Add checklist from secure coding practices project

.markdownlint.yaml

@@ -10,7 +10,7 @@ MD013:
   code_blocks: true
   heading_line_length: 80
   headings: true
-  line_length: 120
+  line_length: 125
   stern: true
   strict: false
   tables: true

.wordlist.txt

@@ -275,3 +275,16 @@ JWTs
 PKIX
 JWA
 JWKS
+deserialize
+deserialization
+unicode
+DSS
+GDPR
+PCI
+deserializes
+schemas
+unmanaged
+checksums
+FIPS
+UUID
+NoSQL

_data/draft.yaml

@@ -112,39 +112,36 @@ docs:
 - title: '10.3 Dynamic Application Security Testing (DAST)'
   url: 10-security-testing-validation/03-dast
 
-- title: '20. OWASP Top Ten Proactive Controls checklist'
-  url: 20-proactive-control-checklist/toc
+- title: '11. Checklist'
+  url: 11-checklist/toc
 
-- title: '20.1 Introduction'
-  url: 20-proactive-control-checklist/01-proactive-control-introduction
-
-- title: '20.2 C1: Define Security Requirements'
-  url: 20-proactive-control-checklist/02-define-security-requirements
+- title: '11.1 Checklist: Define Security Requirements'
+  url: 11-checklist/01-define-security-requirements
 
-- title: '20.3 C2: Leverage Security Frameworks and Libraries'
-  url: 20-proactive-control-checklist/03-frameworks-libraries
+- title: '11.2 Checklist: Leverage Security Frameworks and Libraries'
+  url: 11-checklist/02-frameworks-libraries
 
-- title: '20.4 C3: Secure Database Access'
-  url: 20-proactive-control-checklist/04-secure-database-access
+- title: '11.3 Checklist: Secure Database Access'
+  url: 11-checklist/03-secure-database-access
 
-- title: '20.5 C4: Encode and Escape Data'
-  url: 20-proactive-control-checklist/05-encode-escape-data
+- title: '11.4 Checklist: Encode and Escape Data'
+  url: 11-checklist/04-encode-escape-data
 
-- title: '20.6 C5: Validate All Inputs'
-  url: 20-proactive-control-checklist/06-validate-inputs
+- title: '11.5 Checklist: Validate All Inputs'
+  url: 11-checklist/05-validate-inputs
 
-- title: '20.7 C6: Implement Digital Identity'
-  url: 20-proactive-control-checklist/07-digital-identity
+- title: '11.6 Checklist: Implement Digital Identity'
+  url: 11-checklist/06-digital-identity
 
-- title: '20.8 C7: Enforce Access Controls'
-  url: 20-proactive-control-checklist/08-access-controls
+- title: '11.7 Checklist: Enforce Access Controls'
+  url: 11-checklist/07-access-controls
 
-- title: '20.9 C8: Protect Data Everywhere'
-  url: 20-proactive-control-checklist/09-protect-data
+- title: '11.8 Checklist: Protect Data Everywhere'
+  url: 11-checklist/08-protect-data
 
-- title: '20.10 C9: Implement Security Logging and Monitoring'
-  url: 20-proactive-control-checklist/10-security-logging-monitoring
+- title: '11.9 Checklist: Implement Security Logging and Monitoring'
+  url: 11-checklist/09-security-logging-monitoring
 
-- title: '20.11 C10: Handle all Errors and Exceptions'
-  url: 20-proactive-control-checklist/11-handle-errors-exceptions
+- title: '11.10 Checklist: Handle all Errors and Exceptions'
+  url: 11-checklist/10-handle-errors-exceptions
 

draft/00-toc.md

@@ -67,17 +67,16 @@ and so the content is expected to frequently change._
 10.2 [Static Application Security Testing (SAST)](#static-application-security-testing)  
 10.3 [Dynamic Application Security Testing (DAST)](#dynamic-application-security-testing)  
 
-20 **[OWASP Top Ten Proactive Controls checklist](#owasp-top-ten-proactive-controls-checklist)**  
-20.1 [Introduction](#owasp-top-ten-proactive-controls-introduction)  
-20.2 [C1: Define Security Requirements](#c1-define-security-requirements)  
-20.3 [C2: Leverage Security Frameworks and Libraries](#c2-leverage-security-frameworks-and-libraries)  
-20.4 [C3: Secure Database Access](#c3-secure-database-access)  
-20.5 [C4: Encode and Escape Data](#c4-encode-and-escape-data)  
-20.6 [C5: Validate All Inputs](#c5-validate-all-inputs)  
-20.7 [C6: Implement Digital Identity](#c6-implement-digital-identity)  
-20.8 [C7: Enforce Access Controls](#c7-enforce-access-controls)  
-20.9 [C8: Protect Data Everywhere](#c8-protect-data-everywhere)  
-20.10 [C9: Implement Security Logging and Monitoring](#c9-implement-security-logging-and-monitoring)  
-20.11 [C10: Handle all Errors and Exceptions](#c10-handle-all-errors-and-exceptions)  
+10 **[Checklist](#checklist)**  
+11.1 [Checklist: Define Security Requirements](#checklist-define-security-requirements)  
+11.2 [Checklist: Leverage Security Frameworks and Libraries](#checklist-leverage-security-frameworks-and-libraries)  
+11.3 [Checklist: Secure Database Access](#checklist-secure-database-access)  
+11.4 [Checklist: Encode and Escape Data](#checklist-encode-and-escape-data)  
+11.5 [Checklist: Validate All Inputs](#checklist-validate-all-inputs)  
+11.6 [Checklist: Implement Digital Identity](#checklist-implement-digital-identity)  
+11.7 [Checklist: Enforce Access Controls](#checklist-enforce-access-controls)  
+11.8 [Checklist: Protect Data Everywhere](#checklist-protect-data-everywhere)  
+11.9 [Checklist: Implement Security Logging and Monitoring](#checklist-implement-security-logging-and-monitoring)  
+11.10 [Checklist: Handle all Errors and Exceptions](#checklist-handle-all-errors-and-exceptions)  
 
 \newpage

draft/01-audience.md

@@ -43,7 +43,7 @@ to prevent the acquisition or development of insecure software.
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue01] or a [pull request][pr] .
 
 [issue01]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2001-audience

draft/02-background.md

@@ -39,7 +39,7 @@ These resources provide greater detail and wider context for the various section
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue02] or a [pull request][pr] .
 
 [asvs]: https://owasp.org/www-project-application-security-verification-standard/

draft/04-foundations/01-security-fundamentals.md

@@ -77,7 +77,7 @@ The typical questions that are answered by auditing are "*Who* did *What* *When*
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0401] or a [pull request][pr] .
 
 [issue0401]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-foundations/01-security-fundamentals

draft/04-foundations/02-secure-development.md

@@ -170,7 +170,7 @@ There are many OWASP tools and resources to help build security into the SDLC.
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0402] or a [pull request][pr] .
 
 [amass]: https://owasp.org/www-project-amass/

draft/04-foundations/03-security-principles.md

@@ -149,7 +149,7 @@ In addition open source components have the benefit of 'many eyes' and are likel
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0403] or a [pull request][pr] .
 
 [ancs]: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

draft/04-foundations/04-crypto-principles.md

@@ -238,7 +238,7 @@ These protocols prevent adversaries from learning the key or forcing their own k
 
 * OWASP Cheat Sheet series
   * [Authentication Cheat Sheet][ancs]
-  * [Authorization_Cheat_Sheet][azcs]
+  * [Authorization_Cheat_Sheet][csaz]
   * [Cryptographic Storage Cheat Sheet][cscs]
   * [Key Management Cheat Sheet][kmcs]
   * [SAML Security Cheat Sheet][sscs]
@@ -247,11 +247,11 @@ These protocols prevent adversaries from learning the key or forcing their own k
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0404] or a [pull request][pr] .
 
 [ancs]: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
-[azcs]: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+[csaz]: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
 [cheat]: https://owasp.org/www-project-cheat-sheets/
 [cscs]: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
 [issue0404]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-foundations/04-crypto-principles

draft/04-foundations/05-top-ten.md

@@ -21,6 +21,13 @@ and the content has yet to be filled in for section 'Top Ten Web Application Sec
 If you would like to contribute then follow the [contributing guidelines][contribute]
 and submit your content for review.
 
+----
+
+The OWASP Developer Guide is a community effort; if there is something that needs changing
+then [submit an issue][issue0405] or a [pull request][pr] .
+
 [contribute]: https://github.com/OWASP/www-project-developer-guide/blob/main/contributing.md
+[issue0405]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-foundations/05-top-ten
+[pr]: https://github.com/OWASP/www-project-developer-guide/pulls
 
 \newpage

draft/05-security-requirements/01-security-requirements.md

@@ -111,7 +111,7 @@ both of which may have a direct impact on the application.
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0501] or a [pull request][pr].
 
 [asvs]: https://owasp.org/www-project-application-security-verification-standard/

draft/05-security-requirements/02-threat-modeling.md

@@ -118,34 +118,35 @@ To provide some structure it is useful to start with Shostack's [Four Question F
 
 **1 What are we building**?
 
-As a starting point you need to define the scope of the Threat Model.
-To do that you need to understand the application you are building, examples of helpful techniques are:
+As a starting point the scope of the Threat Model should be defined.
+This will require an understanding of the application that is being built,
+and some examples of inputs for the threat model could be:
 
 * Architecture diagrams
 * Dataflow transitions
 * Data classifications
 
-You will also need to gather people from different roles with sufficient technical and risk awareness
-to agree on the framework to be used during the Threat modeling exercise.
+It is best to gather people from different roles with sufficient technical and risk awareness
+so that they can agree on the framework to be used during the threat modeling exercise.
 
 **2 What can go wrong**?
 
-This is a research activity in which you want to find the main threats that apply to your application.
+This is a research activity to find the main threats that apply to your application.
 There are many ways to approach the question, including open discussion or using a structure to help think it through.
 Techniques that can help include [CIA][cia], [STRIDE][stride], [LINDDUN][linddun],
 [cyber kill chains][chains], [PASTA][pasta], common attack patterns ([CAPEC][capec]) and others.
 
 **3 What are we going to do about that**?
 
-In this phase you turn your findings into specific actions.
+In this phase turn the threat model findings into specific actions.
 Consider the appropriate [remediation](#remediation) for each threat identified.
 
 **4 Did we do a good enough job**?
 
-Finally, carry out a retrospective activity over the work you have done to check
+Finally, carry out a retrospective activity over the work identified to check
 quality, feasibility, progress, or planning.
 
-The OWASP [Threat Modeling Playbook][OTMP] goes into these practicalities in more detail
+The OWASP [Threat Modeling Playbook][tmpb] goes into these practicalities in more detail
 and provides strategies for maintaining threat modeling within an organisation.
 
 #### How to do it
@@ -154,7 +155,7 @@ There is no one process for threat modeling.
 How it is done in practice will vary according to the organisation's culture,
 according to what type of system / application is being modeled
 and according to preferences of the development team itself.
-The various techniques and concepts are discussed in the [Threat Modeling Cheat Sheet][OTMCS]
+The various techniques and concepts are discussed in the [Threat Modeling Cheat Sheet][tmcs]
 and can be summarised:
 
 1. Terminology: try to use standard terms such as actors, trust boundaries, etc as this will help convey these concepts
@@ -216,9 +217,9 @@ then that is a perfectly good choice.
 
 * [Threat Modeling Manifesto](https://www.threatmodelingmanifesto.org/)
 * OWASP [Threat Model project](https://owasp.org/www-project-threat-model/)
-* OWASP [Threat Modeling Cheat Sheet][OTMCS]
-* OWASP [Threat Modeling Playbook (OTMP)][OTMP]
-* OWASP [Attack Surface Analysis Cheat Sheet][ASACS]
+* OWASP [Threat Modeling Cheat Sheet][tmcs]
+* OWASP [Threat Modeling Playbook (OTMP)][tmpb]
+* OWASP [Attack Surface Analysis Cheat Sheet][asacs]
 * OWASP community pages on [Threat Modeling][TM] and the [Threat Modeling Process][TMP]
 * [The Four Question Framework For Threat Modeling](https://youtu.be/Yt0PhyEdZXU) 60 second video
 * Lockheed's [Cyber Kill Chain][chains]
@@ -237,20 +238,20 @@ then that is a perfectly good choice.
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0502] or a [pull request][pr] .
 
 [4QFW]: https://github.com/adamshostack/4QuestionFrame
-[ASACS]: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html
+[asacs]: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html
 [capec]: https://capec.mitre.org/
 [chains]: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
 [cia]: https://www.nccoe.nist.gov/publication/1800-25/VolA/index.html
 [issue0502]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2005-security-requirements/02-threat-modeling
 [linddun]: https://www.linddun.org/
 [nist-cvss]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
 [otm]: https://owasp.org/www-project-threat-model/
-[OTMCS]: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html
-[OTMP]: https://owasp.org/www-project-threat-modeling-playbook/
+[tmcs]: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html
+[tmpb]: https://owasp.org/www-project-threat-modeling-playbook/
 [pasta]: https://versprite.com/blog/what-is-pasta-threat-modeling/
 [pr]: https://github.com/OWASP/www-project-developer-guide/pulls
 [PYTM]: https://owasp.org/www-project-pytm/

draft/05-security-requirements/03-risk-profile.md

@@ -94,7 +94,7 @@ Examples:
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0503] or a [pull request][pr] .
 
 [cvss]: https://www.first.org/cvss/

draft/06-secure-design/02-secure-coding.md

@@ -329,7 +329,7 @@ Also not exploitable: `{""result"": [{""object"": ""inside an array""}]}"`
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0602] or a [pull request][pr] .
 
 [issue0602]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-secure-design/02-secure-coding

draft/06-secure-design/03-cryptographic-practices.md

@@ -64,7 +64,7 @@ order: 603
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0603] or a [pull request][pr] .
 
 [issue0603]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-secure-design/03-cryptographic-practices

draft/06-secure-design/04-application-spoofing.md

@@ -74,7 +74,7 @@ How can it be addressed:
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0604] or a [pull request][pr] .
 
 [issue0604]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-secure-design/04-application-spoofing

draft/06-secure-design/05-content-security-policy.md

@@ -150,7 +150,7 @@ Setting rules for Android application:
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0605] or a [pull request][pr] .
 
 [issue0605]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-secure-design/05-content-security-policy

draft/06-secure-design/06-exception-error-handling.md

@@ -132,7 +132,7 @@ which can be used later on by the developer to get into the system without havin
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0606] or a [pull request][pr] .
 
 [issue0606]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-secure-design/06-exception-error-handling

draft/06-secure-design/07-file-management.md

@@ -56,7 +56,7 @@ order: 607
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0607] or a [pull request][pr] .
 
 [issue0607]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-secure-design/07-file-management

draft/06-secure-design/08-memory-management.md

@@ -30,7 +30,7 @@ order: 608
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0608] or a [pull request][pr] .
 
 [issue0608]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-secure-design/08-memory-management

draft/07-container-security/02-image-security.md

@@ -130,7 +130,7 @@ Image security, host security, client security, daemon security, runtime securit
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0702] or a [pull request][pr] .
 
 [issue0702]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2007-container-security/02-image-security

draft/08-open-source-software/01-open-source-software.md

@@ -106,7 +106,7 @@ We realise it could be challenging, but if feasible, maintain a list of approved
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0801] or a [pull request][pr] .
 
 [issue0801]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2008-open-source-software/01-open-source-software

draft/09-secure-environment/02-system-hardening.md

@@ -55,7 +55,7 @@ order: 902
 
 ----
 
-The OWASP Developer Guide is a community effort; if you see something that needs changing
+The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0902] or a [pull request][pr] .
 
 [issue0902]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2009-secure-environment/02-system-hardening