move dos and donts to appendices

Author: jgadsden

.wordlist.txt

@@ -480,3 +480,5 @@ proscriptive
 devsecops
 Janca
 Tesauro
+SAFEcode
+Ecommerce

README.md

@@ -42,7 +42,7 @@ is via the OWASP Slack [#project-developer-guide][project] project channel
 
 ----
 
-OWASP Developer Guide: _accessible security for system and application developers_
+OWASP Developer Guide: _accessible security for developers_
 
 [conduct]: code_of_conduct.md
 [guide]: contributing.md

_data/draft.yaml

@@ -4,7 +4,7 @@ docs:
 - title: '1. Introduction'
   url: introduction
 
-- title: '2. Foundations'
+- title: '*2. Foundations*'
   url: foundations
 
 - title: '2.1 Security fundamentals'
@@ -142,33 +142,6 @@ docs:
 - title: '5.3.3 OWASP Secure Headers Project'
   url: implementation/secure_libraries/secure_headers
 
-- title: '5.4 Implementation Do''s and Don''ts'
-  url: implementation/dos_donts
-
-- title: '5.4.1 Container security'
-  url: implementation/dos_donts/container_security
-
-- title: '5.4.2 Secure coding'
-  url: implementation/dos_donts/secure_coding
-
-- title: '5.4.3 Cryptographic practices'
-  url: implementation/dos_donts/cryptographic_practices
-
-- title: '5.4.4 Application spoofing'
-  url: implementation/dos_donts/application_spoofing
-
-- title: '5.4.5 Content Security Policy (CSP)'
-  url: implementation/dos_donts/content_security_policy
-
-- title: '5.4.6 Exception and error handling'
-  url: implementation/dos_donts/exception_error_handling
-
-- title: '5.4.7 File management'
-  url: implementation/dos_donts/file_management
-
-- title: '5.4.8 Memory management'
-  url: implementation/dos_donts/memory_management
-
 - title: '6. Verification'
   url: verification
 
@@ -214,18 +187,6 @@ docs:
 - title: '6.4.1 DefectDojo'
   url: verification/vulnerability_management/defectdojo
 
-- title: '6.5 Verification Do''s and Don''ts'
-  url: verification/dos_donts
-
-- title: '6.5.1 Secure environment'
-  url: verification/dos_donts/secure_environment
-
-- title: '6.5.2 System hardening'
-  url: verification/dos_donts/system_hardening
-
-- title: '6.5.3 Open Source software'
-  url: verification/dos_donts/open_source_software
-
 - title: '7. Training and Education'
   url: training_education
 
@@ -330,3 +291,45 @@ docs:
 
 - title: '11.2 Bug Logging Tool'
   url: security_gap_analysis/bug_logging_tool
+
+- title: '12. Appendices'
+  url: appendices
+
+- title: '12.1 Implementation Do''s and Don''ts'
+  url: appendices/implementation_dos_donts
+
+- title: '12.1.1 Container security'
+  url: appendices/implementation_dos_donts/container_security
+
+- title: '12.1.2 Secure coding'
+  url: appendices/implementation_dos_donts/secure_coding
+
+- title: '12.1.3 Cryptographic practices'
+  url: appendices/implementation_dos_donts/cryptographic_practices
+
+- title: '12.1.4 Application spoofing'
+  url: appendices/implementation_dos_donts/application_spoofing
+
+- title: '12.1.5 Content Security Policy (CSP)'
+  url: appendices/implementation_dos_donts/content_security_policy
+
+- title: '12.1.6 Exception and error handling'
+  url: appendices/implementation_dos_donts/exception_error_handling
+
+- title: '12.1.7 File management'
+  url: appendices/implementation_dos_donts/file_management
+
+- title: '12.1.8 Memory management'
+  url: appendices/implementation_dos_donts/memory_management
+
+- title: '12.2 Verification Do''s and Don''ts'
+  url: appendices/verification_dos_donts
+
+- title: '12.2.1 Secure environment'
+  url: appendices/verification_dos_donts/secure_environment
+
+- title: '12.2.2 System hardening'
+  url: appendices/verification_dos_donts/system_hardening
+
+- title: '12.2.3 Open Source software'
+  url: appendices/verification_dos_donts/open_source_software

draft/02-toc.md

@@ -65,15 +65,6 @@ permalink:
 5.3.1 [Enterprise Security API library](#enterprise-security-api-library)  
 5.3.2 [CSRFGuard library](#csrfguard-library)  
 5.3.3 [OWASP Secure Headers Project](#owasp-secure-headers-project)  
-5.4 [Implementation Do's and Don'ts](#implementation-dos-and-donts)  
-5.4.1 [Container security](#container-security)  
-5.4.2 [Secure coding](#secure-coding)  
-5.4.3 [Cryptographic practices](#cryptographic-practices)  
-5.4.4 [Application spoofing](#application-spoofing)  
-5.4.5 [Content Security Policy (CSP)](#content-security-policy)  
-5.4.6 [Exception and error handling](#exception-and-error-handling)  
-5.4.7 [File management](#file-management)  
-5.4.8 [Memory management](#memory-management)  
 
 6 **[Verification](#verification)**  
 6.1 [Guides](#verification-guides)  
@@ -90,10 +81,6 @@ permalink:
 6.3.1 [secureCodeBox](#securecodebox)  
 6.4 [Vulnerability management](#verification-vulnerability-management)  
 6.4.1 [DefectDojo](#defectdojo)  
-6.5 [Verification Do's and Don'ts](#verification-dos-and-donts)  
-6.5.1 [Secure environment](#secure-environment)  
-6.5.2 [System hardening](#system-hardening)  
-6.5.3 [Open Source software](#open-source-software)  
 
 7 **[Training and Education](#training-and-education)**  
 7.1 [Vulnerable Applications](#vulnerable-applications)  
@@ -135,4 +122,19 @@ permalink:
 11.1.3 [Mobile Application Security](#mobile-application-security)  
 11.2 [Bug Logging Tool](#bug-logging-tool)  
 
+12 **[Appendices](#appendices)**  
+12.1 [Implementation Do's and Don'ts](#implementation-dos-and-donts)  
+12.1.1 [Container security](#container-security)  
+12.1.2 [Secure coding](#secure-coding)  
+12.1.3 [Cryptographic practices](#cryptographic-practices)  
+12.1.4 [Application spoofing](#application-spoofing)  
+12.1.5 [Content Security Policy (CSP)](#content-security-policy)  
+12.1.6 [Exception and error handling](#exception-and-error-handling)  
+12.1.7 [File management](#file-management)  
+12.1.8 [Memory management](#memory-management)  
+12.2 [Verification Do's and Don'ts](#verification-dos-and-donts)  
+12.2.1 [Secure environment](#secure-environment)  
+12.2.2 [System hardening](#system-hardening)  
+12.2.3 [Open Source software](#open-source-software)  
+
 \newpage

draft/06-design/01-threat-modeling/02-pytm.md

@@ -14,7 +14,7 @@ permalink: /draft/design/threat_modeling/pytm/
 
 <style type="text/css">
 .image-right {
-  height: 180px;
+  height: 200px;
   display: block;
   margin-left: auto;
   margin-right: auto;
@@ -101,6 +101,15 @@ mkdir -p tm
 ./tm.py --seq | java -Djava.awt.headless=true -jar $PLANTUML_PATH -tpng -pipe > tm/seq.png
 ```
 
+#### References
+
+* [Graphviz][graphviz]
+* [pandoc][pandoc]
+* [PlantUML][plantuml]
+* [pytm][pytmrepo]
+* [Spotlight][spotlight06] on pytm
+* [Threat Modeling: a practical guide for development teams][TMchap4]
+
 ----
 
 The OWASP Developer Guide is a community effort; if there is something that needs changing

draft/06-design/01-threat-modeling/04-cornucopia.md

@@ -36,26 +36,63 @@ Cornucopia provides a [set of cards][cornucopia-cards] designed to gamify threat
 This is designed so that agile development teams can identify weaknesses in web applications
 and then record remediations or requirements.
 
-Cornucopia comes with the cards in various suits that cover the various security domains:
+There are three versions of the Cornucopia deck of threat modeling cards:
 
-* Data validation and encoding
+* Website App Edition
+* Mobile App Edition
+* Enterprise App Edition
+
+The decks come with different suits according to the application, and always contain a 'Cornucopia' suit.
+
+There is no one 'right' way to play Cornucopia but there is a suggested [set of rules][cornucopia-play]
+to start the game off.
+Cornucopia provides a [score sheet][cornucopia-score] to help keep track of the game session and to record outcomes.
+
+#### Website App Edition
+
+Each card in the Website App deck describes a common error or anti-pattern that allows systems to be vulnerable to attack.
+Vulnerabilities are arranged in domains as five key suits, with the additional Cornucopia suit ranging across domains:
+
+* Data Validation and Encoding
 * Authentication
-* Session management
+* Session Management
 * Authorization
 * Cryptography
 * Cornucopia
 
-There is no one 'right' way to play Cornucopia but there is a suggested [set of rules][cornucopia-play]
-to start the game off.
-Cornucopia provides a [score sheet][cornucopia-score] to help keep track of the game session and to record outcomes.
+To provide context the Cornucopia Website App cards reference other projects:
 
-To provide context each card in the Cornucopia deck references other OWASP projects:
+* OWASP Application Security Verification Standard ([ASVS][asvs])
+* OWASP Secure Coding Practices ([SCP][scp-v21]]) quick reference guide
+* OWASP [AppSensor][appsensor]
+* Mitre's Common Attack Pattern Enumeration and Classification ([CAPEC][capec])
+* [SAFEcode][safecode]
 
-* Application Security Verification Standard ([ASVS][asvs])
-* Secure Coding Practices ([SCP][scp-v21]]) Quick Reference Guide
-* [AppSensor][appsensor]
+The SCP quick reference guide has now been incorporated as part of this [Developer Guide](../02-web-app-checklist/toc.md).
 
-The SCP reference guide has now been incorporated into part of the [Developer Guide](../02-web-app-checklist/toc.md) itself.
+#### Mobile App Edition
+
+Similarly to the website application deck, the mobile application deck has five domains/suits,
+with Cornucopia cross domain:
+
+* Platform and Code
+* Authentication and Authorization
+* Network and Storage
+* Resilience
+* Cryptography
+* Cornucopia
+
+To provide context the Cornucopia Mobile App cards reference other projects:
+
+* OWASP Mobile Application Security Verification Standard ([MASVS][masvs])
+* OWASP Mobile Application Security Testing Guide ([MASTG][mastg])
+* Mitre's Common Attack Pattern Enumeration and Classification ([CAPEC][capec])
+* [SAFEcode][safecode]
+
+#### Ecommerce Website Edition
+
+This is the original Cornucopia deck and has the same domains/suits, including the Cornucopia cross domain suit,
+as the Website App Edition. Some of the vulnerabilities are specific to Ecommerce, and it references the same projects.
 
 #### Why use it?
 
@@ -90,19 +127,35 @@ The suggested order of play is:
 Remember that the outcome of the game is to identify possible threats and propose remediations,
 as well as having a good time.
 
+#### References
+
+* [AppSensor][appsensor]
+* Application Security Verification Standard, [ASVS][asvs]
+* Common Attack Pattern Enumeration and Classification, [CAPEC][capec]
+* [Cornucopia][cornucopia]
+* Mobile Application Security Verification Standard, [MASVS][masvs])
+* Mobile Application Security Testing Guide, [MASTG][mastg])
+* [Secure Coding Practices][scp-v21] quick reference guide
+* [SAFEcode][safecode]
+* [Spotlight][spotlight16] on Cornucopia
+
 ----
 
 The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue060104] or [edit on GitHub][edit060104].
 
 [appsensor]: https://owasp.org/www-project-appsensor/
 [asvs]: https://owasp.org/www-project-application-security-verification-standard/
+[capec]: https://capec.mitre.org/
 [cornucopia]: https://owasp.org/www-project-cornucopia/
 [cornucopia-cards]: https://owasp.org/www-project-cornucopia#div-cards
 [cornucopia-score]: https://owasp.org/www-project-cornucopia/assets/files/Cornucopia-scoresheet.pdf
 [cornucopia-play]: https://owasp.org/www-project-cornucopia#div-play
 [edit060104]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/06-design/01-threat-modeling/04-cornucopia.md
 [issue060104]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2006-design/01-threat-modeling/04-cornucopia
+[mastg]: https://mas.owasp.org/MASTG/
+[masvs]: https://mas.owasp.org/MASVS/
+[safecode]: https://safecode.org/
 [scp-v21]: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/assets/docs/OWASP_SCP_Quick_Reference_Guide_v21.pdf
 [spotlight16]: https://youtu.be/NesxjEGX58s
 

draft/06-design/03-mas-checklist.md

@@ -29,17 +29,15 @@ permalink: /draft/design/mas_checklist/
 The OWASP [Mobile Application Security][masproject] (MAS) flagship project has the mission statement:
 "Define the industry standard for mobile application security".
 
-The MAS project covers the processes, techniques, and tools used for security testing a mobile application,
-as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.
 The OWASP MAS project provides the [Mobile Application Security Verification Standard][masvs] (MASVS)
 for mobile applications and a comprehensive [Mobile Application Security Testing Guide][mastg] (MASTG).
 
 The [Mobile Application Security Checklist][masc] contains links to the MASTG test cases for each MASVS control.
 
 #### What is MAS Checklist?
 
-The MAS Checklist provides a checklist that keeps track of the MASTG test cases for each MASVS control,
-and the checklist is split out into categories that match the MASVS categories:
+The MAS Checklist provides a checklist that keeps track of the MASTG test cases for a given MASVS control.
+This MAS Checklist is split out into categories that match the MASVS categories:
 
 * [MASVS-STORAGE](https://mas.owasp.org/checklists/MASVS-STORAGE/) sensitive data storage
 * [MASVS-CRYPTO](https://mas.owasp.org/checklists/MASVS-CRYPTO/) cryptography best practices
@@ -65,6 +63,12 @@ The [spreadsheet download][masxls] allows the status of each test to be recorded
 with a separate sheet for each MASVS category.
 This record of test results can be used as evidence for compliance purposes.
 
+#### References
+
+* Mobile Application Security ([MAS][masproject]) project
+* MAS [Checklist][masc]
+* MAS Verification Standard ([MASVS][masvs])
+
 ----
 
 The OWASP Developer Guide is a community effort; if there is something that needs changing

draft/07-implementation/00-toc.md

@@ -49,15 +49,6 @@ Sections:
 5.3.1 [Enterprise Security API library](#enterprise-security-api-library)  
 5.3.2 [CSRFGuard library](#csrfguard-library)  
 5.3.3 [OWASP Secure Headers Project](#owasp-secure-headers-project)  
-5.4 [Implementation Do's and Don'ts](#implementation-dos-and-donts)  
-5.4.1 [Container security](#container-security)  
-5.4.2 [Secure coding](#secure-coding)  
-5.4.3 [Cryptographic practices](#cryptographic-practices)  
-5.4.4 [Application spoofing](#application-spoofing)  
-5.4.5 [Content Security Policy (CSP)](#content-security-policy)  
-5.4.6 [Exception and error handling](#exception-and-error-handling)  
-5.4.7 [File management](#file-management)  
-5.4.8 [Memory management](#memory-management)  
 
 ----
 

draft/07-implementation/toc.md

@@ -62,15 +62,6 @@ Sections:
 5.3.1 [Enterprise Security API library](03-secure-libraries/01-esapi.md)  
 5.3.2 [CSRFGuard library](03-secure-libraries/02-csrf-guard.md)  
 5.3.3 [OWASP Secure Headers Project](03-secure-libraries/03-secure-headers.md)  
-5.4 [Implementation Do's and Don'ts](04-dos-donts/toc.md)  
-5.4.1 [Container security](04-dos-donts/01-container-security.md)  
-5.4.2 [Secure coding](04-dos-donts/02-secure-coding.md)  
-5.4.3 [Cryptographic practices](04-dos-donts/03-cryptographic-practices.md)  
-5.4.4 [Application spoofing](04-dos-donts/04-application-spoofing.md)  
-5.4.5 [Content Security Policy (CSP)](04-dos-donts/05-content-security-policy.md)  
-5.4.6 [Exception and error handling](04-dos-donts/06-exception-error-handling.md)  
-5.4.7 [File management](04-dos-donts/07-file-management.md)  
-5.4.8 [Memory management](04-dos-donts/08-memory-management.md)  
 
 ----
 

draft/08-verification/00-toc.md

@@ -51,10 +51,6 @@ Sections:
 6.3.1 [secureCodeBox](#securecodebox)  
 6.4 [Vulnerability management](#verification-vulnerability-management)  
 6.4.1 [DefectDojo](#defectdojo)  
-6.5 [Do's and Don'ts](#verification-dos-and-donts)
-6.5.1 [Secure environment](#secure-environment)  
-6.5.2 [System hardening](#system-hardening)  
-6.5.3 [Open Source software](#open-source-software)  
 
 ----