diff --git a/.wordlist-en.txt b/.wordlist-en.txt index 7743e35d..af76f3d2 100644 --- a/.wordlist-en.txt +++ b/.wordlist-en.txt @@ -1,5 +1,5 @@ -AES AEAD +AES APIT APIs APK @@ -7,7 +7,7 @@ ARP ASVS AUTH Adoptium -alirezakkt +Amauri Analyser Andra Andreas @@ -17,16 +17,18 @@ AppSec AppSensor Arithmatex Atlassian +BOLA BOM BOMs +BOPLA BOV BetterEm +Bizerra Bluesky Brømsø CAPEC CCM CFB -ChaCha CISO CMS CMSeeK @@ -45,6 +47,7 @@ CVSS CWE Canonicalisation Cavalcanti +ChaCha ChartMuseum Cheatsheet Cheatsheets @@ -81,6 +84,7 @@ Dracon ECB ENISA ESAPI +Ebihara Ecommerce Elie EscapeAll @@ -218,6 +222,7 @@ RSA RansomWare Recx Riccardo +Roxana Ruleset SAFEcode SAML @@ -307,6 +312,7 @@ WHATWG WPScan WSTG Wayfinder +WebDAV WebGoat WebGoat's WebHook @@ -321,10 +327,13 @@ XML XSS XXE YAML +Yuuki ZH aSemy ai algorithmically +alirezakkt +allowlist angularjs api architected @@ -407,6 +416,7 @@ frontends gamification gamifies gamify +git github gitlab gmail @@ -423,6 +433,7 @@ integrations intel interoperate io +ip iteratively javascript js @@ -465,6 +476,7 @@ permalink personalization plaintext pre +printf programmatically proscriptive px @@ -495,10 +507,13 @@ skf socio soupsieve stacktrace +strcat +strcpy subcommand subcommands subdirectories subdirectory +svn synchronizer templating testbed @@ -506,8 +521,10 @@ testssl threatspec toolchain transactional +tunable txt typosquatting +unencrypted unforgeable unicode unkeyed @@ -526,19 +543,3 @@ wstg wtf www xsaero -Roxana -Amauri -Bizerra -Ebihara -Yuuki -svn -git -BOPLA -BOLA -WebDAV -tunable -allowlist -printf -strcat -strcpy -unencrypted diff --git a/docs/en/04-design/02-web-app-checklist/06-digital-identity.md b/docs/en/04-design/02-web-app-checklist/06-digital-identity.md index 0daf0c9c..8f6b6b46 100644 --- a/docs/en/04-design/02-web-app-checklist/06-digital-identity.md +++ b/docs/en/04-design/02-web-app-checklist/06-digital-identity.md 
@@ -21,7 +21,8 @@ and use the list below as suggestions for a checklist that has been tailored for 9. Administrative and account management must be at least as secure as the primary authentication mechanism 10. Use [Multi-Factor Authentication][csmfa] (MFA) for sensitive or high value transactional accounts 11. Re-authenticate users prior to performing critical operations -12. Enforce account disabling after an established number of invalid login attempts +12. Enforce account disabling after an established number of invalid login attempts, or add a random tunable + delay for authentication failures to defer brute force attacks and protect against timing attacks 13. Utilize authentication for connections to external systems that involve sensitive information or functions 14. Authentication credentials for accessing services external to the application should be stored in a secure store 15. Use only HTTP POST requests to transmit authentication credentials @@ -33,7 +34,6 @@ and use the list below as suggestions for a checklist that has been tailored for 20. Authentication failure responses should not give away the existent of user accounts by allowing the response time to differ, depending on whether a username exist or not. Use a DB transaction that looks for a fake user profile in case the username doesn't exist -21. Add a random tunable delay for authentication failures to defer brute force attacks and protect against timing attacks #### 2. Passwords diff --git a/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md b/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md index 48bdbd3b..d97cbb05 100644 --- a/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md +++ b/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md 
@@ -32,6 +32,11 @@ and use the list below as suggestions for a checklist that has been tailored for 7. Synchronize across nodes to ensure that timestamps are consistent 8. All logging controls should be implemented on a trusted system 9. Ensure that a mechanism exists to conduct log analysis +10. Each log entry must includes necessary metadata (such as when, where, who, what) that would allow for a detailed + investigation of the timeline when an event happens +11. Each log entry must include a time stamp, severity, tagging of security events, + identity of the account holder, trace id and span id that can be correlated against the end user's ip, event outcome, + event description #### 3. Monitoring
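Review bot: in the 06-digital-identity.md hunk, merging the old item 21 into item 12 with "or" presents the random delay as an alternative to disabling the account after N invalid attempts, but the two are complementary controls (lockout or throttling caps the number of guesses, the delay slows each guess and masks response-time differences), so "and/or" or keeping the delay as its own item would avoid readers picking one and dropping the other. A random delay on failures alone also does not equalize the success and failure paths, so the "protect against timing attacks" claim should stay tied to item 20's constant-time lookup of a fake profile; consider phrasing item 12 as "... and add a random tunable delay to authentication failures to slow brute force attempts (see item 20 for timing)". Unrelated but visible in the same hunk: item 20 has "existent of user accounts" (existence) and "whether a username exist" (exists), worth fixing while this list is being touched.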
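Review bot: in the 09-logging-monitoring.md hunk, "must includes" in item 10 should be "must include", and item 11 then spells out the same metadata item 10 asks for, so the two overlap; either merge them into one item or make item 11 the concrete list under item 10 so there is a single requirement to check against. Within item 11, "time stamp" should match "timestamps" used in item 7, "ip" should be "IP address", and "trace id and span id that can be correlated against the end user's ip" reads as if trace/span IDs were matched to an IP; since they correlate a request across services, "a trace ID and span ID for correlating related events across components, the client IP address, the event outcome and a description" states the intent more clearly.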