release of version 4.1.7

_data/release.yaml

@@ -31,20 +31,20 @@ docs:
 - title: '3.2 Risk profile'
   url: requirements/risk_profile
 
-- title: '3.3 OpenCRE and Integration Standards'
-  url: requirements/opencre_integration_standard
+- title: '3.3 OpenCRE'
+  url: requirements/opencre
 
 - title: '3.4 SecurityRAT'
   url: requirements/security_rat
 
-- title: '3.5 Application Security Verification Standard'
-  url: requirements/application_security_verification_standard
+- title: '3.5 ASVS requirements'
+  url: requirements/asvs
 
-- title: '3.6 Mobile Application Security'
-  url: requirements/mobile_application_security
+- title: '3.6 MAS requirements'
+  url: requirements/mas
 
-- title: '3.7 Security Knowledge Framework'
-  url: requirements/security_knowledge_framework
+- title: '3.7 SKF requirements'
+  url: requirements/skf
 
 - title: '4. Design'
   url: design
@@ -65,7 +65,7 @@ docs:
   url: design/threat_modeling/cornucopia
 
 - title: '4.1.5 LINDDUN GO'
-  url: design/threat_modeling/linddun-go
+  url: design/threat_modeling/linddun_go
 
 - title: '4.1.6 Threat Modeling toolkit'
   url: design/threat_modeling/toolkit
@@ -103,7 +103,7 @@ docs:
 - title: '4.2.10 Checklist: Handle all Errors and Exceptions'
   url: design/web_app_checklist/handle_errors_and_exceptions
 
-- title: '4.3 Mobile application checklist'
+- title: '4.3 MAS checklist'
   url: design/mas_checklist
 
 - title: '5. Implementation'
@@ -136,32 +136,32 @@ docs:
 - title: '5.3 Secure Libraries'
   url: implementation/secure_libraries
 
-- title: '5.3.1 Enterprise Security API library'
+- title: '5.3.1 ESAPI'
   url: implementation/secure_libraries/esapi
 
-- title: '5.3.2 CSRFGuard library'
-  url: implementation/secure_libraries/csrf_guard
+- title: '5.3.2 CSRFGuard'
+  url: implementation/secure_libraries/csrfguard
 
-- title: '5.3.3 OWASP Secure Headers Project'
-  url: implementation/secure_libraries/secure_headers
+- title: '5.3.3 OSHP'
+  url: implementation/secure_libraries/oshp
 
-- title: '5.4 Mobile application weakness enumeration'
-  url: implementation/mas_weakness_enumeration
+- title: '5.4 MASWE'
+  url: implementation/maswe
 
 - title: '6. Verification'
   url: verification
 
 - title: '6.1 Guides'
   url: verification/guides
 
-- title: '6.1.1 Web Security Testing Guide'
-  url: verification/guides/web_security_testing_guide
+- title: '6.1.1 WSTG'
+  url: verification/guides/wstg
 
-- title: '6.1.2 MAS Testing Guide'
-  url: verification/guides/mas_testing_guide
+- title: '6.1.2 MASTG'
+  url: verification/guides/mastg
 
-- title: '6.1.3 Application Security Verification Standard'
-  url: verification/guides/application_security_verification_standard
+- title: '6.1.3 ASVS'
+  url: verification/guides/asvs
 
 - title: '6.2 Tools'
   url: verification/tools
@@ -172,14 +172,14 @@ docs:
 - title: '6.2.2 Amass'
   url: verification/tools/amass
 
-- title: '6.2.3 Offensive Web Testing Framework'
-  url: verification/tools/offensive_web_testing_framework
+- title: '6.2.3 OWTF'
+  url: verification/tools/owtf
 
 - title: '6.2.4 Nettacker'
   url: verification/tools/nettacker
 
-- title: '6.2.5 OWASP Secure Headers Project'
-  url: verification/tools/secure_headers
+- title: '6.2.5 OSHP verification'
+  url: verification/tools/oshp_verification
 
 - title: '6.3 Frameworks'
   url: verification/frameworks
@@ -214,11 +214,11 @@ docs:
 - title: '7.2 Secure Coding Dojo'
   url: training_education/secure_coding_dojo
 
-- title: '7.3 Security Knowledge Framework'
-  url: training_education/security_knowledge_framework
+- title: '7.3 SKF education'
+  url: training_education/skf_education
 
 - title: '7.4 SamuraiWTF'
-  url: training_education/samurai_wtf
+  url: training_education/samuraiwtf
 
 - title: '7.5 OWASP Top 10 project'
   url: training_education/owasp_top_ten
@@ -245,33 +245,33 @@ docs:
   url: culture_building_and_process_maturing/security_champions
 
 - title: '8.2.1 Security champions program'
-  url: culture_building_and_process_maturing/security_champions/security_champions_program
+  url: culture_building_and_process_maturing/security_champions/program
 
 - title: '8.2.2 Security Champions Guide'
-  url: culture_building_and_process_maturing/security_champions/security_champions_guide
+  url: culture_building_and_process_maturing/security_champions/guide
 
 - title: '8.2.3 Security Champions Playbook'
-  url: culture_building_and_process_maturing/security_champions/security_champions_playbook
+  url: culture_building_and_process_maturing/security_champions/playbook
 
-- title: '8.3 Software Assurance Maturity Model'
-  url: culture_building_and_process_maturing/software_assurance_maturity_model
+- title: '8.3 SAMM'
+  url: culture_building_and_process_maturing/samm
 
-- title: '8.4 Application Security Verification Standard'
-  url: culture_building_and_process_maturing/application_security_verification_standard
+- title: '8.4 ASVS process'
+  url: culture_building_and_process_maturing/asvs
 
-- title: '8.5 Mobile Application Security'
-  url: culture_building_and_process_maturing/mobile_application_security
+- title: '8.5 MAS process'
+  url: culture_building_and_process_maturing/mas
 
 - title: '9. Operations'
   url: operation
 
 - title: '9.1 DevSecOps Guideline'
   url: operations/devsecops_guideline
 
-- title: '9.2 Coraza Web Application Firewall'
+- title: '9.2 Coraza WAF'
   url: operations/coraza_waf
 
-- title: '9.3 ModSecurity Web Application Firewall'
+- title: '9.3 ModSecurity WAF'
   url: operations/modsecurity_waf/
 
 - title: '9.4 OWASP CRS'
@@ -286,17 +286,17 @@ docs:
 - title: '11.1 Guides'
   url: security_gap_analysis/guides
 
-- title: '11.1.1 Software Assurance Maturity Model'
-  url: security_gap_analysis/guides/software_assurance_maturity_model
+- title: '11.1.1 SAMM gap analysis'
+  url: security_gap_analysis/guides/samm
 
-- title: '11.1.2 Application Security Verification Standard'
-  url: security_gap_analysis/guides/application_security_verification_standard
+- title: '11.1.2 ASVS gap analysis'
+  url: security_gap_analysis/guides/asvs
 
-- title: '11.1.3 Mobile Application Security'
-  url: security_gap_analysis/guides/mobile_application_security
+- title: '11.1.3 MAS gap analysis'
+  url: security_gap_analysis/guides/mas
 
-- title: '11.2 Bug Logging Tool'
-  url: security_gap_analysis/bug_logging_tool
+- title: '11.2 BLT'
+  url: security_gap_analysis/blt
 
 - title: '12. Appendices'
   url: appendices

release/01-front.md

@@ -18,4 +18,4 @@ permalink:
 
 #### A Guide to Building Secure Web Applications and Web Services
 
-### Release version 4.1.6
+### Release version 4.1.7

release/02-toc.md

@@ -28,9 +28,9 @@ permalink:
 3.2 [Risk profile](#risk-profile)  
 3.3 [OpenCRE](#opencre)  
 3.4 [SecurityRAT](#security-rat)  
-3.5 [Application Security Verification Standard](#application-security-verification-standard)  
-3.6 [Mobile Application Security](#mobile-application-security)  
-3.7 [Security Knowledge Framework](#security-knowledge-framework)  
+3.5 [ASVS requirements](#asvs-requirements)  
+3.6 [MAS requirements](#mas-requirements)  
+3.7 [SKF requirements](#skf-requirements)  
 
 4 **[Design](#design)**  
 4.1 [Threat modeling](#threat-modeling)  
@@ -51,7 +51,7 @@ permalink:
 4.2.8 [Checklist: Protect Data Everywhere](#checklist-protect-data-everywhere)  
 4.2.9 [Checklist: Implement Security Logging and Monitoring](#checklist-implement-security-logging-and-monitoring)  
 4.2.10 [Checklist: Handle all Errors and Exceptions](#checklist-handle-all-errors-and-exceptions)  
-4.3 [Mobile application checklist](#mobile-application-checklist)  
+4.3 [MAS checklist](#mas-checklist)  
 
 5 **[Implementation](#implementation)**  
 5.1 [Documentation](#documentation)  
@@ -63,22 +63,22 @@ permalink:
 5.2.2 [Dependency-Track](#dependency-track)  
 5.2.3 [CycloneDX](#cyclonedx)  
 5.3 [Secure Libraries](#secure-libraries)  
-5.3.1 [Enterprise Security API library](#enterprise-security-api-library)  
-5.3.2 [CSRFGuard library](#csrfguard-library)  
-5.3.3 [OWASP Secure Headers Project](#owasp-secure-headers-project)  
-5.4 [Mobile application weakness enumeration](#mobile-application-weakness-enumeration)  
+5.3.1 [ESAPI](#esapi)  
+5.3.2 [CSRFGuard](#csrfguard)  
+5.3.3 [OSHP](#oshp)  
+5.4 [MASWE](#maswe)  
 
 6 **[Verification](#verification)**  
 6.1 [Guides](#verification-guides)  
-6.1.1 [Web Security Testing Guide](#web-security-testing-guide)  
-6.1.2 [MAS Testing Guide](#mas-testing-guide)  
-6.1.3 [Application Security Verification Standard](#application-security-verification-standard)  
+6.1.1 [WSTG](#wstg)  
+6.1.2 [MASTG](#mastg)  
+6.1.3 [ASVS](#asvs)  
 6.2 [Tools](#verification-tools)  
 6.2.1 [DAST tools](#dast-tools)  
 6.2.2 [Amass](#amass)  
-6.2.3 [Offensive Web Testing Framework](#offensive-web-testing-framework)  
+6.2.3 [OWTF](#owtf)  
 6.2.4 [Nettacker](#nettacker)  
-6.2.5 [OWASP Secure Headers Project](#secure-headers-project)  
+6.2.5 [OSHP verification](#oshp-verification)  
 6.3 [Frameworks](#verification-frameworks)  
 6.3.1 [secureCodeBox](#securecodebox)  
 6.4 [Vulnerability management](#verification-vulnerability-management)  
@@ -91,7 +91,7 @@ permalink:
 7.1.3 [PyGoat](#pygoat)  
 7.1.4 [Security Shepherd](#security-shepherd)  
 7.2 [Secure Coding Dojo](#secure-coding-dojo)  
-7.3 [Security Knowledge Framework](#security-knowledge-framework-training)  
+7.3 [SKF education](#skf-education)  
 7.4 [SamuraiWTF](#samuraiwtf)  
 7.5 [OWASP Top 10 project](#owasp-top-ten-project)  
 7.6 [Mobile Top 10](#mobile-top-ten)  
@@ -105,24 +105,24 @@ permalink:
 8.2.1 [Security champions program](#security-champions-program)  
 8.2.2 [Security Champions Guide](#security-champions-guide)  
 8.2.3 [Security Champions Playbook](#security-champions-playbook)  
-8.3 [Software Assurance Maturity Model](#software-assurance-maturity-model)  
-8.4 [Application Security Verification Standard](#application-security-verification-standard)  
-8.5 [Mobile Application Security](#mobile-application-security)  
+8.3 [SAMM](#samm)  
+8.4 [ASVS process](#asvs-process)  
+8.5 [MAS process](#mas-process)  
 
 9 **[Operations](#operations)**  
 9.1 [DevSecOps Guideline](#devsecops-guideline)  
-9.2 [Coraza Web Application Firewall](#coraza-web-application-firewall)  
-9.3 [ModSecurity Web Application Firewall](#modsecurity-web-application-firewall)  
+9.2 [Coraza WAF](#coraza-waf)  
+9.3 [ModSecurity WAF](#modsecurity-waf)  
 9.4 [OWASP CRS](#owasp-crs)  
 
 10 **[Metrics](#metrics)**  
 
 11 **[Security gap analysis](#security-gap-analysis)**  
 11.1 [Guides](#security-gap-analysis-guides)  
-11.1.1 [Software Assurance Maturity Model](#software-assurance-maturity-model)  
-11.1.2 [Application Security Verification Standard](#application-security-verification-standard)  
-11.1.3 [Mobile Application Security](#mobile-application-security)  
-11.2 [Bug Logging Tool](#bug-logging-tool)  
+11.1.1 [SAMM gap analysis](#samm-gap-analysis)  
+11.1.2 [ASVS gap analysis](#asvs-gap-analysis)  
+11.1.3 [Mobile gap analysis](#mas-gap-analysis)  
+11.2 [BLT](#blt)  
 
 12 **[Appendices](#appendices)**  
 12.1 [Implementation Do's and Don'ts](#implementation-dos-and-donts)  

release/03-introduction.md

@@ -70,8 +70,8 @@ try the [OpenCRE chat][opencrechat] LLM for immediate answers.
 You can think of this guide as a cross-reference source to the many tools and documents that OWASP provide for developers.
 
 Or you can regard the purpose of this guide as answering the question:
- “I am a developer and I need a reference guide to navigate the numerous security tools
- and security activities that I know I should be doing.
+“I am a developer and I need a reference guide to navigate the numerous security tools
+and security activities that I know I should be doing.
 
 Or think of it as a collection of articles that introduce developers to the wide domain of application security.
 

release/04-foundations/01-security-fundamentals.md

@@ -188,9 +188,9 @@ then [submit an issue][issue0401] or [edit on GitHub][edit0401].
 [csxsleaks]: https://cheatsheetseries.owasp.org/cheatsheets/XS_Leaks_Cheat_Sheet
 [csxssevade]: https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet
 [csxxe]: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet
-[issue0401]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-foundations/01-security-fundamentals
 [edit0401]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/04-foundations/01-security-fundamentals.md
 [htmlliving]: https://html.spec.whatwg.org/multipage/
+[issue0401]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-foundations/01-security-fundamentals
 [nistvuln]: https://csrc.nist.gov/glossary/term/vulnerability
 [samm]: https://owaspsamm.org/about/
 [sammd]: https://owaspsamm.org/model/design/

release/04-foundations/02-secure-development.md

@@ -140,7 +140,7 @@ There are many OWASP tools and resources to help build security into the SDLC.
 
 * **Application security testing**: there are various types of security testing that can be automated on pull-request,
    merge or nightlies - or indeed manually but they are most powerful when automated. Commonly there is
-   Static Application Security Testing (SAST), which analyses the code without running it,
+   Static Application Security Testing (SAST), which analyzes the code without running it,
    and Dynamic Application Security Testing (DAST), which applies input to the application while running it in a sandbox
    or other isolated environments.
    Interactive Application Security Testing (IAST) is designed to be run manually as well as being automated,

release/04-foundations/03-security-principles.md

@@ -85,7 +85,7 @@ A security principle in which a person or process is given only the minimum leve
 that is necessary for that person or process to complete an assigned operation.
 This right must be given only for a minimum amount of time that is necessary to complete the operation.
 
-This helps to limits the damage when a system is compromised by minimising the ability of an attacker
+This helps to limits the damage when a system is compromised by minimizing the ability of an attacker
 to escalate privileges both laterally or vertically.
 In order to apply this [principle of least privilege][elp] proper granularity
 of privileges and permissions should be established.

release/04-foundations/05-top-ten.md

@@ -39,7 +39,7 @@ to web applications and seeks to rank them in importance and severity.
 
 The list has changed over time, with some threat types becoming more of a problem to web applications
 and other threats becoming less of a risk as technologies change.
-The [latest version][top10] was issued in 2021 and each category is summarised below.
+The [latest version][top10] was issued in 2021 and each category is summarized below.
 
 Note that there are various 'OWASP Top Ten' projects, for example the 'OWASP Top 10 for Large Language Model Applications',
 so to avoid confusion the context should be noted when referring to these lists.
@@ -109,7 +109,7 @@ a common example of misconfiguration where default accounts and their passwords
 These passwords and accounts are usually well-known and provide an easy way for malicious actors to compromise applications.
 
 Both the [OWASP Top 10 A05:2021][a05] and the linked [OWASP Cheat Sheets][a05cs] provide strategies to establish
-a concerted, repeatable application security configuration process to minimise misconfiguration.
+a concerted, repeatable application security configuration process to minimize misconfiguration.
 
 #### A06:2021 Vulnerable and Outdated Components
 
@@ -123,7 +123,7 @@ making it easy for vulnerable third party software dependencies to be exploited
 Risk [A06 Vulnerable and Outdated Components][a06] underlines the importance of this activity,
 and recommends that fixes and upgrades to the underlying platform, frameworks, and dependencies
 are based on a risk assessment and done in a 'timely fashion'.
-Several tools can used to analyse dependencies and flag vulnerabilities, refer to the [Cheat Sheets][a06cs] for these.
+Several tools can used to analyze dependencies and flag vulnerabilities, refer to the [Cheat Sheets][a06cs] for these.
 
 #### A07:2021 Identification and Authentication Failures
 

release/05-requirements/00-toc.md

@@ -42,9 +42,9 @@ Sections:
 3.2 [Risk profile](#risk-profile)  
 3.3 [OpenCRE](#opencre)  
 3.4 [SecurityRAT](#security-rat)  
-3.5 [Application Security Verification Standard](#application-security-verification-standard)  
-3.6 [Mobile Application Security](#mobile-application-security)  
-3.7 [Security Knowledge Framework](#security-knowledge-framework)  
+3.5 [ASVS requirements)](#asvs-requirements)  
+3.6 [MAS requirements](#mas-requirements)  
+3.7 [SKF requirements](#skf-requirements)  
 
 ----