Revision as of 08:42, 11 December 2008 by SteveChristey
Building an Assurance Case for ESAPI
- consider adopting software facts label
- identify third-party software
- discuss coding practices that were followed, skill levels of developers, amount of independent review
- publish scanning tool results
- links to DHS web sites and documents
- was OWASP Top Ten followed?
- how was performance and security balanced?
- what is the level of training of the developers? amount of experience in web development?
- were tools part of the whole process or run at the end?
- how was code repository prevented from unauthorized alterations?
- practices for code check-in and independent review - how is introduction of Trojans avoided?