billyJoePiano / TenaPull

TenaPull is a configurable Java application which fetches and processes the data from one or more Nessus APIs, and converts it into JSON outputs that are usable by Splunk

Peer feedback #4

Closed cdmckinley closed 2 years ago

cdmckinley commented 2 years ago

Design/Code Review 1

Project: NessusTools

Developer: Bill Anderson

Reviewer: Craig McKinley

| Item | Considerations | Comments/Suggestions |
| --- | --- | --- |
| | | Reviewer comments and suggestions go here. Each item should have at least one "kudos" and two suggestions for improvement |
| Problem Statement | 1. Accurately describes project purpose<br>2. Is professional and free of typos, slang, etc.<br>3. Fully explains the problem and the solution<br>4. Is understandable by the average person | You seem to have some really good ideas here! Access to the scanning of vulnerabilities is definitely important for security purposes. As I'm more focused on code than security with my studies, I have a bit of a difficult time understanding some terminology. |
| Design Documentation | 1. Navigation/flow through the application is logical and easy to use.<br>2. The order in which values are displayed is logical and easy to understand/use<br>3. The order in which the form fields are entered is logical and easy to understand/use<br>4. All data discussed/documented (problem statement, flow, db design, etc.) is represented on the screens | This screen design looks great for getting the information quickly and in detail. I also like how you're highlighting vulnerabilities, as that will save a lot of time for the user. I wonder how this would look on a mobile device, as there's a lot of information here. |
| Data model/Database | 1. Everything on the screens and problem statement/flow is represented in the model<br>2. There is at least one 1-to-many relationship.<br>3. The model represents good database design | This would be good to start soon. I'm sure it will be great :slightly_smiling_face: |
| Code | 1. Proper Maven project structure is used<br>2. A .gitignore file for IntelliJ Java projects has been implemented<br>3. There is not any redundant or copy/paste code in the JSPs or classes<br>4. Classes are appropriately sized (no monster classes)<br>Property files are used appropriately: no hard-coded values<br>5. Logging statements are used rather than System.out.println and printStackTrace.<br>6. There are appropriate unit tests/code coverage. | This would be good to start soon. I'm sure it will be great :slightly_smiling_face: |

billyJoePiano commented 2 years ago

@cdmckinley Thanks for the feedback.

It's good to hear from two people not as well versed in the cyber-security world. I suppose it might be good to explain some of the concepts better. I should mention that the primary users of this are going to be in either security or security-adjacent technology-services roles (e.g. Server Admin, Desktop Engineering, etc).

Regarding the mobile device question... I think this is going to be designed for desktop only at this point. It would just have too much detailed information to display well on a mobile phone, although that could be a good iteration 2 idea. One of the other ideas proposed by my cyber security supervisors was a native mobile app for Splunk, but that didn't seem to fit the nature of the project requirements. Being a browser-based client-side UI, I suppose I could try to incorporate mobile design into it as well, but I see that as being a somewhat lower priority at this point