Merge pull request #271 from andreashappe/patch-1

andreashappe · web-flow · commit dbdebcab3054 · 2024-09-05T12:11:18.000+02:00
Update to new OWASP Top 10 Proactive Controls
diff --git a/.wordlist.txt b/.wordlist.txt
@@ -506,4 +506,5 @@ WHATWG
 OpenCRE
 opencre
 br
-
+Andreas
+Happe
diff --git a/draft/04-foundations/03-security-principles.md b/draft/04-foundations/03-security-principles.md
@@ -3,7 +3,7 @@
 title: Principles of Security
 layout: col-document
 tags: OWASP Developer Guide
-contributors: Jon Gadsden, Johan Sydseter
+contributors: Jon Gadsden, Johan Sydseter, Andreas Happe
 document: OWASP Developer Guide
 order: 403
 permalink: /draft/foundations/security_principles/
@@ -187,11 +187,12 @@ and are therefore likely to be even more secure.
   * [Authentication Cheat Sheet][csauthn]
   * [Authorization Cheat Sheet][csauthz]
   * [Secure Product Design Cheat Sheet][spdcs]
+* OWASP Top 10 Proactive Controls
+  * [C5: Secure by Default Configurations](https://top10proactive.owasp.org/the-top-10/c5-secure-by-default/)
 * Other
   * [Compartmentalization (information security)](https://en.wikipedia.org/wiki/Compartmentalization_(information_security)),
 (Wikipedia)
   * [Least Functionality](https://csf.tools/reference/nist-sp-800-53/r5/cm/cm-7/), (NIST)
-  * [Secure by Default](https://en.wikipedia.org/wiki/Secure_by_default), (Wikipedia)
   * [Security by Design](https://pubs.opengroup.org/security/o-esa/#_Toc291061712), (Open Group)
   * [Usability and Manageability](https://pubs.opengroup.org/security/o-esa/#_Toc291061714), (Open Group)
 
diff --git a/draft/05-requirements/00-toc.md b/draft/05-requirements/00-toc.md
@@ -3,7 +3,7 @@
 title: Requirements
 layout: col-document
 tags: OWASP Developer Guide
-contributors: Jon Gadsden
+contributors: Jon Gadsden, Andreas Happe
 document: OWASP Developer Guide
 order:
 permalink:
@@ -16,7 +16,7 @@ permalink:
 
 ## 3. Requirements
 
-Referring to the OWASP [Top Ten Proactive Controls][control1], security requirements are statements of
+Security requirements are statements of
 security functionality that ensure the different security properties of a software application are being satisfied.
 Security requirements are derived from industry standards, applicable laws, and a history of past vulnerabilities.
 Security requirements define new features or additions to existing features to solve a specific security problem
@@ -50,7 +50,6 @@ Sections:
 
 The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue0500].
 
-[control1]: https://owasp.org/www-project-proactive-controls/v3/en/c1-security-requirements
 [issue0500]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2005-requirements/00-toc
 [samm]: https://owaspsamm.org/about/
 [sammd]: https://owaspsamm.org/model/design/
diff --git a/draft/05-requirements/01-requirements.md b/draft/05-requirements/01-requirements.md
@@ -3,7 +3,7 @@
 title: Requirements in Practice
 layout: col-document
 tags: OWASP Developer Guide
-contributors: Jon Gadsden
+contributors: Jon Gadsden, Andreas Happe
 document: OWASP Developer Guide
 order: 501
 permalink: /draft/requirements/requirements_in_practice/
@@ -37,11 +37,6 @@ but there is no wrong time to consider these security requirements and add new o
 
 #### Software requirements
 
-The OWASP [Top Ten Proactive Controls][proactive10] describes the most important categories of controls
-that architects and developers should include in every project.
-At the head of the list of controls is [C1: Define Security Requirements][control1]
-and this reflects the importance of software security requirements: without them the development will not be secure.
-
 Defining security requirements can be daunting at times,
 for example they may reference cryptographic techniques that can be misapplied,
 but it is perfectly acceptable to state these requirements in everyday language.
@@ -120,7 +115,6 @@ then [submit an issue][issue0501] or [edit on GitHub][edit0501].
 
 [asvs]: https://owasp.org/www-project-application-security-verification-standard/
 [csabuse]: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet
-[control1]: https://owasp.org/www-project-proactive-controls/v3/en/c1-security-requirements
 [issue0501]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2005-requirements/01-requirements
 [mas]: https://mas.owasp.org/
 [edit0501]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/05-requirements/01-requirements.md
diff --git a/draft/05-requirements/toc.md b/draft/05-requirements/toc.md
@@ -3,7 +3,7 @@
 title: Requirements
 layout: col-document
 tags: OWASP Developer Guide
-contributors: Jon Gadsden
+contributors: Jon Gadsden, Andreas Happe
 document: OWASP Developer Guide
 order: 500
 permalink: /draft/requirements/
@@ -26,12 +26,6 @@ permalink: /draft/requirements/
 
 ## 3. Requirements
 
-Referring to the OWASP [Top Ten Proactive Controls][control1], security requirements are statements of
-security functionality that ensure the different security properties of a software application are being satisfied.
-Security requirements are derived from industry standards, applicable laws, and a history of past vulnerabilities.
-Security requirements define new features or additions to existing features to solve a specific security problem
-or eliminate potential vulnerabilities.
-
 Security requirements also provide a foundation of vetted security functionality for an application.
 Instead of creating a custom approach to security for every application,
 standard security requirements allow developers to reuse the definition of security controls and best practices;
@@ -61,7 +55,6 @@ Sections:
 The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0500] or [edit on GitHub][edit0500].
 
-[control1]: https://owasp.org/www-project-proactive-controls/v3/en/c1-security-requirements
 [edit0500]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/05-requirements/toc.md
 [issue0500]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2005-requirements/00-toc
 [samm]: https://owaspsamm.org/about/
diff --git a/draft/06-design/02-web-app-checklist/01-define-security-requirements.md b/draft/06-design/02-web-app-checklist/01-define-security-requirements.md
@@ -3,7 +3,7 @@
 title: Define Security Requirements Checklist
 layout: col-document
 tags: OWASP Developer Guide
-contributors: Jon Gadsden
+contributors: Jon Gadsden, Andreas Happe
 document: OWASP Developer Guide
 order: 621
 permalink: /draft/design/web_app_checklist/define_security_requirements/
@@ -17,7 +17,7 @@ permalink: /draft/design/web_app_checklist/define_security_requirements/
 A security requirement is a statement of security functionality that ensures software security is being satisfied.
 Security requirements are derived from industry standards, applicable laws, and a history of past vulnerabilities.
 
-Refer to proactive control [C1: Define Security Requirements][control1] and its [cheatsheets][csproactive-c1]
+Refer to proactive control [C4: Address Security form the Start][control4] and its [cheatsheets][csproactive-c1]
 for more context from the OWASP Top 10 Proactive Controls project,
 and use the lists below as suggestions for a checklist that has been tailored for the individual project.
 
@@ -75,10 +75,10 @@ then [submit an issue][issue060201] or [edit on GitHub][edit060201].
 
 [asvs]: https://owasp.org/www-project-application-security-verification-standard/
 [csproactive-c1]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c1-define-security-requirements
-[control1]: https://owasp.org/www-project-proactive-controls/v3/en/c1-security-requirements
+[control4]: https://top10proactive.owasp.org/the-top-10/c4-secure-architecture/
 [edit060201]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/06-design/02-web-app-checklist/01-define-security-requirements.md
 [issue060201]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-design/02-web-app-checklist/01-define-security-requirements
 [mas]: https://mas.owasp.org/
-[proactive10]: https://owasp.org/www-project-proactive-controls/
+[proactive10]: https://top10proactive.owasp.org/
 
 \newpage
diff --git a/draft/06-design/02-web-app-checklist/02-frameworks-libraries.md b/draft/06-design/02-web-app-checklist/02-frameworks-libraries.md
@@ -3,7 +3,7 @@
 title: Leverage Security Frameworks and Libraries Checklist
 layout: col-document
 tags: OWASP Developer Guide
-contributors: Jon Gadsden
+contributors: Jon Gadsden, Andreas Happe
 document: OWASP Developer Guide
 order: 622
 permalink: /draft/design/web_app_checklist/frameworks_libraries/
@@ -17,7 +17,7 @@ permalink: /draft/design/web_app_checklist/frameworks_libraries/
 Secure coding libraries and software frameworks with embedded security help software developers guard against
 security-related design and implementation flaws.
 
-Refer to proactive control [C2: Leverage Security Frameworks and Libraries][control2]
+Refer to proactive control [C4: Address Security from the Start][control4]
 and its [cheatsheets][csproactive-c2] for more context from the OWASP Top 10 Proactive Controls project.
 
 For technology specific checklists refer to the appropriate OWASP Cheat Sheets:
@@ -99,10 +99,10 @@ then [submit an issue][issue060202] or [edit on GitHub][edit060202].
 [cswebservice]: https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet
 [csxml]: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet
 [csproactive-c2]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c2-leverage-security-frameworks-and-libraries
-[control2]: https://owasp.org/www-project-proactive-controls/v3/en/c2-leverage-security-frameworks-libraries
+[control4]: https://top10proactive.owasp.org/the-top-10/c4-secure-architecture/
 [dependency]: https://owasp.org/www-project-dependency-check/
 [edit060202]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/06-design/02-web-app-checklist/02-frameworks-libraries.md
 [issue060202]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-design/02-web-app-checklist/02-frameworks-libraries
-[proactive10]: https://owasp.org/www-project-proactive-controls/
+[proactive10]: https://top10proactive.owasp.org/
 
 \newpage
diff --git a/draft/06-design/02-web-app-checklist/03-secure-database-access.md b/draft/06-design/02-web-app-checklist/03-secure-database-access.md
@@ -3,7 +3,7 @@
 title: Secure Database Access Checklist
 layout: col-document
 tags: OWASP Developer Guide
-contributors: Jon Gadsden
+contributors: Jon Gadsden, Andreas Happe
 document: OWASP Developer Guide
 order: 623
 permalink: /draft/design/web_app_checklist/secure_database_access/
@@ -16,7 +16,7 @@ permalink: /draft/design/web_app_checklist/secure_database_access/
 
 Ensure that access to all data stores is secure, including both relational databases and NoSQL databases.
 
-Refer to proactive control [C3: Secure Database Access][control3] and its [cheatsheets][csproactive-c3]
+Refer to proactive control [C3: Validate all Input & Handle Exceptions][control3] and its [cheatsheets][csproactive-c3]
 for more context from the OWASP Top 10 Proactive Controls project,
 and use the list below as suggestions for a checklist that has been tailored for the individual project.
 
@@ -58,11 +58,11 @@ The OWASP Developer Guide is a community effort; if there is something that need
 then [submit an issue][issue060203] or [edit on GitHub][edit060203].
 
 [csproactive-c3]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c3-secure-database-access
-[control3]: https://owasp.org/www-project-proactive-controls/v3/en/c3-secure-database
+[control3]: https://top10proactive.owasp.org/the-top-10/c3-validate-input-and-handle-exceptions/
 [csdb]: https://cheatsheetseries.owasp.org/cheatsheets/Database_Security_Cheat_Sheet
 [csquery]: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet
 [edit060203]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/06-design/02-web-app-checklist/03-secure-database-access.md
 [issue060203]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-design/02-web-app-checklist/03-secure-database-access
-[proactive10]: https://owasp.org/www-project-proactive-controls/
+[proactive10]: https://top10proactive.owasp.org/
 
 \newpage
diff --git a/draft/06-design/02-web-app-checklist/04-encode-escape-data.md b/draft/06-design/02-web-app-checklist/04-encode-escape-data.md
@@ -3,7 +3,7 @@
 title: Encode and Escape Data Checklist
 layout: col-document
 tags: OWASP Developer Guide
-contributors: Jon Gadsden
+contributors: Jon Gadsden, Andreas Happe
 document: OWASP Developer Guide
 order: 624
 permalink: /draft/design/web_app_checklist/encode_escape_data/
@@ -21,7 +21,7 @@ The target system may be another software component or it may be reflected back
 such as operating system commands,
 so encoding and escaping output data helps to provide defense in depth for the system as a whole.
 
-Refer to proactive control [C4: Encode and Escape Data][control4] and its [cheatsheets][csproactive-c4]
+Refer to proactive control [C3: Validate all Input & Handle Exceptions][control3] and its [cheatsheets][csproactive-c4]
 for more context from the OWASP Top 10 Proactive Controls project,
 and use the list below as suggestions for a checklist that has been tailored for the individual project.
 
@@ -55,11 +55,11 @@ The OWASP Developer Guide is a community effort; if there is something that need
 then [submit an issue][issue060204] or [edit on GitHub][edit060204].
 
 [csproactive-c4]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c4-encode-and-escape-data
-[control4]: https://owasp.org/www-project-proactive-controls/v3/en/c4-encode-escape-data
+[control3]: https://top10proactive.owasp.org/the-top-10/c3-validate-input-and-handle-exceptions/
 [edit060204]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/06-design/02-web-app-checklist/04-encode-escape-data.md
 [encoder]: https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
 [ipcs]: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet
 [issue060204]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-design/02-web-app-checklist/04-encode-escape-data
-[proactive10]: https://owasp.org/www-project-proactive-controls/
+[proactive10]: https://top10proactive.owasp.org/
 
 \newpage
diff --git a/draft/06-design/02-web-app-checklist/05-validate-inputs.md b/draft/06-design/02-web-app-checklist/05-validate-inputs.md
@@ -3,7 +3,7 @@
 title: Validate All Inputs Checklist
 layout: col-document
 tags: OWASP Developer Guide
-contributors: Jon Gadsden
+contributors: Jon Gadsden, Andreas Happe
 document: OWASP Developer Guide
 order: 625
 permalink: /draft/design/web_app_checklist/validate_inputs/
@@ -20,7 +20,7 @@ may enter a software application or system component.
 It is vital that input validation is performed to provide the starting point for a secure application or system.
 Without input validation the software application/system will continue to be vulnerable to new and varied attacks.
 
-Refer to proactive control [C5: Validate All Inputs][control5] and its [cheatsheets][csproactive-c5]
+Refer to proactive control [C3: Validate All Input & Handle Exceptions][control3] and its [cheatsheets][csproactive-c5]
 for more context from the OWASP Top 10 Proactive Controls project,
 and use the list below as suggestions for a checklist that has been tailored for the individual project.
 
@@ -70,11 +70,11 @@ then [submit an issue][issue060205] or [edit on GitHub][edit060205].
 [^SCP1]: Secure Coding Practices checklist
 
 [csproactive-c5]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c5-validate-all-inputs
-[control5]: https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs
+[control3]: https://top10proactive.owasp.org/the-top-10/c3-validate-input-and-handle-exceptions/
 [ivcs]: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet
 [edit060205]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/06-design/02-web-app-checklist/05-validate-inputs.md
 [issue060205]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-design/02-web-app-checklist/05-validate-inputs
-[proactive10]: https://owasp.org/www-project-proactive-controls/
+[proactive10]: https://top10proactive.owasp.org
 [sanitizer]: https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer
 
 \newpage
diff --git a/draft/06-design/02-web-app-checklist/06-digital-identity.md b/draft/06-design/02-web-app-checklist/06-digital-identity.md
@@ -3,7 +3,7 @@
 title: Implement Digital Identity Checklist
 layout: col-document
 tags: OWASP Developer Guide
-contributors: Jon Gadsden
+contributors: Jon Gadsden, Andreas Happe
 document: OWASP Developer Guide
 order: 626
 permalink: /draft/design/web_app_checklist/digital_identity/
@@ -18,7 +18,7 @@ permalink: /draft/design/web_app_checklist/digital_identity/
 Session management is a process by which a server maintains the state of the users authentication
 so that the user may continue to use the system without re-authenticating.
 
-Refer to proactive control [C6: Implement Digital Identity][control6] and its [cheatsheets][csproactive-c6]
+Refer to proactive control [C7: Implement Digital Identity][control7] and its [cheatsheets][csproactive-c6]
 for more context from the OWASP Top 10 Proactive Controls project,
 and use the list below as suggestions for a checklist that has been tailored for the individual project.
 
@@ -105,7 +105,7 @@ The OWASP Developer Guide is a community effort; if there is something that need
 then [submit an issue][issue060206] or [edit on GitHub][edit060206].
 
 [csproactive-c6]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c6-implement-digital-identity
-[control6]: https://owasp.org/www-project-proactive-controls/v3/en/c6-digital-identity
+[control7]: https://top10proactive.owasp.org/the-top-10/c7-implement-digital-identity/
 [csauthn]: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet
 [csmfa]: https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet
 [cspass]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet
@@ -114,7 +114,7 @@ then [submit an issue][issue060206] or [edit on GitHub][edit060206].
 [csquestions]: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet
 [edit060206]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/06-design/02-web-app-checklist/06-digital-identity.md
 [issue060206]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-design/02-web-app-checklist/06-digital-identity
-[proactive10]: https://owasp.org/www-project-proactive-controls/
+[proactive10]: https://top10proactive.owasp.org
 [tls]: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet
 
 \newpage
diff --git a/draft/06-design/02-web-app-checklist/07-access-controls.md b/draft/06-design/02-web-app-checklist/07-access-controls.md
@@ -3,7 +3,7 @@
 title: Enforce Access Controls Checklist
 layout: col-document
 tags: OWASP Developer Guide
-contributors: Jon Gadsden
+contributors: Jon Gadsden, Andreas Happe
 document: OWASP Developer Guide
 order: 627
 permalink: /draft/design/web_app_checklist/access_controls/
@@ -17,7 +17,7 @@ permalink: /draft/design/web_app_checklist/access_controls/
 Access Control or [Authorization][csauthz] is the process of granting or denying specific requests
 from a user, program, or process.
 
-Refer to proactive control [C7: Enforce Access Controls][control7] and its [cheatsheets][csproactive-c7]
+Refer to proactive control [C1: Implement Access Controls][control1] and its [cheatsheets][csproactive-c7]
 for more context from the OWASP Top 10 Proactive Controls project,
 and use the list below as suggestions for a checklist that has been tailored for the individual project.
 
@@ -54,10 +54,10 @@ The OWASP Developer Guide is a community effort; if there is something that need
 then [submit an issue][issue060207] or [edit on GitHub][edit060207].
 
 [csproactive-c7]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c7-enforce-access-controls
-[control7]: https://owasp.org/www-project-proactive-controls/v3/en/c7-enforce-access-controls
+[control1]: https://top10proactive.owasp.org/the-top-10/c1-accesscontrol/
 [csauthz]: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet
 [edit060207]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/06-design/02-web-app-checklist/07-access-controls.md
 [issue060207]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-design/02-web-app-checklist/07-access-controls
-[proactive10]: https://owasp.org/www-project-proactive-controls/
+[proactive10]: https://top10proactive.owasp.org/
 
 \newpage
diff --git a/draft/06-design/02-web-app-checklist/08-protect-data.md b/draft/06-design/02-web-app-checklist/08-protect-data.md
diff --git a/draft/06-design/02-web-app-checklist/09-logging-monitoring.md b/draft/06-design/02-web-app-checklist/09-logging-monitoring.md
diff --git a/draft/06-design/02-web-app-checklist/10-handle-errors-exceptions.md b/draft/06-design/02-web-app-checklist/10-handle-errors-exceptions.md
diff --git a/draft/07-implementation/01-documentation/01-proactive-controls.md b/draft/07-implementation/01-documentation/01-proactive-controls.md

-Original file line number
+Diff line change
 OpenCRE
 opencre
 br
+-
 +Andreas
 +Happe