Last few bytes. Everybody had their final tasks assigned to polish the final version of our 2B report; today we focused on polishing all the details so our report is finished by tomorrow.
- Roeland:
- Joep:
- Joey: Did another re-read of the entire document, updating some of the contents to be more consistent with the document as a whole. Also polished some of my previous sections where possible.
- Kim:
- Stijn: