From 35954caea1f5b3922a4e09d0b4dab9e04e3457f8 Mon Sep 17 00:00:00 2001 From: Jon Gadsden Date: Sun, 11 Jan 2026 08:58:42 +0000 Subject: [PATCH 1/2] provide redirect for 01-define-security-requirements --- .github/workflows/ci.yaml | 2 + .github/workflows/pr.yaml | 2 + .github/workflows/release.yaml | 1 + contributing.md | 6 +- .../01-define-security-requirements.md | 81 ------------------- mkdocs.yaml | 3 + 6 files changed, 12 insertions(+), 83 deletions(-) delete mode 100644 docs/en/04-design/02-web-app-checklist/01-define-security-requirements.md diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 60e8ea27..e6d9f2d8 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -106,6 +106,7 @@ jobs: pip install mkdocs pip install mkdocs-material pip install mkdocs-open-in-new-tab + pip install mkdocs-redirects pip install mkdocs-with-pdf - name: Copy contributing tab files @@ -139,6 +140,7 @@ jobs: pip install mkdocs pip install mkdocs-material pip install mkdocs-open-in-new-tab + pip install mkdocs-redirects pip install mkdocs-with-pdf - name: Build check diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 01299610..43534d6d 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -113,6 +113,7 @@ jobs: pip install mkdocs pip install mkdocs-material pip install mkdocs-open-in-new-tab + pip install mkdocs-redirects pip install mkdocs-with-pdf - name: Copy contributing tab files @@ -143,6 +144,7 @@ jobs: pip install mkdocs pip install mkdocs-material pip install mkdocs-open-in-new-tab + pip install mkdocs-redirects pip install mkdocs-with-pdf - name: Build pdf for EN diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index cb9e404e..0e74a8b9 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -28,6 +28,7 @@ jobs: pip install mkdocs pip install mkdocs-material pip install mkdocs-open-in-new-tab + pip install mkdocs-redirects pip install mkdocs-with-pdf - name: Build diff --git a/contributing.md b/contributing.md index da421731..b27790de 100644 --- a/contributing.md +++ b/contributing.md @@ -145,9 +145,10 @@ Test the web document locally before creating / updating a pull request. On Windows install python and then install packages using pip : ```text -python3 -m pip install mkdocs-open-in-new-tab -python3 -m pip install mkdocs-material python3 -m pip install mkdocs +python3 -m pip install mkdocs-material +python3 -m pip install mkdocs-open-in-new-tab +python3 -m pip install mkdocs-redirects python3 -m pip install mkdocs-with-pdf ``` @@ -182,6 +183,7 @@ On Linux or MacOS install the packages using python's pip : pip install mkdocs pip install mkdocs-material pip install mkdocs-open-in-new-tab +pip install mkdocs-redirects pip install mkdocs-with-pdf ``` diff --git a/docs/en/04-design/02-web-app-checklist/01-define-security-requirements.md b/docs/en/04-design/02-web-app-checklist/01-define-security-requirements.md deleted file mode 100644 index 1ed1f4ef..00000000 --- a/docs/en/04-design/02-web-app-checklist/01-define-security-requirements.md +++ /dev/null @@ -1,81 +0,0 @@ -A security requirement is a statement of security functionality that ensures software security is being satisfied. -Security requirements are derived from industry standards, applicable laws, and a history of past vulnerabilities. - -Refer to proactive control [C4: Address Security form the Start][control4] and its [cheatsheets][csproactive-c1] -for more context from the OWASP Top 10 Proactive Controls project, -and use the lists below as suggestions for a checklist that has been tailored for the individual project. - -#### 1. System configuration - -1. Restrict applications, processes and service accounts to the least privileges possible -2. If the application must run with elevated privileges, raise privileges as late as possible, and drop as soon as possible -3. Remove all unnecessary functionality and files -4. Remove test code or any functionality not intended for production, prior to deployment -5. The security configuration store for the application should be available in human readable form to support auditing -6. Isolate development environments from production and provide access only to authorized development and test groups -7. Implement a software change control system to manage and record changes to the code both in development and production -8. Turn off directory listings -9. Prevent accidentally accessible and sensitive pages from appearing in search engines using a robots.txt file, - the X-Robots-Tag response header or a robots html meta tag -10. Disable unnecessary HTTP methods, such as WebDAV extensions. If an extended HTTP method that supports file handling is - required, utilize a well-vetted authentication mechanism -11. Remove unnecessary information from HTTP response headers related to the OS, web-server version and application - frameworks unless implemented to confuse an attacker -12. Ensure the .git, .svn folders or any source control metadata aren't deployed together alongside the application in away - that makes these directly accessible externally or indirectly through the application -13. Do not store passwords, secrets, connection strings, key material, secret management integrations or other sensitive - information in clear text or in any non-cryptographically secure manner on the client, in source code, or build artifacts -14. Remove or restrict access to internal application and system documentation (such as for internal APIs) as this can reveal - backend system or other useful information to attackers -15. Restrict access to files or other resources, including those outside the application's direct control using an allow list - or the equivalent thereof. - -#### 2. Cryptographic practices - -1. Use peer reviewed and open solution cryptographic modules -2. All cryptographic functions used to protect secrets from the application user must be implemented on a trusted system -3. Cryptographic modules must fail securely -4. Ensure all random elements such as numbers, file names, UUID and strings are generated - using the cryptographic module approved random number generator -5. Cryptographic modules used by the application are compliant to FIPS 140-2 or an equivalent standard -6. Establish and utilize a policy and process for how cryptographic keys will be managed -7. Ensure that any secret key is protected from unauthorized access -8. Store keys in a proper secrets vault as described below -9. Use independent keys when multiple keys are required -10. Build support for changing algorithms and keys when needed -11. Build application features to handle a key rotation - -#### 3. File management - -1. Do not pass user supplied data directly to any dynamic include function -2. Require authentication before allowing a file to be uploaded -3. Limit the type of files that can be uploaded to only those types that are needed for business purposes -4. Validate uploaded files are the expected type by checking file headers rather than by file extension -5. Do not save files in the same web context as the application -6. Prevent or restrict the uploading of any file that may be interpreted by the web server. -7. Turn off execution privileges on file upload directories -8. When referencing existing files, use an allow-list of allowed file names and types -9. Do not pass user supplied data into a dynamic redirect -10. Do not pass directory or file paths, use index values mapped to pre-defined list of paths -11. Never send the absolute file path to the client -12. Ensure application files and resources are read-only -13. Scan user uploaded files for viruses and malware - -#### References - -* OWASP [Application Security Verification Standard][asvs] (ASVS) -* OWASP [Mobile Application Security][mas] -* OWASP [Top 10 Proactive Controls][proactive10] - ----- - -The OWASP Developer Guide is a community effort; if there is something that needs changing -then [submit an issue][issue060201] or [edit on GitHub][edit060201]. - -[asvs]: https://owasp.org/www-project-application-security-verification-standard/ -[csproactive-c1]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c1-define-security-requirements -[control4]: https://top10proactive.owasp.org/the-top-10/c4-secure-architecture/ -[edit060201]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/02-web-app-checklist/01-define-security-requirements.md -[issue060201]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-design/02-web-app-checklist/01-define-security-requirements -[mas]: https://mas.owasp.org/ -[proactive10]: https://top10proactive.owasp.org/ diff --git a/mkdocs.yaml b/mkdocs.yaml index 34c50563..5b4eabd2 100644 --- a/mkdocs.yaml +++ b/mkdocs.yaml @@ -45,6 +45,9 @@ markdown_extensions: plugins: - open-in-new-tab - search + - redirects: + redirect_maps: + 'en/04-design/02-web-app-checklist/01-define-security-requirements.md': 'en/04-design/02-web-app-checklist/01-secure-by-default.md' nav: - 'Developer Guide': From 668b325e557c863051a52ad1ffb9fdaee7226d15 Mon Sep 17 00:00:00 2001 From: Jon Gadsden Date: Sun, 11 Jan 2026 09:17:07 +0000 Subject: [PATCH 2/2] fix for lychee grumbles in pull requests --- .github/workflows/pr.yaml | 1 + .lycheeignore | 7 +++---- docs/en/03-requirements/03-opencre.md | 10 +++++----- docs/es/03-requirements/03-opencre.md | 10 +++++----- 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 43534d6d..09e73c39 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -19,6 +19,7 @@ jobs: uses: lycheeverse/lychee-action@v2.7.0 with: args: >- + --exclude 'github\.com/OWASP/DevGuide/blob/main/docs' --no-progress --max-retries 1 --retry-wait-time 10 diff --git a/.lycheeignore b/.lycheeignore index e89ab73b..d08d67e5 100644 --- a/.lycheeignore +++ b/.lycheeignore @@ -1,8 +1,5 @@ # ignore these false positives from the link checker housekeeper -# some sites that are examples only, no intention of being real -myfriend.site.com/ - # Lockheed Martin has trouble with SSL certificates, temporarily ignore www.lockheedmartin.com @@ -14,7 +11,7 @@ github.com/OWASP/DevGuide/pulls github.com # ignore LINDDUN site because it occasionally times out -www.linddun.org/ +linddun.org/ # automated access to esapi is forbidden mvnrepository.com/artifact/org.owasp.esapi/esapi @@ -36,6 +33,7 @@ owaspsamm.thinkific.com/courses/samm owaspblt.org # mainstream sites that are not worth checking +helm.sh www.exploit-db.com/ www.w3.org/ www.w3schools.com/ @@ -47,6 +45,7 @@ www.oreilly.com www.cve.org www.kali.org www.iso.org +www.opencre.org # don't irritate the US government nvd.nist.gov/ diff --git a/docs/en/03-requirements/03-opencre.md b/docs/en/03-requirements/03-opencre.md index 9dad236a..fa14635d 100644 --- a/docs/en/03-requirements/03-opencre.md +++ b/docs/en/03-requirements/03-opencre.md @@ -88,9 +88,9 @@ The OWASP Developer Guide is a community effort; if there is something that need then [submit an issue][issue0503] or [edit on GitHub][edit0503]. [asvs]: https://owasp.org/www-project-application-security-verification-standard/ -[capecocre]: https://opencre.org/search/CAPEC -[csocre]: https://opencre.org/search/OWASP%20Cheat%20Sheets -[cweocre]: https://opencre.org/search/CWE +[capecocre]: https://www.opencre.org/search/CAPEC +[csocre]: https://www.opencre.org/search/OWASP%20Cheat%20Sheets +[cweocre]: https://www.opencre.org/search/CWE [cwe]: https://cwe.mitre.org/ [cwe1002]: https://www.opencre.org/node/standard/CWE/sectionid/1002 [edit0503]: https://github.com/OWASP/DevGuide/blob/main/docs/en/03-requirements/03-opencre.md @@ -107,5 +107,5 @@ then [submit an issue][issue0503] or [edit on GitHub][edit0503]. [sdlc]: https://owasp.org/www-project-integration-standards/writeups/owasp_in_sdlc/ [spotlight28]: https://www.youtube.com/watch?v=TwNroVARmB0&list=PLUKo5k_oSrfOTl27gUmk2o-NBKvkTGw0T [top10ocre]: https://www.opencre.org/search/OWASP%20Top%2010 -[wstgocre]: https://opencre.org/search/WSTG -[zapocre]: https://opencre.org/search/ZAP +[wstgocre]: https://www.opencre.org/search/WSTG +[zapocre]: https://www.opencre.org/search/ZAP diff --git a/docs/es/03-requirements/03-opencre.md b/docs/es/03-requirements/03-opencre.md index fc8d9e9b..b6f08d5f 100644 --- a/docs/es/03-requirements/03-opencre.md +++ b/docs/es/03-requirements/03-opencre.md @@ -97,9 +97,9 @@ La Guía de Desarrollador OWASP es un esfuerzo comunitario; si hay algo que nece entonces [cree un issue][issue0503] o [edítelo en GitHub][edit0503]. [asvs]: https://owasp.org/www-project-application-security-verification-standard/ -[capecocre]: https://opencre.org/search/CAPEC -[csocre]: https://opencre.org/search/OWASP%20Cheat%20Sheets -[cweocre]: https://opencre.org/search/CWE +[capecocre]: https://www.opencre.org/search/CAPEC +[csocre]: https://www.opencre.org/search/OWASP%20Cheat%20Sheets +[cweocre]: https://www.opencre.org/search/CWE [cwe]: https://cwe.mitre.org/ [cwe1002]: https://www.opencre.org/node/standard/CWE/sectionid/1002 [edit0503]: https://github.com/OWASP/DevGuide/blob/main/docs/es/03-requirements/03-opencre.md @@ -117,5 +117,5 @@ entonces [cree un issue][issue0503] o [edítelo en GitHub][edit0503]. [sdlc]: https://owasp.org/www-project-integration-standards/writeups/owasp_in_sdlc/ [spotlight28]: https://www.youtube.com/watch?v=TwNroVARmB0&list=PLUKo5k_oSrfOTl27gUmk2o-NBKvkTGw0T [top10ocre]: https://www.opencre.org/search/OWASP%20Top%2010 -[wstgocre]: https://opencre.org/search/WSTG -[zapocre]: https://opencre.org/search/ZAP +[wstgocre]: https://www.opencre.org/search/WSTG +[zapocre]: https://www.opencre.org/search/ZAP