add some of Jims feedback

Author: andreashappe

docs/the-top-10/c1-accesscontrol.md

@@ -3,8 +3,11 @@
 ## Description
 
 Access Control (or Authorization) is allowing or denying specific requests from a user, program, or process. With each access control decision, a given subject requests access to a given object. Access control is the process that considers the defined policy and determines if a given subject is allowed to access a given object.
+
 Access control also involves the act of granting and revoking those privileges.
+
 Access Control often applies on multiple levels, e.g., given an application with a database backend, it applies both on the business logic level as well as on a database row level. In addition, applications can offer multiple ways of performing operations (e.g., through APIs or the website). All those different levels and access paths must be aligned, i.e., use the same access control checks, to protect against security vulnerabilities.
+
 Authorization (verifying access to specific features or resources) is not equivalent to authentication (verifying identity).
 
 ## Threats

docs/the-top-10/c10-stop-server-side-request-forgery.md

@@ -2,7 +2,9 @@
 
 ## Description
 
-While Injection Attacks typically target the victim server itself, Server-Side Request Forgery (SSRF) attacks try to coerce the server to perform a request on behalf of the attacker. Why is this beneficial for the attacker? The outgoing request will be performed with the identity of the victim server and thus the attacker might execute operations with elevated operations.
+While Injection Attacks typically target the victim server itself, Server-Side Request Forgery (SSRF) attacks try to coerce the server to perform a request on behalf of the attacker. SSRF occurs when an attacker can trick a server into making unintended requests to internal or external services, potentially bypassing security controls.
+
+Why is this beneficial for the attacker? The outgoing request will be performed with the identity of the victim server and thus the attacker might execute operations with elevated operations.
 
 ## Threats
 
@@ -19,6 +21,7 @@ There multiple ways of preventing SSRF:
 - Input validation
 - If outgoing requests have to be made, check the target against an allow-list
 - If using XML, configure parser securely to prevent XEE
+
 Be aware of [Unicode and other Character transformations](https://cheatsheetseries.owasp.org/assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_Orange_Tsai_Talk.pdf) when performing input validation.
 
 ## Vulnerabilities Prevented

docs/the-top-10/c2-crypto.md

@@ -42,8 +42,10 @@ When it comes to cryptography, there are a few simple rules:
 ### Protect data at rest
 
 The first rule of sensitive data management is to avoid storing sensitive data when at all possible. If you must store sensitive data then make sure it is cryptographically protected in some way to avoid unauthorized disclosure and modification.
+
 Cryptography (or crypto) is one of the more advanced topics of information security and one whose understanding requires the most schooling and experience. It is difficult to get right because there are many approaches to encryption, each with advantages and disadvantages that need to be thoroughly understood by web solution architects and developers. In addition, serious cryptography research is typically based on advanced mathematics and number theory, providing a serious barrier to entry.
-Designing or building cryptographic algorithms is very error-prone (see side-channel attacks). Instead of building cryptographic capability from scratch, it is strongly recommended that peer-reviewed and open solutions be used, such as the Google `Tink` project, `Libsodium`, and secure storage capability built into many software frameworks and cloud services.
+
+Designing or building cryptographic algorithms is very error-prone (see side-channel attacks). Instead of building cryptographic capability from scratch, it is strongly recommended that peer-reviewed and open solutions be used, such as the [Google Tink](https://developers.google.com/tink) project, [Libsodium](https://doc.libsodium.org/), and secure storage capability built into many software frameworks and cloud services.
 
 #### Store passwords safely
 
@@ -74,7 +76,7 @@ Attackers can steal data from web and web service applications in a number of wa
 
 #### Use current cryptographic protocols
 
-When developing web applications, use TLSv1.2 or TLSv1.3, preferably TLSv1.3. If possible, investigate the usage of HTTP/2 or HTTP/3 as they warrant the usage of security TLS versions/algorithms.
+When developing web applications, you will typically use [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security) for encryption during transit. Use TLSv1.2 or TLSv1.3, preferably TLSv1.3. If possible, investigate the usage of HTTP/2 or HTTP/3 as they warrant the usage of security TLS versions/algorithms.
 
 - Directly turn off other older protocols to avoid protocol downgrade attacks.
 - Do not offer HTTP. Disable both HTTP and SSL compression.

docs/the-top-10/c3-validate-input-and-handle-exceptions.md

@@ -72,7 +72,9 @@ Regular expressions are just one way to accomplish validation. Regular expressio
 #### Unexpected User Input (Mass Assignment)
 
 Some frameworks support automatic binding of HTTP requests parameters to server-side objects used by the application. This auto-binding feature can allow an attacker to update server-side objects that were not meant to be modified. The attacker can possibly modify their access control level or circumvent the intended business logic of the application with this feature.
+
 This attack has a number of names including: mass assignment, autobinding and object injection.
+
 As a simple example, if the user object has a field privilege which specifies the user’s privilege level in the application, a malicious user can look for pages where user data is modified and add privilege=admin to the HTTP parameters sent. If auto-binding is enabled in an insecure fashion, the server-side object representing the user will be modified accordingly.
 
 Two approaches can be used to handle this:

docs/the-top-10/c5-secure-by-default.md

@@ -2,7 +2,9 @@
 
 ## Description
 
-“Secure-by-Default” means products are resilient against prevalent exploitation techniques out of the box without additional charge. The benefit of having an application secure from the start is that it removes the burden away from developers on how to lock a system down, providing them with an already secure product. It reduces the effort required to deploy products in a secure manner and gives greater confidence that they will remain secure over time.
+“Secure-by-Default” means products are resilient against prevalent exploitation techniques out of the box without additional charge. Software should start in a secure state without requiring extensive user configuration, ensuring the default settings are always the most secure option.
+
+The benefit of having an application secure from the start is that it removes the burden away from developers on how to lock a system down, providing them with an already secure product. It reduces the effort required to deploy products in a secure manner and gives greater confidence that they will remain secure over time.
 
 ## Threats
 

docs/the-top-10/c6-use-secure-dependencies.md

@@ -2,7 +2,9 @@
 
 ## Description
 
-It is a common practice in software development to leverage libraries and frameworks. Secure libraries and software frameworks with embedded security help software developers prevent security-related design and implementation flaws. A developer writing an application from scratch might not have sufficient knowledge, time, or budget to properly implement or maintain security features. Leveraging security frameworks (both open source and vendor) help accomplish security goals more efficiently and accurately.
+It is a common practice in software development to leverage libraries and frameworks. Secure libraries and software frameworks with embedded security help software developers prevent security-related design and implementation flaws.
+
+A developer writing an application from scratch might not have sufficient knowledge, time, or budget to properly implement or maintain security features. Leveraging security frameworks (both open source and vendor) help accomplish security goals more efficiently and accurately.
 
 When possible, the emphasis should be on using the existing secure features of frameworks rather than importing yet another third party libraries, which requires regular updates and maintenance. It is preferable to have developers take advantage of what they're already using instead of forcing yet another library on them.
 

docs/the-top-10/c7-secure-digital-identities.md

@@ -6,6 +6,7 @@ Digital Identity is a unique representation of an individual, organization (or a
 
 Session management is the process by which a server maintains the state of the user’s authentication so that the user may continue to use the system without re-authenticating.
 Digital identity, authentication, and session management are very complex topics. We're scratching the surface of the topic of Digital Identity here. Ensure that your most capable engineering talent is responsible for maintaining the complexity involved with most Identity solutions.
+
 The [NIST Special Publication 800-63B: Digital Identity Guidelines (Authentication and Life Cycle Management](https://pages.nist.gov/800-63-3/sp800-63b.html) provide solid guidance on implementing digital identity, authentication, and session management controls. Below are some recommendations for secure implementation to ensure strong digital identity controls are implemented in applications.
 
 ### Authentication Assurance Levels
@@ -19,12 +20,15 @@ NIST 800-63b describes three levels of authentication assurance called Authentic
 #### Level 2 : Multi-Factor Authentication
 
 NIST 800-63b AAL level 2 is reserved for higher-risk applications that contain "self-asserted PII or other personal information made available online." At AAL level 2 multi-factor authentication is required including OTP or other forms of multi-factor implementation.
+
 Multi-factor authentication (MFA) ensures that users are who they claim to be by requiring them to identify themselves with a combination of:
 
 - Something you know – password or PIN
 - Something you own – token or phone, when using a phone please use a standard authenticator application heeding standardized protocols such as FIDO2.
 - Something you are – biometrics, such as a fingerprint
+
 Using passwords as a sole factor provides weak security. Multi-factor solutions provide a more robust solution by requiring an attacker to acquire more than one element to authenticate with the service.
+
 It is worth noting that biometrics, when employed as a single factor of authentication, are not considered acceptable secrets for digital authentication. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high-resolution images (e.g., iris patterns). Biometrics must be used only as part of multi-factor authentication with a physical authenticator (something you own). For example, accessing a multi-factor one-time password (OTP) device will generate a one-time password that the user manually enters for the verifier.
 
 #### Level 3 : Cryptographic Based Authentication
@@ -34,7 +38,9 @@ NIST 800-63b Authentication Assurance Level 3 (AAL3) is required when the impact
 ### Session Management: client- vs server-side sessions
 
 HTTP on its own is a session-less protocol: no data is shared between requests. When you look at how we are using the web, this is clearly not what is user-visible as for example you log into a website and stay logged in during subsequent requests. This is possible as session-management has been implemented on top of HTTP.
+
 Once the initial successful user authentication has taken place, an application may choose to track and maintain this authentication state for a limited amount of time. This will allow the user to continue using the application without having to keep re-authentication with each request. Tracking of this user state is called Session Management.
+
 Session-Management can be roughly categorized in client- and server-side session management. In the former, all session data is stored within the client and transmitted on each request to the server. The latter stores session-specific data on the server, e.g., in a database, and only transmits an identifier to the client. The client then submits only the session-identifier on each request and the server retrieves the session-data from the server-side storage.
 
 From a security-perspective server-side sessions have multiple benefits:
@@ -68,6 +74,7 @@ Passwords should comply with the following requirements at the very least:
 #### Implement Secure Password Recovery Mechanism
 
 It is common for an application to have a mechanism for a user to gain access to their account in the event they forget their password. A good design workflow for a password recovery feature will use multi-factor authentication elements. For example, it may ask a security question - something they know, and then send a generated token to a device - something they own.
+
 Please see the [Forgot_Password_Cheat_Sheet](https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet) and [Choosing_and_Using_Security_Questions_Cheat_Sheet](https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet) for further details.
 
 #### Implement Secure Password Storage
@@ -81,6 +88,7 @@ Typically server-side session management is implemented with HTTP cookies which
 #### Session Generation and Expiration
 
 User state is tracked in a session. This session is typically stored on the server for traditional web based session management. A session identifier is then given to the user so the user can identify which server-side session contains the correct user data. The client only needs to maintain this session identifier, which also keeps sensitive server-side session data off of the client.
+
 Here are a few controls to consider when building or implementing session management solutions:
 
 - Ensure that the session id is long, unique and random, i.e., is of high entropy.
@@ -92,12 +100,15 @@ Please see the [Session Management Cheat Sheet](https://www.owasp.org/index.php/
 ### Client-Side Session-Management
 
 Server-side sessions can be limiting for some forms of authentication. "Stateless services" allow for client side management of session data for performance purposes so the server has less of a burden to store user sessions.
+
 These "stateless" applications typically generate a short-lived access token containing all of the current user’s access permissions which is then included in all subsequent requests. Cryptography must be employed so that the client cannot alter the permissions stored within the token. When a client requests a server operation, the client includes the retrieved access token and the server verifies that the token has not been tampered with and extracts the permissions from the token. These permissions are then used for subsequent permission checks.
 
 #### JWT (JSON Web Tokens)
 
 JSON Web Token (JWT) is an open standard ([RFC 7519](https://tools.ietf.org/html/rfc7519)) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted as long as it is digitally signed by a trusted authority. A JWT token is created during authentication and is verified by the server (or servers) before any processing. However, JWTs are often not saved by the server after initial creation. JWTs are typically created and then handed to a client without being saved by the server in any way. The integrity of the token is maintained through the use of digital signatures so a server can later verify that the JWT is still valid and was not tampered with since its creation.
+
 This approach is both stateless and portable in the way that client and server technologies can be different yet still interact.
+
 Please note, that if you are using JWTs you have to make sure that the returned JWT is actually using one of the signing algorithms that you are using. Otherwise, an attacker could try to create a JWT signed with the NULL algorithm, use a MAC-vs-Signature confusion attack, or provide a custom JWS key for signing. When you are issuing JWTs, make double-sure that you are using a secure private key for signing the JWTs: each output JWT gives an attacker all information needed to perform an offline cracking attack, so you should rotate keys frequently too.
 
 ### Browser Cookies

docs/the-top-10/c9-security-logging-and-monitoring.md

@@ -2,7 +2,11 @@
 
 ## Description
 
-Logging is a concept that most developers already use for debugging and diagnostic purposes. Security logging is an equally basic concept: to log security information during the runtime operation of an application. Monitoring is the live review of application and security logs using various forms of automation. The same tools and patterns can be used for operations, debugging and security purposes.
+Logging is a concept that most developers already use for debugging and diagnostic purposes. Security logging is an equally basic concept: to log security information during the runtime operation of an application.
+
+Monitoring is the live review of application and security logs using various forms of automation. The same tools and patterns can be used for operations, debugging and security purposes.
+
+The goal of secruity logging is to detect and respond to potential security incidents.
 
 ### Benefits of Security Logging
 
@@ -20,6 +24,7 @@ Use logging to identify activity that indicates that a user is behaving maliciou
 - Submitted data that involves changes to data that should not be modifiable (select list, checkbox or other limited entry component).
 - Requests that violate server-side access control rules.
 - A more comprehensive list of possible detection points is available [here](https://cheatsheetseries.owasp.org/cheatsheets/Application_Logging_Vocabulary_Cheat_Sheet.html).
+
 When your application encounters such activity, your application should at the very least log the activity and mark it as a high severity issue. Ideally, your application should also respond to a possible identified attack, by for example invalidating the user’s session and locking the user’s account. The response mechanisms allow the software to react in realtime to possible identified attacks.
 
 ### Secure Logging Design

docs/the-top-10/introduction.md docs/the-top-10/index.md

@@ -8,6 +8,7 @@ theme:
     - 404.html
     - google6fbf6cc04efaa5b5.html
   features:
+    - navigation.indexes
     - navigation.sections
     - navigation.tracking
     - navigation.path
@@ -61,13 +62,13 @@ copyright: |
 
 nav:
   - 'Current Top 10 (WIP, 2024)':
-    - 'About this Project': index.md
+    - index.md
     - 'In the News': introduction/in-the-news.md
     - 'How to contribute?': introduction/contributing.md
     - 'About OWASP': introduction/about-owasp.md
     - 'Related OWASP Projects': introduction/related-owasp-projects.md
     - 'Top 10 Proactive Controls:':
-      - "Introduction": the-top-10/introduction.md
+      - the-top-10/index.md
       - "C1: Implement Access Control": the-top-10/c1-accesscontrol.md
       - "C2: Use Cryptography to Protect Data": the-top-10/c2-crypto.md
       - "C3: Validate all Input & Handle Exceptions": the-top-10/c3-validate-input-and-handle-exceptions.md
@@ -112,7 +113,7 @@ plugins:
         'v4/en/c4-secure-architecture.md': 'the-top-10/c4-secure-architecture.md'
         'v4/en/c5-secure-by-default.md': 'the-top-10/c5-secure-by-default.md'
         'v4/en/c6-use-secure-dependencies.md': 'the-top-10/c6-use-secure-dependencies.md'
-        'v4/en/c7-implement-digital-identity.md': 'the-top-10/c7-implement-digital-identity.md'
+        'v4/en/c7-implement-digital-identity.md': 'the-top-10/c7-secure-digital-identities.md'
         'v4/en/c8-help-the-browser-defend-the-user.md': 'the-top-10/c8-leverage-browser-security-features.md'
         'v4/en/c9-security-logging-and-monitoring.md': 'the-top-10/c9-security-logging-and-monitoring.md'
         'v4/en/c10-stop-server-side-request-forgery.md': 'the-top-10/c10-stop-server-side-request-forgery.md'