diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 76b88c5d..a9f28b5e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,8 +12,8 @@ updates:
patterns:
- "*"
update-types:
- - "minor"
- "patch"
+ - "minor"
security-update:
applies-to: security-updates
patterns:
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 7a01ec42..319258d4 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -20,10 +20,10 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout markdown
- uses: actions/checkout@v6.0.1
+ uses: actions/checkout@v6.0.2
- name: Link Checker
- uses: lycheeverse/lychee-action@v2.7.0
+ uses: lycheeverse/lychee-action@v2.8.0
with:
args: >-
--no-progress
@@ -42,7 +42,7 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout markdown
- uses: actions/checkout@v6.0.1
+ uses: actions/checkout@v6.0.2
- name: Lint markdown
uses: DavidAnson/markdownlint-cli2-action@v22.0.0
@@ -58,22 +58,22 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout markdown
- uses: actions/checkout@v6.0.1
+ uses: actions/checkout@v6.0.2
- name: Spell check EN language
- uses: rojopolis/spellcheck-github-actions@0.56.0
+ uses: rojopolis/spellcheck-github-actions@0.58.0
with:
config_path: .spellcheck-en.yaml
- name: Spell check ES language
- uses: rojopolis/spellcheck-github-actions@0.56.0
+ uses: rojopolis/spellcheck-github-actions@0.58.0
with:
config_path: .spellcheck-es.yaml
# rojopolis/spellcheck-github-actions does not support PT-BR,
# only PT, and PT-BR is too different to pass a PT spellcheck
- name: Set up Python for PT-BR
- uses: actions/setup-python@v6.1.0
+ uses: actions/setup-python@v6.2.0
with:
python-version: '3.10'
@@ -93,10 +93,10 @@ jobs:
needs: [md_linter, spell_checker]
steps:
- name: Checkout markdown
- uses: actions/checkout@v6.0.1
+ uses: actions/checkout@v6.0.2
- name: Install python
- uses: actions/setup-python@v6.1.0
+ uses: actions/setup-python@v6.2.0
with:
python-version: 3.x
@@ -127,10 +127,10 @@ jobs:
needs: [md_linter, spell_checker]
steps:
- name: Checkout markdown
- uses: actions/checkout@v6.0.1
+ uses: actions/checkout@v6.0.2
- name: Install python
- uses: actions/setup-python@v6.1.0
+ uses: actions/setup-python@v6.2.0
with:
python-version: 3.x
diff --git a/.github/workflows/housekeeping.yaml b/.github/workflows/housekeeping.yaml
index 5323c540..cf75b1ea 100644
--- a/.github/workflows/housekeeping.yaml
+++ b/.github/workflows/housekeeping.yaml
@@ -25,7 +25,7 @@ jobs:
keep_minimum_runs: 10
- name: Delete unused workflows
- uses: otto-de/purge-deprecated-workflow-runs@v4.0.2
+ uses: otto-de/purge-deprecated-workflow-runs@v4.0.3
with:
token: ${{ github.token }}
@@ -34,10 +34,10 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout markdown
- uses: actions/checkout@v6.0.1
+ uses: actions/checkout@v6.0.2
- name: Link Checker
- uses: lycheeverse/lychee-action@v2.7.0
+ uses: lycheeverse/lychee-action@v2.8.0
with:
# skip the jekyll files under '_includes' directory, check all other directories
args: >-
@@ -61,7 +61,7 @@ jobs:
steps:
- name: Tidy stale PRs and issues
- uses: actions/stale@v10.1.1
+ uses: actions/stale@v10.2.0
with:
days-before-issue-stale: 183
days-before-issue-close: -1
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index b3d51e6e..3e038d67 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -13,10 +13,10 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout markdown
- uses: actions/checkout@v6.0.1
+ uses: actions/checkout@v6.0.2
- name: Link Checker
- uses: lycheeverse/lychee-action@v2.7.0
+ uses: lycheeverse/lychee-action@v2.8.0
with:
args: >-
--exclude 'github\.com/OWASP/DevGuide/blob/main/docs'
@@ -36,7 +36,7 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout markdown
- uses: actions/checkout@v6.0.1
+ uses: actions/checkout@v6.0.2
- name: Lint markdown
uses: DavidAnson/markdownlint-cli2-action@v22.0.0
@@ -52,10 +52,10 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout markdown
- uses: actions/checkout@v6.0.1
+ uses: actions/checkout@v6.0.2
- name: Spell check EN language
- uses: rojopolis/spellcheck-github-actions@0.56.0
+ uses: rojopolis/spellcheck-github-actions@0.58.0
with:
config_path: .spellcheck-en.yaml
@@ -64,10 +64,10 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout markdown
- uses: actions/checkout@v6.0.1
+ uses: actions/checkout@v6.0.2
- name: Spell check ES language
- uses: rojopolis/spellcheck-github-actions@0.56.0
+ uses: rojopolis/spellcheck-github-actions@0.58.0
with:
config_path: .spellcheck-es.yaml
@@ -76,12 +76,12 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout markdown
- uses: actions/checkout@v6.0.1
+ uses: actions/checkout@v6.0.2
# rojopolis/spellcheck-github-actions does not support PT-BR,
# only PT, and PT-BR is too different to pass a PT spellcheck
- name: Set up Python
- uses: actions/setup-python@v6.1.0
+ uses: actions/setup-python@v6.2.0
with:
python-version: '3.10'
@@ -101,10 +101,10 @@ jobs:
needs: [md_linter, spell_checker_en, spell_checker_es, spell_checker_pt-br]
steps:
- name: Checkout markdown
- uses: actions/checkout@v6.0.1
+ uses: actions/checkout@v6.0.2
- name: Install python
- uses: actions/setup-python@v6.1.0
+ uses: actions/setup-python@v6.2.0
with:
python-version: 3.x
@@ -132,10 +132,10 @@ jobs:
needs: [build_check]
steps:
- name: Checkout markdown
- uses: actions/checkout@v6.0.1
+ uses: actions/checkout@v6.0.2
- name: Install python
- uses: actions/setup-python@v6.1.0
+ uses: actions/setup-python@v6.2.0
with:
python-version: 3.x
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 0e74a8b9..94282fce 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -15,10 +15,10 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout markdown
- uses: actions/checkout@v6.0.1
+ uses: actions/checkout@v6.0.2
- name: Install python
- uses: actions/setup-python@v6.1.0
+ uses: actions/setup-python@v6.2.0
with:
python-version: 3.x
@@ -46,7 +46,7 @@ jobs:
needs: [export_pdf]
steps:
- name: Check out
- uses: actions/checkout@v6.0.1
+ uses: actions/checkout@v6.0.2
- name: Fetch prepared SBOM artifacts
uses: actions/download-artifact@v7.0.0
diff --git a/.wordlist-en.txt b/.wordlist-en.txt
index 5cf2fbc1..a02ef746 100644
--- a/.wordlist-en.txt
+++ b/.wordlist-en.txt
@@ -162,6 +162,7 @@ LINNDUN
LLM
LSMs
Laravel
+LevelBlue
Lezza
LifeCycle
Lifecycle
diff --git a/.wordlist-es.txt b/.wordlist-es.txt
index e2a44141..4a30c965 100644
--- a/.wordlist-es.txt
+++ b/.wordlist-es.txt
@@ -263,6 +263,7 @@ leaks
learning
left
Left
+LevelBlue
LFD
library
LINDDUN
diff --git a/docs/en/04-design/01-threat-modeling/01-threat-modeling-project.md b/docs/en/04-design/01-threat-modeling/01-threat-modeling-project.md
index abba2362..dcec0d83 100644
--- a/docs/en/04-design/01-threat-modeling/01-threat-modeling-project.md
+++ b/docs/en/04-design/01-threat-modeling/01-threat-modeling-project.md
@@ -1,4 +1,4 @@
-The [Threat Model Project][tmproject] is an over-arching project provided by OWASP
+The OWASP [Threat Modeling Project][tmproject] is an over-arching project
that seeks to inform and guide on the very large domain that is [Threat Modeling][tmptm].
#### What is the Threat Model project?
@@ -6,14 +6,15 @@ that seeks to inform and guide on the very large domain that is [Threat Modeling
The Threat Model project is not intended to be a primary source on the threat modeling domain;
there are already many excellent sources that describe and explain threat modeling that this project does not need to repeat.
-Instead the Threat Model project seeks to provide information on [threat modeling techniques][tmpapp]
+Instead the Threat Model project seeks to provide direction on [threat modeling techniques][tmpapp]
for applications and systems of all types, with a focus on current and emerging techniques.
+To provide this the project intends to collate threat modeling techniques, methodologies, tools and examples.
+
-To do this project intends to gather techniques, methodologies, tools and examples.
-There is also the intention to foster a threat modeling community and support it through initiatives and forums.
+There is also the aim to foster a threat modeling community and support it through initiatives and forums.
-Note that much of this is what the project intends to provide in the future.
-As of January 2026 the project is going through a change process that will better provide this information and guidance.
+Note that much of this are intentions for the future;
+as of January 2026 the project is going through a change process that will better provide this information and guidance.
+At present it is at OWASP Incubator status with promotion to Laboratory status expected later in 2026.
#### Why refer to this project?
@@ -21,8 +22,8 @@ The [Threat Modeling][tmproject] project is an over-arching project for the othe
It can be used as a landing page for all things threat modeling;
the starting point for finding [resources and tools][tmpres] as well as the core concepts.
-For example there is an introduction to Shostack's [Four Question Framework][4QFW],
-that then references the primary source if the user needs to know more.
+For example there is an introduction to Shostack's [Four Question Framework][4QFW]
+that references the primary source if the user needs to know more.
#### OWASP threat modeling projects
diff --git a/docs/en/05-implementation/03-secure-libraries/04-java-secure-libs.md b/docs/en/05-implementation/03-secure-libraries/04-java-secure-libs.md
new file mode 100644
index 00000000..dd9dd77b
--- /dev/null
+++ b/docs/en/05-implementation/03-secure-libraries/04-java-secure-libs.md
@@ -0,0 +1,46 @@
+The OWASP [Java HTML Sanitizer][html-sanitizer-project] and OWASP [Java Encoder][java-encoder-project] projects
+are security libraries for Java web applications that provide output encoding and HTML input sanitization.
+
+The OWASP [JSON Sanitizer][json-sanitizer] Java library is used to ensure JSON input / output is standards compliant.
+
+#### What are they?
+
+Java Encoder
+contextual output encoding as part of a defense in depth approach to preventing XSS
+
+#### Why use the libraries?
+
+The use of these libraries is widely used to protect against
+
+and remain widely used to this day.
+
+These are both established projects with a regular release history from 2026 back to 2013.
+
+The OWASP [JSON Sanitizer][json-sanitizer] Java library is less well supported
+but should be considered for JSON specific output sanitization; it is a direct dependency for literally 1000s of projects.
+
+#### How to use the libraries
+
+[via Maven][java-encoder]
+
+#### References
+
+* OWASP [Cross Site Scripting prevention][csxss] Cheatsheet
+* OWASP [Java Encoder][java-encoder-github]
+* OWASP [Java HTML Sanitizer][html-sanitizer]
+* OWASP [JSON Sanitizer][json-sanitizer]
+
+----
+
+The OWASP Developer Guide is a community effort; if there is something that needs changing
+then [submit an issue][issue050304] or [edit on GitHub][edit050304].
+
+[csxss]: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet
+[edit050304]: https://github.com/OWASP/DevGuide/blob/main/docs/en/05-implementation/03-secure-libraries/04-java-secure-libs.md
+[html-sanitizer]: https://github.com/OWASP/java-html-sanitizer/releases/latest/
+[html-sanitizer-project]: https://owasp.org/www-project-java-html-sanitizer/
+[issue050304]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2005-implementation/03-secure-libraries/04-java-secure-libs
+[java-encoder]: http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.owasp.encoder%22
+[java-encoder-github]: https://github.com/OWASP/owasp-java-encoder/releases/latest/
+[java-encoder-project]: https://owasp.org/www-project-java-encoder/
+[json-sanitizer]: https://github.com/OWASP/json-sanitizer/releases/latest/
diff --git a/docs/en/06-verification/04-vulnerability-management/01-defectdojo.md b/docs/en/06-verification/04-vulnerability-management/01-defectdojo.md
index d4e615a7..7b4b7b2c 100644
--- a/docs/en/06-verification/04-vulnerability-management/01-defectdojo.md
+++ b/docs/en/06-verification/04-vulnerability-management/01-defectdojo.md
@@ -65,7 +65,7 @@ then [submit an issue][issue080401] or [edit on GitHub][edit080401].
[defectdojo]: https://defectdojo.com/
[defectdojo-docs]: https://docs.defectdojo.com/
[defectdojo-docker]: https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/DOCKER.md
-[defectdojo-install]: https://docs.defectdojo.com/en/about_defectdojo/new_user_checklist/
+[defectdojo-install]: https://docs.defectdojo.com/get_started/about/
[defectdojo-project]: https://owasp.org/www-project-defectdojo/
[defectdojo-tools]: https://defectdojo.com/integrations
[edit080401]: https://github.com/OWASP/DevGuide/blob/main/docs/en/06-verification/04-vulnerability-management/01-defectdojo.md
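Review bot: Several lines of the new page are unfinished fragments rather than sentences — `Java Encoder` / `contextual output encoding as part of a defense in depth approach to preventing XSS` under "What are they?", `The use of these libraries is widely used to protect against` followed by `and remain widely used to this day.` under "Why use the libraries?", and `[via Maven][java-encoder]` standing alone under "How to use the libraries" — so the page will publish as a draft. Each heading needs at least one complete sentence that the page already has the facts for: the Java Encoder for contextual output encoding, the Java HTML Sanitizer for sanitizing untrusted HTML input, and the JSON Sanitizer for keeping JSON input and output standards compliant; otherwise hold the page until they are written. The `[java-encoder]` reference in the link block uses plain `http://search.maven.org/...`; change it to `https://` so the link checker and readers are not sent over cleartext. `literally 1000s of projects` reads better as `thousands of projects`.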
diff --git a/docs/en/07-training-education/02-secure-coding-dojo.md b/docs/en/07-training-education/02-secure-coding-dojo.md
index f72df1b9..a89aa664 100644
--- a/docs/en/07-training-education/02-secure-coding-dojo.md
+++ b/docs/en/07-training-education/02-secure-coding-dojo.md
@@ -46,7 +46,7 @@ to practice penetration testing.
The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0902] or [edit on GitHub][edit0902].
-[codedojo]: https://securecodingdojo.owasp.org/
+[codedojo]: https://securecodingdojo.owasp.org/public/index.html
[codedojo-insecure]: https://github.com/OWASP/SecureCodingDojo/wiki/Running-Insecure.Inc
[codedojo-install]: https://github.com/OWASP/SecureCodingDojo/wiki/Deploying-with-Docker
[codedojo-project]: https://owasp.org/www-project-secure-coding-dojo/
diff --git a/docs/en/09-operations/03-modsecurity.md b/docs/en/09-operations/03-modsecurity.md
index b7168271..e7af6248 100644
--- a/docs/en/09-operations/03-modsecurity.md
+++ b/docs/en/09-operations/03-modsecurity.md
@@ -6,7 +6,7 @@ In 2024 it became an OWASP Production project, supported by the existing leaders
#### What is ModSecurity?
In January 2024 the [ModSecurity][modsec] Web Application Firewall project was [adopted by OWASP][modsec-press],
-previously [TrustWave][trustwave] had been the custodian of this project.
+previously TrustWave (now [LevelBlue][levelblue]) had been the custodian of this project.
ModSecurity itself has a long history as an open source project, the first release was in November 2002,
and is widely used as a web application firewall for [cloud applications][cscloud] and on-premises web servers.
@@ -39,7 +39,7 @@ then [submit an issue][issue1103] or [edit on GitHub][edit1103].
[cscloud]: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Cloud_Architecture_Cheat_Sheet
[edit1103]: https://github.com/OWASP/DevGuide/blob/main/docs/en/09-operations/03-modsecurity.md
[issue1103]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2009-operations/03-modsecurity
+[levelblue]: https://www.levelblue.com/
[modsec]: https://owasp.org/www-project-modsecurity/
[modsec-docs]: https://modsecurity.org/
[modsec-press]: https://owasp.org/blog/2024/01/09/ModSecurity.html
-[trustwave]: https://www.trustwave.com/
diff --git a/docs/es/06-verification/04-vulnerability-management/01-defectdojo.md b/docs/es/06-verification/04-vulnerability-management/01-defectdojo.md
index 1c2d055d..77382e86 100644
--- a/docs/es/06-verification/04-vulnerability-management/01-defectdojo.md
+++ b/docs/es/06-verification/04-vulnerability-management/01-defectdojo.md
@@ -70,7 +70,7 @@ La Guía para Desarrolladores de OWASP es un esfuerzo comunitario; si hay algo q
[defectdojo]: https://defectdojo.com/
[defectdojo-docs]: https://docs.defectdojo.com/
[defectdojo-docker]: https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/DOCKER.md
-[defectdojo-install]: https://docs.defectdojo.com/en/about_defectdojo/new_user_checklist/
+[defectdojo-install]: https://docs.defectdojo.com/get_started/about/
[defectdojo-project]: https://owasp.org/www-project-defectdojo/
[defectdojo-tools]: https://defectdojo.com/integrations
[edit080401]: https://github.com/OWASP/DevGuide/blob/main/docs/es/06-verification/04-vulnerability-management/01-defectdojo.md
diff --git a/mkdocs-pdf-en.yaml b/mkdocs-pdf-en.yaml
index 8f414b65..39deb7b3 100644
--- a/mkdocs-pdf-en.yaml
+++ b/mkdocs-pdf-en.yaml
@@ -91,6 +91,7 @@ nav:
- ESAPI: en/05-implementation/03-secure-libraries/01-esapi.md
- CSRFGuard: en/05-implementation/03-secure-libraries/02-csrf-guard.md
- OSHP: en/05-implementation/03-secure-libraries/03-secure-headers.md
+ - Java: en/05-implementation/03-secure-libraries/04-java-secure-libs.md
- MASWE: en/05-implementation/04-maswe.md
- Verification:
- Overview: en/06-verification/index.md
diff --git a/mkdocs-pdf-es.yaml b/mkdocs-pdf-es.yaml
index d00378f0..ed75a3e6 100644
--- a/mkdocs-pdf-es.yaml
+++ b/mkdocs-pdf-es.yaml
@@ -96,6 +96,7 @@ nav:
- ESAPI: es/05-implementation/03-secure-libraries/01-esapi.md
- CSRFGuard: es/05-implementation/03-secure-libraries/02-csrf-guard.md
- OSHP: es/05-implementation/03-secure-libraries/03-secure-headers.md
+ - Java: en/05-implementation/03-secure-libraries/04-java-secure-libs.md
- MASWE: es/05-implementation/04-maswe.md
- Verificación:
- Descripción: es/06-verification/index.md
diff --git a/mkdocs-pdf-fa.yaml b/mkdocs-pdf-fa.yaml
index de1514c0..96bd5f0c 100644
--- a/mkdocs-pdf-fa.yaml
+++ b/mkdocs-pdf-fa.yaml
@@ -91,6 +91,7 @@ nav:
- ESAPI: en/05-implementation/03-secure-libraries/01-esapi.md
- CSRFGuard: en/05-implementation/03-secure-libraries/02-csrf-guard.md
- OSHP: en/05-implementation/03-secure-libraries/03-secure-headers.md
+ - Java: en/05-implementation/03-secure-libraries/04-java-secure-libs.md
- MASWE: en/05-implementation/04-maswe.md
- Verification:
- Overview: en/06-verification/index.md
diff --git a/mkdocs-pdf-pt-br.yaml b/mkdocs-pdf-pt-br.yaml
index 88e20e3a..0863bf38 100644
--- a/mkdocs-pdf-pt-br.yaml
+++ b/mkdocs-pdf-pt-br.yaml
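Review bot: The added `- Java:` entry in the mkdocs-pdf-es.yaml hunk points at the English page `en/05-implementation/03-secure-libraries/04-java-secure-libs.md` while its neighbours ESAPI, CSRFGuard and OSHP resolve under `es/`, so the Spanish PDF will carry an English section at that point. That is presumably deliberate because no Spanish translation exists yet (the fa and pt-br configs fall back to `en/` for the whole section), but in the es file it is easy to mistake for a copy-paste slip. An inline comment would record the intent, e.g. `- Java: en/05-implementation/03-secure-libraries/04-java-secure-libs.md  # no es/ translation yet, falls back to the English page`, and gives a grep target for switching the path once a translation lands.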
@@ -94,6 +94,7 @@ nav:
- ESAPI: en/05-implementation/03-secure-libraries/01-esapi.md
- CSRFGuard: en/05-implementation/03-secure-libraries/02-csrf-guard.md
- OSHP: en/05-implementation/03-secure-libraries/03-secure-headers.md
+ - Java: en/05-implementation/03-secure-libraries/04-java-secure-libs.md
- MASWE: en/05-implementation/04-maswe.md
- Verification:
- Overview: en/06-verification/index.md
diff --git a/mkdocs.yaml b/mkdocs.yaml
index 4d52201e..806700bc 100644
--- a/mkdocs.yaml
+++ b/mkdocs.yaml
@@ -111,6 +111,7 @@ nav:
- ESAPI: en/05-implementation/03-secure-libraries/01-esapi.md
- CSRFGuard: en/05-implementation/03-secure-libraries/02-csrf-guard.md
- OSHP: en/05-implementation/03-secure-libraries/03-secure-headers.md
+ - Java: en/05-implementation/03-secure-libraries/04-java-secure-libs.md
- MASWE: en/05-implementation/04-maswe.md
- Verification:
- Overview: en/06-verification/index.md