Software Security/Group 9/Reflection

Version by Erik Poll (talk | contributions) on 5 Jul 2011 at 11:12 (Reflection on the whole process)

Reflection on the whole process

  • Code review is a laborious process. Code scanners and guidelines like ASVS might help to make this process easier.
  • Most code scanners focus on particular classes of attacks, such as SQL injection and XSS. During our process, we found out that commercial tools work better than free/open source ones, probably because more effort is spent on the development of those tools. Unfortunately, we didn't find those tools helpful for the requirement we were looking at.
  • We found out that it is helpful to figure out the architecture of the whole program before starting manual code review, because then we can focus our review on the relevant files.
  • As might be evident from our logs, we spent much time experimenting with code scanners. This might not be the most effective way to do code review for V2.
  • Applying project management techniques seems to be useful in improving the involvement of all group members.

Erik: good points!