all pages now have some content

Author: jgadsden

.wordlist.txt

@@ -429,3 +429,44 @@ enum
 intel
 subcommand
 subcommands
+kubernetes
+modularized
+ChartMuseum
+CMS
+CMSeeK
+Joomla
+WPScan
+Wordpress
+Kube
+Kubeaudit
+doggo
+Ncrack
+bruteforcing
+Nmap
+Whatweb
+Gitleaks
+Semgrep
+SSLyze
+ffuf
+Nikto
+Screenshooter
+OpenAPI
+Trivy
+scalable
+JSR
+Keyczar
+Tink
+Shiro
+OSS
+Sonatype
+DotNet
+HAPI
+NodeJS
+hsecscan
+SecurityHeaders
+Recx
+testssl
+DrHEADer
+csp
+DocX
+MOBI

_data/draft.yaml

@@ -190,33 +190,24 @@ docs:
 - title: '6.2.1 Zed Attack Proxy'
   url: verification/tools/zed_attack_proxy
 
-- title: '6.2.2 Code Pulse'
-  url: verification/tools/code_pulse
-
-- title: '6.2.3 Amass'
+- title: '6.2.2 Amass'
   url: verification/tools/amass
 
-- title: '6.2.4 Offensive Web Testing Framework'
+- title: '6.2.3 Offensive Web Testing Framework'
   url: verification/tools/offensive_web_testing_framework
 
-- title: '6.2.5 Nettacker'
+- title: '6.2.4 Nettacker'
   url: verification/tools/nettacker
 
-- title: '6.2.6 OWASP Secure Headers Project'
+- title: '6.2.5 OWASP Secure Headers Project'
   url: verification/tools/secure_headers
 
 - title: '6.3 Frameworks'
   url: verification/frameworks
 
-- title: '6.3.1 Glue'
-  url: verification/frameworks/glue
-
-- title: '6.3.2 secureCodeBox'
+- title: '6.3.1 secureCodeBox'
   url: verification/frameworks/secure_codebox
 
-- title: '6.3.3 Dracon'
-  url: verification/frameworks/dracon
-
 - title: '6.4 Vulnerability management'
   url: verification/vulnerability_management
 

contributing.md

@@ -2,10 +2,11 @@
 
 ### Contributing
 
-The Developer Guide needs to be updated for the modern security landscape,
-and OWASP is reviving this project to do just that.
-The project has a team of leaders that will oversee the project
-and now we need as many members of the security community as possible to contribute.
+The Developer Guide has been updated for the modern security landscape,
+concentrating less on covering everything in one document and more on introducing a subject/project
+and then suggesting where more in-depth information can be found.
+The project has a team of leaders that oversee the project
+and contributions from members of the security community are positively encouraged.
 
 All contributions and suggestions are certainly welcome, and we ask that
 you follow the [contributing code of conduct][conduct].
@@ -38,13 +39,13 @@ and keeps track of progress towards each milestone.
 ### Style Guide
 
 The Developer Guide will have many contributors, and it is an aim to keep the style of writing similar throughout.
-It would be good to keep to a style used in OWASP flagship projects [ASVS][asvs] and [WSTG][wstg],
+Follow the style used in OWASP flagship projects [ASVS][asvs] and [WSTG][wstg],
 which is speaking from first person plural and semi-formal in tone.
 
 ### Technical level
 
 Generally the guide is aimed at the introductory to medium technical levels,
-and should rarely deal with a subject at an advanced level.
+and should rarely deal with any subject at an advanced level.
 This is a deliberate policy that makes the guide accessible and keeps the length reasonable.
 
 The overview/introduction of the main sections should be aimed at the introductory level,
@@ -54,13 +55,24 @@ instead provide links to these specialist security knowledge bases.
 
 ### Page structure
 
-Each sub-section should deal with one specific subject, for example 'Threat modeling' or 'Digests'.
-The sub-sections ideally follow the same structure:
+Each sub-section should deal with one specific subject, for example 'Threat modeling',
+or a single project such as the OWASP 'Threat Dragon' Builder/Tool project.
 
-1. Overview, summarising the subject at an introductory level
-2. Main body, explaining the subject to a medium/general level
-3. Further reading, providing links to the subject at an advanced/detailed level
-4. Resources, providing links to tools and applications that may be used when working within this domain
+Sub-sections that describe an individual project should follow the same structure:
+
+1. Introduction, summarising the project at a very high level:
+  _supply a couple of sentences on the project including its status as an OWASP project and where to find it_
+2. The 'What', explaining what the project is to a general level:
+  _go into more detail about the project so that a developer can gain an overview of what this project can provide for them_
+3. The 'Why', explaining why developers will want to use the project:
+  _provide more context for project that allows developers to determine whether to use it in their team_
+4. The 'How', describe how to get started with the project
+  _give a brief outline of how the project provides value for a web application development team_
+  _Do not repeat the project documentation itself; ideally provide a primer and a pointer to the project documentation_
+5. Further reading or resources, if any, providing links on the project at an advanced/detailed level
+
+Note that the page describing a project should not be the same as the project documentation on the OWASP site,
+the Developer Guide should strive to be a ' TL;DR ' for the project running to one or maybe two pages.
 
 ### Pull requests
 

draft/02-toc.md

@@ -82,15 +82,12 @@ permalink:
 6.1.3 [Application Security Verification Standard](#application-security-verification-standard)  
 6.2 [Tools](#verification-tools)  
 6.2.1 [Zed Attack Proxy](#zed-attack-proxy)  
-6.2.2 [Code Pulse](#code-pulse)  
-6.2.3 [Amass](#amass)  
-6.2.4 [Offensive Web Testing Framework](#offensive-web-testing-framework)  
-6.2.5 [Nettacker](#nettacker)  
-6.2.6 [OWASP Secure Headers Project](#secure-headers-project)  
+6.2.2 [Amass](#amass)  
+6.2.3 [Offensive Web Testing Framework](#offensive-web-testing-framework)  
+6.2.4 [Nettacker](#nettacker)  
+6.2.5 [OWASP Secure Headers Project](#secure-headers-project)  
 6.3 [Frameworks](#verification-frameworks)  
-6.3.1 [Glue](#glue)  
-6.3.2 [secureCodeBox](#securecodebox)  
-6.3.3 [Dracon](#dracon)  
+6.3.1 [secureCodeBox](#securecodebox)  
 6.4 [Vulnerability management](#verification-vulnerability-management)  
 6.4.1 [DefectDojo](#defectdojo)  
 6.5 [Verification Do's and Don'ts](#verification-dos-and-donts)  

draft/03-introduction.md

@@ -49,8 +49,8 @@ Application developers should try to be familiar with the entire guide;
 it is far harder to write solid applications than to destroy them.
 
 You can regard the purpose of this guide as answering the question:
- “I am a developer and I need a reference source to navigate the numerous projects
- and describe the security activities I really should be doing”
+ “I am a developer and I need a reference guide to describe the security activities I really should be doing
+ and to navigate the numerous security tools and projects”
 
 Or you can regard this guide as a companion document to the OWASP [Application Wayfinder][wayfinder] project:
 the Wayfinder maps out the many OWASP tools, projects and documents with the Developer Guide providing some context.

draft/04-foundations/02-secure-development.md

@@ -76,7 +76,7 @@ There are many OWASP tools and resources to help build security into the SDLC.
     100% include in every project" and this is certainly good advice. Implementing these controls can provide
     a high degree of confidence that the application or system will be reasonably secure.
     OWASP provides two libraries that can be incorporated in web applications,
-    the [Enterprise Security API (ESAPI)][esapi] security control library
+    the [Enterprise Security API (ESAPI)][esapi-project] security control library
     and [CSRFGuard][csrfguard] to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks,
     that help implement these proactive controls. In addition the OWASP [Cheat Sheet Series][cheatproject]
     is a valuable source of information and advice on all aspects of applications security.
@@ -160,7 +160,7 @@ There are many OWASP tools and resources to help build security into the SDLC.
 * [CSRFGuard library][csrfguard]
 * [Dependency-Check Software Composition Analysis (SCA)][depcheck]
 * [Dependency-Track Continuous SBOM Analysis Platform][deptrack]
-* [Enterprise Security API][esapi] (ESAPI)
+* [Enterprise Security API][esapi-project] (ESAPI)
 * [Integration Standards project Application Wayfinder][wayfinder]
 * [Mobile Application Security][mas] (MAS)
 * [Pythonic Threat Modeling][pytm]
@@ -186,7 +186,7 @@ then [submit an issue][issue0402] or [edit on GitHub][edit0402].
 [devsecops]: https://owasp.org/www-project-devsecops-guideline/
 [dojo]: https://www.defectdojo.org/
 [edit0402]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/04-foundations/02-secure-development.md
-[esapi]: https://owasp.org/www-project-enterprise-security-api/
+[esapi-project]: https://owasp.org/www-project-enterprise-security-api/
 [github]: https://github.com/
 [gitlab]: https://about.gitlab.com/
 [issue0402]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-foundations/02-secure-development

draft/06-design/01-threat-modeling/04-cornucopia.md

@@ -38,7 +38,7 @@ Cornucopia provides a [score sheet][cornucopia-score] to help keep track of the
 To provide context each card in the Cornucopia deck references other OWASP projects:
 
 * Application Security Verification Standard ([ASVS][asvs])
-* Secure Coding Practices ([SCP][scp])
+* Secure Coding Practices ([SCP][scp-v21]]) Quick Reference Guide
 * [AppSensor][appsensor]
 
 The SCP has now been incorporated into the now part of the [Developer Guide](../02-web-app-checklist/toc.md)
@@ -89,7 +89,7 @@ then [submit an issue][issue060104] or [edit on GitHub][edit060104].
 [cornucopia-play]: https://owasp.org/www-project-cornucopia#div-play
 [edit060104]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/06-design/01-threat-modeling/04-cornucopia.md
 [issue060104]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2006-design/01-threat-modeling/04-cornucopia
-[scp]: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/assets/docs/OWASP_SCP_Quick_Reference_Guide_v21.pdf
+[scp-v21]: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/assets/docs/OWASP_SCP_Quick_Reference_Guide_v21.pdf
 [spotlight16]: https://youtu.be/NesxjEGX58s
 
 \newpage

draft/07-implementation/01-documentation/02-go-scp.md

@@ -3,7 +3,7 @@
 title: Go Secure Coding Practices
 layout: col-document
 tags: OWASP Developer Guide
-contributors:
+contributors: Jon Gadsden
 document: OWASP Developer Guide
 order: 712
 permalink: /draft/implementation/documentation/go_scp/
@@ -14,32 +14,63 @@ permalink: /draft/implementation/documentation/go_scp/
 
 ### 5.1.2 Go Secure Coding Practices
 
-To Do: supply a couple of sentences on the OWASP Go Secure Coding Practices (SCP) documentation project,
-including its status as an OWASP project and where to find it.
+The OWASP Go Secure Coding Practices (Go-SCP) is a set of software secure coding practices for Go.
 
-#### What is Go SCP?
+The Go-SCP [documentation project][go-scp-project] is an OWASP Incubator Project
+that has enough long term support to achieve Lab status soon.
+The document can be [downloaded in various formats][go-scp-download] from the github repo.
 
-To Do: go into more detail about the Go SCP project so that a developer
-can gain an overview of what this documentation project can provide for them.
+#### What is Go-SCP?
 
-#### Why use Go SCP?
+Go-SCP provides examples and recommendations to help developers avoid common mistakes and pitfalls,
+including code examples in Go that provide practical guidance on implementing the recommendations.
+Go-SCP covers the OWASP [Secure Coding Practices Quick Reference Guide][scp-qrf] topic-by-topic:
 
-To Do: provide more context for Go SCP that allows developers to determine whether to use it in their project.
+* Input Validation
+* Sanitization Output Encoding
+* Authentication and Password Management
+* Session Management
+* Access Control
+* Cryptographic Practices
+* Error Handling and Logging
+* Data Protection
+* Communication Security
+* System Configuration
+* Database Security
+* File Management
+* Memory Management
+* General Coding Practices
 
-#### How to apply Go SCP
+The [Go Secure Coding Practices][go-scp-project] book is available in various formats:
 
-To Do: give a brief outline of how applying the Go SCP project provides value for a development team.
-Do not repeat the project documentation itself; ideally provide a primer and a pointer to the documentation.
+* PDF
+* ePub
+* DocX
+* MOBI
 
-----
+#### Why use Go-SCP?
 
-![Developer Guide](../../../assets/images/dg_wip.png "OWASP Developer Guide")
+Development teams often need help and support in getting the security right for web applications,
+and part of this help comes from secure coding guidelines and best practices.
+Go-SCP provides this guidance for a wide range of secure coding topics as well as providing practical code examples.
 
-The OWASP Developer Guide is a community effort and this page needs some content to be added.
-If you have suggestions then [submit an issue][issue070102] and the project team can assign it to you,
-or provide new content [direct on GitHub][edit070102].
+#### How to use Go-SCP?
+
+The primary audience of the Go Secure Coding Practices Guide is developers,
+particularly the ones with previous experience with other programming languages.
+
+Download the [Go-SCP document][go-scp-download] in one of the formats: PDF, ePub, DocX and MOBI.
+Refer to the specific topic chapter and then use the example Go code snippets for practical guidance on secure coding in Go.
+
+----
+
+The OWASP Developer Guide is a community effort; if there is something that needs changing
+then [submit an issue][issue070102] or [edit on GitHub][edit070102].
 
-[issue070102]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2007-implementation/01-documentation/02-go-scp
 [edit070102]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/07-implementation/01-documentation/02-go-scp.md
+[go-scp-download]: https://github.com/OWASP/Go-SCP/tree/master/dist
+[go-scp-project]: https://owasp.org/www-project-go-secure-coding-practices-guide/
+[issue070102]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2007-implementation/01-documentation/02-go-scp
+[scp-qrf]: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
 
 \newpage