diff --git a/draft/04-foundations/02-secure-development.md b/draft/04-foundations/02-secure-development.md index d69fdd4d..ee75670b 100644 --- a/draft/04-foundations/02-secure-development.md +++ b/draft/04-foundations/02-secure-development.md @@ -148,7 +148,7 @@ There are many OWASP tools and resources to help build security into the SDLC. #### OWASP training projects -* [API Security Project][api-security] (API Top 10) +* [API Security Project][apisec] (API Top 10) * [Juice Shop][juice] * [Mobile Top 10][mobile10] * [Security Shepherd][sec-shep] @@ -174,7 +174,7 @@ The OWASP Developer Guide is a community effort; if there is something that need then [submit an issue][issue0402] or [edit on GitHub][edit0402]. [amass]: https://owasp.org/www-project-amass/ -[api-security]: https://owasp.org/www-project-api-security/ +[apisec]: https://owasp.org/API-Security [asvs]: https://owasp.org/www-project-application-security-verification-standard/ [cheatproject]: https://owasp.org/www-project-cheat-sheets/ [cornucopia]: https://owasp.org/www-project-cornucopia/ diff --git a/draft/04-foundations/05-top-ten.md b/draft/04-foundations/05-top-ten.md index 81e20330..f9789f73 100644 --- a/draft/04-foundations/05-top-ten.md +++ b/draft/04-foundations/05-top-ten.md @@ -164,7 +164,7 @@ This is a new category introduced in 2021 with a single (for now) [Cheat Sheet][ There are various 'Top 10' projects created by OWASP that, depending on the context, may also be referred to as 'OWASP Top 10'. Here is a list of the stable 'OWASP Top 10' projects: -* [API Security Top 10][api-security] +* [API Security Top 10][apisec] * [Data Security Top 10][data10] * [Low-Code/No-Code Top 10][lcnc10] * [Mobile Top 10][mobile10] 
@@ -201,7 +201,7 @@ then [submit an issue][issue0405] or [edit on GitHub][edit0405]. [a09cs]: https://cheatsheetseries.owasp.org/IndexTopTen.html#a092021-security-logging-and-monitoring-failures [a10]: https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/ [a10cs]: https://cheatsheetseries.owasp.org/IndexTopTen.html#a102021-server-side-request-forgery-ssrf -[api-security]: https://owasp.org/www-project-api-security/ +[apisec]: https://owasp.org/API-Security [cicd10]: https://owasp.org/www-project-top-10-ci-cd-security-risks/ [cwe284]: https://cwe.mitre.org/data/definitions/284.html [data10]: https://owasp.org/www-project-data-security-top-10/ diff --git a/draft/06-design/00-toc.md b/draft/06-design/00-toc.md index d7929139..737fef99 100644 --- a/draft/06-design/00-toc.md +++ b/draft/06-design/00-toc.md @@ -75,7 +75,7 @@ The OWASP Developer Guide is a community effort; if there is something that need [sammd]: https://owaspsamm.org/model/design/ [sammdsr]: https://owaspsamm.org/model/design/security-requirements/ [sammdsa]: https://owaspsamm.org/model/design/security-architecture/ -[sammdta]: https://owaspsamm.org/model/design/threat-assessment +[sammdta]: https://owaspsamm.org/model/design/threat-assessment/ [spdcs]: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet.html \newpage diff --git a/draft/06-design/01-threat-modeling/01-threat-modeling.md b/draft/06-design/01-threat-modeling/01-threat-modeling.md index 1e2d9530..c6f20b94 100644 --- a/draft/06-design/01-threat-modeling/01-threat-modeling.md +++ b/draft/06-design/01-threat-modeling/01-threat-modeling.md 
@@ -264,7 +264,7 @@ then [submit an issue][issue060101] or [edit on GitHub][edit060101]. [eop]: https://shostack.org/games/elevation-of-privilege [edit060101]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/06-design/01-threat-modeling/01-threat-modeling.md [issue060101]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-design/01-threat-modeling/01-threat-modeling -[linddun]: https://www.linddun.org/ +[linddun]: https://linddun.org/ [nist-cvss]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator [otm]: https://owasp.org/www-project-threat-model/ [pasta]: https://versprite.com/blog/what-is-pasta-threat-modeling/ diff --git a/draft/06-design/toc.md b/draft/06-design/toc.md index 4b80bba7..acadd0d1 100644 --- a/draft/06-design/toc.md +++ b/draft/06-design/toc.md @@ -78,5 +78,5 @@ then [submit an issue][issue0600] or [edit on GitHub][edit0600]. [sammd]: https://owaspsamm.org/model/design/ [sammdsr]: https://owaspsamm.org/model/design/security-requirements/ [sammdsa]: https://owaspsamm.org/model/design/security-architecture/ -[sammdta]: https://owaspsamm.org/model/design/threat-assessment +[sammdta]: https://owaspsamm.org/model/design/threat-assessment/ [spdcs]: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet.html diff --git a/draft/07-implementation/03-secure-libraries/01-esapi.md b/draft/07-implementation/03-secure-libraries/01-esapi.md index da6f5498..46270f00 100644 --- a/draft/07-implementation/03-secure-libraries/01-esapi.md +++ b/draft/07-implementation/03-secure-libraries/01-esapi.md 
@@ -59,7 +59,7 @@ The OWASP Developer Guide is a community effort; if there is something that need then [submit an issue][issue070301] or [edit on GitHub][edit070301]. [bean]: http://beanvalidation.org/ -[csrfguard]: https://owasp.org/www-project-csrfguard +[csrfguard]: https://owasp.org/www-project-csrfguard/ [edit070301]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/07-implementation/03-secure-libraries/01-esapi.md [esapi-docs]: https://www.javadoc.io/doc/org.owasp.esapi/esapi/latest/index.html [esapi-java]: https://mvnrepository.com/artifact/org.owasp.esapi/esapi diff --git a/draft/09-training-education/07-api-top-ten.md b/draft/09-training-education/07-api-top-ten.md index 736c00c2..e7a3bb70 100644 --- a/draft/09-training-education/07-api-top-ten.md +++ b/draft/09-training-education/07-api-top-ten.md @@ -14,11 +14,11 @@ permalink: /draft/training_education/api_top_ten/ ### 7.7 API Top 10 -The OWASP [API Security Project][api-security] (API Top 10) explains strategies and solutions to help the understanding +The OWASP [API Security Project][apisec] (API Top 10) explains strategies and solutions to help the understanding and mitigation of the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). -The [API Top 10][api-security-project] is an OWASP Laboratory Project -which is accessed as a [web based document][api-security-doc]. +The [API Top 10][apisec-project] is an OWASP Laboratory Project +which is accessed as a [web based document][apisec-doc]. #### What is the API Top 10? 
@@ -41,7 +41,7 @@ as well as a documentation portal for best practices when creating or assessing #### Why use it? Most software projects use APIs in some form or another. -Developers and security engineers should be encouraged to refer to the [API Security Project][api-security] +Developers and security engineers should be encouraged to refer to the [API Security Top 10][apisec] to assist them when acting as security builders, breakers, and defenders for an organization. ---- @@ -59,9 +59,9 @@ then [submit an issue][issue0907] or [edit on GitHub][edit0907]. [api08]: https://owasp.org/API-Security/editions/2023/en/0xa8-security-misconfiguration/ [api09]: https://owasp.org/API-Security/editions/2023/en/0xa9-improper-inventory-management/ [api10]: https://owasp.org/API-Security/editions/2023/en/0xaa-unsafe-consumption-of-apis/ -[api-security]: https://owasp.org/API-Security -[api-security-doc]: https://owasp.org/API-Security/editions/2023/en/0x00-header/ -[api-security-project]: https://owasp.org/www-project-api-security/ +[apisec]: https://owasp.org/API-Security +[apisec-doc]: https://owasp.org/API-Security/editions/2023/en/0x00-header/ +[apisec-project]: https://owasp.org/www-project-api-security/ [edit0907]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/09-training-education/07-api-top-ten.md [issue0907]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2009-training-education/07-api-top-ten diff --git a/draft/09-training-education/08-wrongsecrets.md b/draft/09-training-education/08-wrongsecrets.md index 8881e73c..d8014c8e 100644 --- a/draft/09-training-education/08-wrongsecrets.md +++ b/draft/09-training-education/08-wrongsecrets.md 
@@ -50,7 +50,7 @@ You can set WrongSecrets up in standalone or in capture the flag (CTF) mode on D Set-up guides for the standalone version are available in the [project README][readme]. -For the CTF, the project also provides [set-up guides][ctf] and a [Helm chart][helm]. +For the CTF, the project also provides [set-up guides][ctf] and a [Helm chart][wrongsecrets-helm]. --- @@ -59,7 +59,7 @@ then [submit an issue][issue0908] or [edit on GitHub][edit0908]. [ctf]: https://github.com/OWASP/wrongsecrets/blob/master/ctf-instructions.md [edit0908]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/09-training-education/08-wrongsecrets.md -[helm]: https://owasp.org/wrongsecrets-ctf-party/ +[wrongsecrets-helm]: https://owasp.org/wrongsecrets-ctf-party/ [heroku]: https://wrongsecrets.herokuapp.com/ [issue0908]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2009-training-education/08-wrongsecrets [readme]: https://github.com/OWASP/wrongsecrets/blob/master/README.md diff --git a/draft/10-culture-process/03-samm.md b/draft/10-culture-process/03-samm.md index 072bffe7..9bbb4c21 100644 --- a/draft/10-culture-process/03-samm.md +++ b/draft/10-culture-process/03-samm.md @@ -77,9 +77,9 @@ then [submit an issue][issue1003] or [edit on GitHub][edit1003]. [sammd]: https://owaspsamm.org/model/design/ [sammfun]: https://owaspsamm.thinkific.com/courses/samm [sammg]: https://owaspsamm.org/model/governance/ -[sammi]: https://owaspsamm.org/model/implementation -[sammo]: https://owaspsamm.org/model/operations -[sammv]: https://owaspsamm.org/model/verification +[sammi]: https://owaspsamm.org/model/implementation/ +[sammo]: https://owaspsamm.org/model/operations/ +[sammv]: https://owaspsamm.org/model/verification/ [samm-project]: https://owasp.org/www-project-samm/ [spotlight09]: https://youtu.be/N0zcZnkH5Wg 
diff --git a/draft/11-operations/02-coraza.md b/draft/11-operations/02-coraza.md index 916aee9c..1f7828fb 100644 --- a/draft/11-operations/02-coraza.md +++ b/draft/11-operations/02-coraza.md @@ -15,7 +15,7 @@ permalink: /draft/operations/coraza_waf/ ### 9.2 Coraza Web Application Firewall The [OWASP Coraza][coraza-project] project provides a golang enterprise-grade Web Application Firewall framework -that supports the [ModSecurity][modsecurity] seclang language +that supports the [ModSecurity][modsec] seclang language and is completely compatible with the OWASP [Core Rule Set][modcrs] (CRS). Coraza is in active development as an OWASP Production code project, with the first stable version released in September 2021 and several releases since then. @@ -37,7 +37,7 @@ Coraza can be deployed: Web Application Firewalls are usually the first line of defense against HTTP attacks on web applications and servers. The Coraza WAF is widely used for providing this security, especially for cloud applications, -along with the original OWASP [ModSecurity][modsecurity] WAF. +along with the original OWASP [ModSecurity][modsec] WAF. #### How to use Coraza @@ -65,7 +65,7 @@ then [submit an issue][issue1102] or [edit on GitHub][edit1102]. [coraza-wasm]: https://github.com/corazawaf/coraza-proxy-wasm [edit1102]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/11-operations/02-coraza.md [issue1102]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2011-operations/02-coraza -[modcrs]: https://owasp.org/www-project-modsecurity-core-rule-set/ -[modsecurity]: https://owasp.org/www-project-modsecurity/ +[modcrs]: https://coreruleset.org/ +[modsec]: https://owasp.org/www-project-modsecurity/ \newpage diff --git a/draft/11-operations/03-modsecurity.md b/draft/11-operations/03-modsecurity.md index c6a7541e..0687080f 100644 --- a/draft/11-operations/03-modsecurity.md +++ b/draft/11-operations/03-modsecurity.md 
@@ -14,14 +14,14 @@ permalink: /draft/operations/modsecurity_waf/ ### 9.3 ModSecurity Web Application Firewall -[ModSecurity][modsecurity] is an open source Web Application Firewall (WAF) widely deployed on web servers +[ModSecurity][modsec] is an open source Web Application Firewall (WAF) widely deployed on web servers that has been in continuous development and widespread use since 2002. In 2024 it became an OWASP Production project, supported by the existing leadership and contributors. #### What is ModSecurity? -In January 2024 the [ModSecurity][modsecurity] Web Application Firewall project was [adopted by OWASP][modsecpress], +In January 2024 the [ModSecurity][modsec] Web Application Firewall project was [adopted by OWASP][modsec-press], previously [TrustWave][trustwave] had been the custodian of this project. ModSecurity itself has a long history as an open source project, the first release was in November 2002, and is widely used as a web application firewall for cloud and on-premises web servers. @@ -42,8 +42,8 @@ or deployed within the web server itself, to provide protection against HTTP att The rules applied to the HTTP traffic are provided as configuration to ModSecurity, and these rules allow many different actions to be applied such as blocking traffic, redirecting requests, and many more. -See the documentation for [deploying and running][modsecdocs] ModSecurity, -along with the documentation on configuring ModSecurity with the [Core Rule Set][modcrsdocs]. +See the documentation for [deploying and running][modsec-docs] ModSecurity, +along with the documentation on configuring ModSecurity with the [Core Rule Set][modcrs]. ---- 
@@ -53,11 +53,10 @@ then [submit an issue][issue1103] or [edit on GitHub][edit1103]. [coraza]: https://coraza.io/ [edit1103]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/11-operations/03-modsecurity.md [issue1103]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2011-operations/03-modsecurity -[modcrs]: https://owasp.org/www-project-modsecurity-core-rule-set/ -[modcrsdocs]: https://coreruleset.org/ -[modsecdocs]: https://www.modsecurity.org/ -[modsecurity]: https://owasp.org/www-project-modsecurity/ -[modsecpress]: https://owasp.org/blog/2024/01/09/ModSecurity.html +[modcrs]: https://coreruleset.org/ +[modsec]: https://owasp.org/www-project-modsecurity/ +[modsec-docs]: https://www.modsecurity.org/ +[modsec-press]: https://owasp.org/blog/2024/01/09/ModSecurity.html [trustwave]: https://www.trustwave.com/ \newpage diff --git a/draft/11-operations/04-modsecurity-crs.md b/draft/11-operations/04-modsecurity-crs.md index 39049ef0..6de1dc92 100644 --- a/draft/11-operations/04-modsecurity-crs.md +++ b/draft/11-operations/04-modsecurity-crs.md 
@@ -15,12 +15,13 @@ permalink: /draft/operations/modsecurity_core_rule_set/ ### 9.4 ModSecurity Core Rule Set The OWASP ModSecurity [Core Rule Set][modcrs-project] (CRS) project is a set of generic attack detection rules -for use with [ModSecurity][modsecurity] compatible web application firewalls such as [OWASP Coraza][coraza]. -CRS is an OWASP Flagship tool project and can be [downloaded][modcrs-download] for either Apache or IIS/Nginx web servers. +for use with [ModSecurity][modsec] compatible web application firewalls such as [OWASP Coraza][coraza]. +CRS is an OWASP [Flagship tool project][modcrs-project] and can be [downloaded][modcrs-download] +for either Apache or IIS/Nginx web servers. #### What is the Core Rule Set? -The [Core Rule Set][modcrs] (CRS) are attack detection rules for use with [ModSecurity][modsecurity], +The [Core Rule Set][modcrs] (CRS) are attack detection rules for use with [ModSecurity][modsec], [Coraza[coraza] and other ModSecurity compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks with a minimum of false alerts. The CRS provides protection against many common attack categories, including those in the OWASP Top Ten. @@ -35,7 +36,7 @@ for various attacks and malicious traffic is blocked. #### How to use it The use of the Core Rule Set assumes that a ModSecurity, Coraza or compatible WAF has been installed. -Refer to the [Coraza tutorial][coraza-tutorial] or the [ModSecurity][modsecdocs] on how to do this. +Refer to the [Coraza tutorial][coraza-tutorial] or the [ModSecurity][modsec-docs] on how to do this. To get started with CRS refer to the Core Rule Set [installation instructions][modcrs-download]. 
@@ -51,11 +52,11 @@ then [submit an issue][issue1104] or [edit on GitHub][edit1104]. [coraza-tutorial]: https://coraza.io/docs/tutorials/quick-start/ [edit1104]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/11-operations/04-modsecurity-crs.md [issue1104]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2011-operations/04-modsecurity-crs -[modcrs-project]: https://owasp.org/www-project-modsecurity-core-rule-set/ -[modcrs-download]: https://coreruleset.org/docs/deployment/install/ [modcrs]: https://coreruleset.org/ -[modsecurity]: https://owasp.org/www-project-modsecurity/ -[modsecdocs]: https://www.modsecurity.org/ +[modcrs-download]: https://coreruleset.org/docs/deployment/install/ +[modcrs-project]: https://owasp.org/www-project-modsecurity-core-rule-set/ +[modsec]: https://owasp.org/www-project-modsecurity/ +[modsec-docs]: https://www.modsecurity.org/ [spotlight03]: https://youtu.be/88ZMKpiZbRI \newpage diff --git a/draft/13-security-gap-analysis/01-guides/01-samm.md b/draft/13-security-gap-analysis/01-guides/01-samm.md index 6d741bf8..b192f828 100644 --- a/draft/13-security-gap-analysis/01-guides/01-samm.md +++ b/draft/13-security-gap-analysis/01-guides/01-samm.md @@ -74,9 +74,9 @@ then [submit an issue][issue130101] or [edit on GitHub][edit130101]. [samma]: https://owaspsamm.org/assessment/ [sammd]: https://owaspsamm.org/model/design/ [sammg]: https://owaspsamm.org/model/governance/ -[sammi]: https://owaspsamm.org/model/implementation -[sammo]: https://owaspsamm.org/model/operations -[sammv]: https://owaspsamm.org/model/verification +[sammi]: https://owaspsamm.org/model/implementation/ +[sammo]: https://owaspsamm.org/model/operations/ +[sammv]: https://owaspsamm.org/model/verification/ [samm-project]: https://owasp.org/www-project-samm/ [samwise]: https://github.com/owaspsamm/sammwise [sammy]: https://sammy.codific.com/ 
diff --git a/draft/13-security-gap-analysis/02-blt.md b/draft/13-security-gap-analysis/02-blt.md index 29706a2a..39c33c07 100644 --- a/draft/13-security-gap-analysis/02-blt.md +++ b/draft/13-security-gap-analysis/02-blt.md @@ -49,14 +49,14 @@ and encourage users/reporters to use the [BLT app][bltapp] and chrome [extension ---- The OWASP Developer Guide is a community effort; if there is something that needs changing -then [submit an issue][issue1102] or [edit on GitHub][edit1102]. +then [submit an issue][issue1302] or [edit on GitHub][edit1302]. [blt]: https://owasp.org/www-project-bug-logging-tool/ [bltchrome]: https://github.com/OWASP/BLT-Extension [bltcore]: https://github.com/OWASP/BLT [bltapp]: https://github.com/OWASP/BLT-Flutter [bltsite]: https://blt.owasp.org/ -[edit1102]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/13-security-gap-analysis/02-blt.md -[issue1102]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2013-security-gap-analysis/02-blt +[edit1302]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/13-security-gap-analysis/02-blt.md +[issue1302]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2013-security-gap-analysis/02-blt \newpage
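Review bot: in the `draft/04-foundations/02-secure-development.md` hunks the link text stays "API Security Project" but `[apisec]` now resolves to `https://owasp.org/API-Security` (the rendered Top 10 site) rather than the project page `https://owasp.org/www-project-api-security/`, which this patch keeps only as `[apisec-project]` in `09-training-education/07-api-top-ten.md`. Either point the bullet at `[apisec-project]` (and define it in that file) or change the wording the way the `@@ -41,7` hunk of `07-api-top-ten.md` does (`[API Security Top 10][apisec]`). Also, `https://owasp.org/API-Security` is the one URL this patch touches that is left without a trailing slash while every other hunk adds one (`threat-assessment/`, `csrfguard/`, `implementation/`); worth checking whether `https://owasp.org/API-Security/` resolves and using that form everywhere `[apisec]` is defined.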
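Review bot: the identical `[sammdta]` trailing-slash fix is applied to both `draft/06-design/00-toc.md` and `draft/06-design/toc.md`, and the surrounding reference blocks (`[sammd]`, `[sammdsr]`, `[sammdsa]`, `[spdcs]`) are byte-for-byte the same in both files. If `toc.md` is a leftover from before the `00-` numbering was introduced, deleting it in this change is cleaner than keeping two copies that have to be patched in lockstep.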
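Review bot: the `[helm]` to `[wrongsecrets-helm]` rename in `draft/09-training-education/08-wrongsecrets.md` has no stated reason in either hunk, and it runs against the direction of the other renames in this patch (`[api-security]` to `[apisec]`, `[modsecurity]` to `[modsec]` shorten keys; this one lengthens it). The `\newpage` markers show the chapters are concatenated into one build, so the likely motive is a clash with another `[helm]` definition elsewhere; a sentence saying so in the PR description would stop the next editor from "simplifying" it back.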
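Review bot: adding the trailing slash to `[sammi]`, `[sammo]` and `[sammv]` in both `draft/10-culture-process/03-samm.md` and `draft/13-security-gap-analysis/01-guides/01-samm.md` is the right fix, not just cosmetics: both files define the same keys, and in a combined build two definitions of one key must carry identical URLs (`[sammd]` and `[sammg]` already match in both files). A grep for any other file that still defines `[sammi]` without the slash would close this out.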
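Review bot: in `draft/11-operations/03-modsecurity.md` the old `[modcrs]: https://owasp.org/www-project-modsecurity-core-rule-set/` definition is dropped and the `[modcrs]` key is reused for `https://coreruleset.org/` (the former `[modcrsdocs]` target). Any `[...][modcrs]` reference in that file outside the two visible hunks is silently retargeted from the OWASP project page to the CRS site; confirm there is none, or keep the project page under `[modcrs-project]` as `04-modsecurity-crs.md` does. The same key-to-URL mapping in `02-coraza.md` and `04-modsecurity-crs.md` (`[modcrs]` = coreruleset.org, `[modcrs-project]` = OWASP project page) is consistent, so this is only a concern for the ModSecurity chapter.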
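Review bot: the `@@ -15,12` hunk of `draft/11-operations/04-modsecurity-crs.md` leaves a broken link in its own context line, `[Coraza[coraza] and other ModSecurity compatible`, which is missing the `]` after `Coraza` and will render as literal brackets; since the adjacent line is already being edited, fix it to `[Coraza][coraza]` here. In the same hunk, `The [Core Rule Set][modcrs] (CRS) are attack detection rules` should read `is a set of attack detection rules`, and the new `CRS is an OWASP [Flagship tool project][modcrs-project]` links the project page a second time in the paragraph whose first sentence already uses `[modcrs-project]`. In the `@@ -35,7` hunk, `or the [ModSecurity][modsec-docs] on how to do this` is missing its noun; `or the [ModSecurity documentation][modsec-docs]` reads correctly.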
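Review bot: the `[issue1102]`/`[edit1102]` to `[issue1302]`/`[edit1302]` change in `draft/13-security-gap-analysis/02-blt.md` fixes a real duplicate-key problem, since `[issue1102]` and `[edit1102]` are also defined in `draft/11-operations/02-coraza.md` (visible earlier in this patch) and a combined build would have resolved one chapter's "submit an issue" link to the other's. The `title=Update:%2013-security-gap-analysis/02-blt` query string already matched the chapter path, so only the keys were wrong; a grep for `[issueNNNN]` keys whose number does not match their chapter directory would catch any other copy-paste leftovers of this kind.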