add more references to the Security Culture project

jgadsden · web-flow · commit d489c3babf75 · 2024-11-30T16:15:59.000Z
diff --git a/draft/04-foundations/00-toc.md b/draft/04-foundations/00-toc.md
@@ -24,6 +24,12 @@ software security for the application or system under development.
 This Developer Guide can only give a brief overview of these concepts,
 for in-depth knowledge refer to the many texts on security such as the [The Cyber Security Body Of Knowledge][cbok].
 
+If changes are being introduced to the security culture of an organization
+then make sure there is management buy-in and clear goals to achieve.
+Without these then attempts to improve the security posture will probably fail - see the
+[Security Culture][culturegoal] project for the importance of getting management,
+security and development teams working together.
+
 Sections:
 
 2.1 [Security fundamentals](#security-fundamentals)  
@@ -37,6 +43,7 @@ Sections:
 The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue0400].
 
 [cbok]: https://www.cybok.org/
+[culturegoal]: https://owasp.org/www-project-security-culture/stable/3-Goal_Setting_and_Security_Team_Collaboration/
 [issue0400]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-foundations/00-toc
 
 \newpage
diff --git a/draft/04-foundations/02-secure-development.md b/draft/04-foundations/02-secure-development.md
@@ -26,6 +26,8 @@ permalink: /draft/foundations/secure_development/
 
 Secure development is described in the OWASP Software Assurance Maturity Model [(SAMM)][samm]
 [Design][sammd], [Implementation][sammi] and [Verification][sammv] business functions.
+Also refer to the [Security Culture][culturewhy] for a good explanation
+on why adding security into the software development lifecycle is important.
 
 #### Prelude
 
@@ -204,6 +206,7 @@ then [submit an issue][issue0402] or [edit on GitHub][edit0402].
 [csproject]: https://owasp.org/www-project-cheat-sheets/
 [csrfguard]: https://owasp.org/www-project-csrfguard/
 [culture]: https://owasp.org/www-project-security-culture/
+[culturewhy]: https://owasp.org/www-project-security-culture/stable/2-Why_Add_Security_In_Development_Teams/
 [cyclone]: https://owasp.org/www-project-cyclonedx/
 [depcheck]: https://owasp.org/www-project-dependency-check/
 [deptrack]: https://dependencytrack.org/
diff --git a/draft/04-foundations/toc.md b/draft/04-foundations/toc.md
@@ -35,6 +35,12 @@ software security for the application or system under development.
 This Developer Guide can only give a brief overview of these concepts,
 for in-depth knowledge refer to the many texts on security such as the [The Cyber Security Body Of Knowledge][cbok].
 
+If changes are being introduced to the security culture of an organization
+then make sure there is management buy-in and clear goals to achieve.
+Without these then attempts to improve the security posture will probably fail - see the
+[Security Culture][culturegoal] project for the importance of getting management,
+security and development teams working together.
+
 Sections:
 
 2.1 [Security fundamentals](01-security-fundamentals.md)  
@@ -49,5 +55,6 @@ The OWASP Developer Guide is a community effort; if there is something that need
 then [submit an issue][issue0400] or [edit on GitHub][edit0400].
 
 [cbok]: https://www.cybok.org/
+[culturegoal]: https://owasp.org/www-project-security-culture/stable/3-Goal_Setting_and_Security_Team_Collaboration/
 [edit0400]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/04-foundations/toc.md
 [issue0400]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-foundations/00-toc
diff --git a/draft/06-design/01-threat-modeling/01-threat-modeling.md b/draft/06-design/01-threat-modeling/01-threat-modeling.md
@@ -29,6 +29,8 @@ The deliverables from threat modeling take various forms including system models
 mitigations or assumptions, meeting notes, and more.
 This may be assembled into a single threat model document; a structured representation of all the information
 that affects the security of an application.
+A good overview of this activity is given in the [Security Culture][culturetm] project section on threat modeling.
+
 In essence, it is a view of the application and its environment through security glasses.
 
 Threat modeling is a process for capturing, organizing, and analyzing all of this information
@@ -267,6 +269,7 @@ then [submit an issue][issue060101] or [edit on GitHub][edit060101].
 [corncards]: https://owasp.org/www-project-cornucopia/
 [ccsnet]: https://cheatsheetseries.owasp.org/cheatsheets/Network_Segmentation_Cheat_Sheet
 [cstm]: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet
+[culturetm]: https://owasp.org/www-project-security-culture/stable/6-Threat_Modelling/
 [eop]: https://shostack.org/games/elevation-of-privilege
 [edit060101]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/06-design/01-threat-modeling/01-threat-modeling.md
 [issue060101]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-design/01-threat-modeling/01-threat-modeling
diff --git a/draft/08-verification/00-toc.md b/draft/08-verification/00-toc.md
@@ -37,6 +37,9 @@ These activities are supported by:
 * Vulnerability management
 * Checklists
 
+Verification is an activity central to the secure software development lifecycle.
+Refer to the [Security Culture][culturetest] project section for the various types of security testing.
+
 Sections:
 
 6.1 [Guides](#verification-guides)  
@@ -58,6 +61,7 @@ Sections:
 
 The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue0800].
 
+[culturetest]: https://owasp.org/www-project-security-culture/stable/7-Security_Testing/
 [issue0800]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2008-verification/00-toc
 [samm]: https://owaspsamm.org/about/
 [sammv]: https://owaspsamm.org/model/verification/
diff --git a/draft/08-verification/04-vulnerability-management/01-defectdojo.md b/draft/08-verification/04-vulnerability-management/01-defectdojo.md
@@ -59,10 +59,12 @@ and with time more integrations with threat modeling tools will become available
 
 #### How to use it
 
-Testing or installing DefectDojo is straight forward using the [installation instructions][defectdojo-install].
-An instance of DefectDojo can be setup using [docker compose][defectdojo-docker] along with the associated scripts
-that handle the dependencies, configure the database, create users and so on.
-Refer to the DefectDojo [documentation][defectdojo-docs] for all the information on alternative deployments,
+Testing or installing DefectDojo is straight forward using the [installation instructions][defectdojo-install];
+the recommended way to run DefectDojo is using a container.
+
+To set up an instance of DefectDojo follow the [docker compose][defectdojo-docker] instructions along with
+the associated scripts that handle the dependencies, configure the database, create users and so on.
+Refer to the DefectDojo [documentation][defectdojo-docs] for further information on alternative deployments,
 setting up, usage and integrations.
 
 #### References
@@ -77,9 +79,9 @@ The OWASP Developer Guide is a community effort; if there is something that need
 then [submit an issue][issue080401] or [edit on GitHub][edit080401].
 
 [defectdojo]: https://www.defectdojo.com/
-[defectdojo-docs]: https://defectdojo.github.io/django-DefectDojo/
+[defectdojo-docs]: https://documentation.defectdojo.com/
 [defectdojo-docker]: https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/DOCKER.md
-[defectdojo-install]: https://defectdojo.github.io/django-DefectDojo/getting_started/installation/
+[defectdojo-install]: https://documentation.defectdojo.com/getting_started/installation/
 [defectdojo-project]: https://owasp.org/www-project-defectdojo/
 [defectdojo-tools]: https://www.defectdojo.com/integrations
 [edit080401]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/08-verification/04-vulnerability-management/01-defectdojo.md
diff --git a/draft/08-verification/toc.md b/draft/08-verification/toc.md
@@ -48,6 +48,9 @@ These activities are supported by:
 * Vulnerability management
 * Checklists
 
+Verification is an activity central to the secure software development lifecycle.
+Refer to the [Security Culture][culturetest] project section for the various types of security testing.
+
 Sections:
 
 6.1 [Guides](01-guides/toc.md)  
@@ -70,6 +73,7 @@ Sections:
 The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0800] or [edit on GitHub][edit0800].
 
+[culturetest]: https://owasp.org/www-project-security-culture/stable/7-Security_Testing/
 [edit0800]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/08-verification/toc.md
 [issue0800]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2008-verification/00-toc
 [samm]: https://owaspsamm.org/about/
diff --git a/draft/09-training-education/00-toc.md b/draft/09-training-education/00-toc.md
@@ -26,7 +26,13 @@ development, testing, or auditing of the applications and systems.
 In addition a Learning Management System or equivalent should be in place to track
 the employee training and certification processes.
 
-OWASP provides various resources and environments that can help with this security training and education.
+It is important to provide activities for development teams;
+we are all human and our security knowledge can become stale without a plan for refreshing it.
+The [Security Culture][cultureacts] project describes various activities that can help developers
+keep up to date and motivated.
+
+OWASP provides various resources and environments that can help with this security training and education
+ranging from vulnerable applications, training platforms and gamification.
 
 Sections:
 
@@ -48,6 +54,7 @@ Sections:
 
 The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue0900].
 
+[cultureacts]: https://owasp.org/www-project-security-culture/stable/5-Activities/
 [issue0900]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2009-training-education/00-toc
 [sammg]: https://owaspsamm.org/model/governance/
 [sammgeg]: https://owaspsamm.org/model/governance/education-and-guidance/
diff --git a/draft/09-training-education/06-mobile-top-ten.md b/draft/09-training-education/06-mobile-top-ten.md
@@ -73,9 +73,9 @@ but they can be applied at any time during development.
 The Mobile Top 10 was [first released in 2014][mobile10-2014], [updated in 2016][mobile10-2016]
 with the latest version [released in 2024][mobile10-2023].
 
-The list of mobile application [controls][mobile10controls] were originally published in 2011
-as the '[Smartphone Secure Development Guideline][ssdg-2011]'. This was then revised during 2016
-and [released in February 2017][ssdg-2017] to inform the latest set of mobile application controls.
+The list of mobile application [controls][mobile10controls] were originally published in 2011 by [ENISA][enisa]
+as the 'Smartphone Secure Development Guideline'.
+This was then revised during 2016, released in February 2017, to inform the latest set of mobile application controls.
 
 ----
 
@@ -101,7 +101,5 @@ then [submit an issue][issue0906] or [edit on GitHub][edit0906].
 [mobile10-2023]: https://owasp.org/www-project-mobile-top-10/2023-risks/
 [mobile10controls]: https://owasp.org/www-project-mobile-top-10/#div-controls
 [mobile10repo]: https://github.com/OWASP/www-project-mobile-top-10/blob/master/README.md
-[ssdg-2011]: https://www.enisa.europa.eu/publications/smartphone-secure-development-guidelines/at_download/fullReport
-[ssdg-2017]: https://www.enisa.europa.eu/publications/smartphone-secure-development-guidelines-2016
 
 \newpage
diff --git a/draft/09-training-education/toc.md b/draft/09-training-education/toc.md
@@ -37,7 +37,13 @@ development, testing, or auditing of the applications and systems.
 In addition a Learning Management System or equivalent should be in place to track
 the employee training and certification processes.
 
-OWASP provides various resources and environments that can help with this security training and education.
+It is important to provide activities for development teams;
+we are all human and our security knowledge can become stale without a plan for refreshing it.
+The [Security Culture][cultureacts] project describes various activities that can help developers
+keep up to date and motivated.
+
+OWASP provides various resources and environments that can help with this security training and education
+ranging from vulnerable applications, training platforms and gamification.
 
 Sections:  
 
@@ -60,6 +66,7 @@ Sections:
 The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0900] or [edit on GitHub][edit0900].
 
+[cultureacts]: https://owasp.org/www-project-security-culture/stable/5-Activities/
 [edit0900]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/09-training-education/toc.md
 [issue0900]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2009-training-education/00-toc
 [sammg]: https://owaspsamm.org/model/governance/
diff --git a/draft/10-culture-process/01-security-culture.md b/draft/10-culture-process/01-security-culture.md
@@ -21,7 +21,7 @@ at each stage of the application security development lifecycle,
 with the aim of creating and nurturing secure development practices throughout the lifecycle.
 
 The Security Culture guide is an [OWASP incubator project][culturerepo]
-and version 1.0 is available as a [web document][culturedoc].
+and the latest stable version is available as a [web document][culturedoc].
 
 #### What is the OWASP Security Culture project
 
@@ -82,15 +82,15 @@ then [submit an issue][issue1001] or [edit on GitHub][edit1001].
 [issue1001]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2010-culture-process/01-security-culture
 [edit1001]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/10-culture-process/01-security-culture.md
 [culture]: https://owasp.org/www-project-security-culture/
-[cultureacts]: https://owasp.org/www-project-security-culture/v10/5-Activities/
+[cultureacts]: https://owasp.org/www-project-security-culture/stable/5-Activities/
 [culturechamps]: https://owasp.org/www-project-security-culture/stable/4-Security_Champions/
 [culturedoc]: https://owasp.org/www-project-security-culture/stable/
-[culturegoal]: https://owasp.org/www-project-security-culture/v10/3-Goal_Setting_and_Security_Team_Collaboration/
-[culturemetrics]: https://owasp.org/www-project-security-culture/v10/8-Metrics/
+[culturegoal]: https://owasp.org/www-project-security-culture/stable/3-Goal_Setting_and_Security_Team_Collaboration/
+[culturemetrics]: https://owasp.org/www-project-security-culture/stable/8-Metrics/
 [culturerepo]: https://github.com/OWASP/www-project-security-culture
-[culturetest]: https://owasp.org/www-project-security-culture/v10/7-Security_Testing/
-[culturetm]: https://owasp.org/www-project-security-culture/v10/6-Threat_Modelling/
-[culturewhy]: https://owasp.org/www-project-security-culture/v10/2-Why_Add_Security_In_Development_Teams/
+[culturetest]: https://owasp.org/www-project-security-culture/stable/7-Security_Testing/
+[culturetm]: https://owasp.org/www-project-security-culture/stable/6-Threat_Modelling/
+[culturewhy]: https://owasp.org/www-project-security-culture/stable/2-Why_Add_Security_In_Development_Teams/
 [dsodast]: https://owasp.org/www-project-devsecops-guideline/latest/02b-Dynamic-Application-Security-Testing
 [dsoiast]: https://owasp.org/www-project-devsecops-guideline/latest/02c-Interactive-Application-Security-Testing
 [dsosast]: https://owasp.org/www-project-devsecops-guideline/latest/02a-Static-Application-Security-Testing
diff --git a/draft/10-culture-process/02-security-champions/01-security-champions-program.md b/draft/10-culture-process/02-security-champions/01-security-champions-program.md
@@ -21,11 +21,12 @@ Organization and Culture activities within the Governance business function of t
 
 #### Overview
 
-Referring to the OWASP [Security Culture project][culturechamps],
-it can be hard to introduce security across development teams using the application security team alone.
-Information security people do not scale across teams of developers.
+It can be hard to introduce a security mindset across development teams using the application security team alone;
+security engineers do not scale well across teams of developers - there is simply not enough of them.
 A good way to scale security and distribute security across development teams is by creating a security champion role
 and providing a Security Champions program to encourage a community spirit within the organization.
+This will help foster a positive security culture within the organization,
+see the [Security Culture project][culturechamps] on how this can be done with security champions.
 
 Security champions are usually individuals within each development team that show special interest in application security.
 The security champion provides a knowledgeable point of contact between the application security team and development,
@@ -82,7 +83,7 @@ increase the effectiveness of the application security team and improve the secu
 
 * [Security Champions Playbook][scplaybook]
 * OWASP [Security Champions Guide][scguide]
-* OWASP [Security Culture project][culturedoc]
+* OWASP [Security Culture][culturedoc] project
 
 ----
 
diff --git a/draft/12-metrics/00-toc.md b/draft/12-metrics/00-toc.md
@@ -45,11 +45,13 @@ The categories of metrics suggested by SAMM are :
 * Environment metrics: the environment where security efforts take place
 
 There are other metrics, perhaps specific to an individual organization, that can also be collected and acted on.
+The [Security Culture][culturemetrics] project provides various examples of metrics that can be considered.
 
 ----
 
 The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue1200].
 
+[culturemetrics]: https://owasp.org/www-project-security-culture/stable/8-Metrics/
 [issue1200]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2012-metrics/00-toc
 [samm]: https://owaspsamm.org/about/
 [sammg]: https://owaspsamm.org/model/governance/
diff --git a/draft/12-metrics/toc.md b/draft/12-metrics/toc.md
@@ -55,13 +55,15 @@ The categories of metrics suggested by SAMM are :
 * Result metrics: the results of security efforts
 * Environment metrics: the environment where security efforts take place
 
-There are other metrics, sometimes specific to an individual organization, that can also be collected and acted on.
+There are other metrics, perhaps specific to an individual organization, that can also be collected and acted on.
+The [Security Culture][culturemetrics] project provides various examples of metrics that can be considered.
 
 ----
 
 The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue1200] or [edit on GitHub][edit1200].
 
+[culturemetrics]: https://owasp.org/www-project-security-culture/stable/8-Metrics/
 [edit1200]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/12-metrics/toc.md
 [issue1200]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2012-metrics/00-toc
 [samm]: https://owaspsamm.org/about/
diff --git a/release-process.md b/release-process.md
@@ -8,8 +8,8 @@ The pre-release process is semi-automatic, and triggers when the repo is tagged
 To trigger the release this process from within a cloned repo use a tag with an `-RCx` suffix,
 where the number is incremented with each release candidate:
 
-1. tag the release, for example for the first release candidate: `git tag 4.1.4-RC1`
-2. push to the repo, for example: `git push origin 4.1.4-RC1`
+1. tag the release, for example for the first release candidate: `git tag 4.1.6-RC1`
+2. push to the repo, for example: `git push origin 4.1.6-RC1`
 
 The github release workflow will then create the pull-request with the proposed modifications to the release area.
 
@@ -24,8 +24,8 @@ When there are no further changes required then move on to the release process.
 The release process is automatic, and triggers when the repo is tagged with a version number.
 To trigger the release this process from within a cloned repo:
 
-1. tag the release, for example: `git tag 4.1.3`
-2. push to the repo, for example: `git push origin 4.1.3`
+1. tag the release, for example: `git tag 4.1.6`
+2. push to the repo, for example: `git push origin 4.1.6`
 
 The github release workflow then creates the pull request
 with modifications to the release area promoted from the draft area.
