ESAPI Assurance

Revision as of 08:42, 11 December 2008 by SteveChristey (Talk | contribs)

Jump to: navigation, search

Building an Assurance Case for ESAPI

  • consider adopting software facts label
  • identify third-party software
  • discuss coding practices that were followed, skill levels of developers, amount of independent review
  • publish scanning tool results
  • links to DHS web sites and documents

Coding Practices

  • was OWASP Top Ten followed?
  • how was performance and security balanced?
  • what is the level of training of the developers? amount of experience in web development?
  • were tools part of the whole process or run at the end?
  • how was code repository prevented from unauthorized alterations?
  • practices for code check-in and independent review - how is introduction of Trojans avoided?