Difference between revisions of "ESAPI Assurance"

From OWASP
Jump to: navigation, search
(New page: == Building an Assurance Case for ESAPI == * consider adopting software facts label * identify third-party software * discuss coding practices that were followed, skill levels of develo...)
 
(Building an Assurance Case for ESAPI)
Line 2: Line 2:
  
 
* consider adopting software facts label
 
* consider adopting software facts label
 +
  http://swaconsortium.org/projects/softwareFacts/softwareFacts.html
  
 
* identify third-party software
 
* identify third-party software
Line 10: Line 11:
  
 
* links to DHS web sites and documents
 
* links to DHS web sites and documents
 +
 +
== Coding Practices ==
 +
 +
* was OWASP Top Ten followed?
 +
 +
* how was performance and security balanced?
 +
 +
* what is the level of training of the developers?  amount of experience in web development?
 +
 +
* were tools part of the whole process or run at the end?
 +
 +
* how was code repository prevented from unauthorized alterations?
 +
 +
* practices for code check-in and independent review - how is introduction of Trojans avoided?

Revision as of 09:42, 11 December 2008

Building an Assurance Case for ESAPI

  • consider adopting software facts label
 http://swaconsortium.org/projects/softwareFacts/softwareFacts.html
  • identify third-party software
  • discuss coding practices that were followed, skill levels of developers, amount of independent review
  • publish scanning tool results
  • links to DHS web sites and documents

Coding Practices

  • was OWASP Top Ten followed?
  • how was performance and security balanced?
  • what is the level of training of the developers? amount of experience in web development?
  • were tools part of the whole process or run at the end?
  • how was code repository prevented from unauthorized alterations?
  • practices for code check-in and independent review - how is introduction of Trojans avoided?