Commit

Permalink
Deploy the generated website via GitHub Actions
actions-user committed Nov 27, 2023
1 parent 5be9315 commit 213ea9f
Showing 7 changed files with 110 additions and 110 deletions.
2 changes: 1 addition & 1 deletion News.xml

2 changes: 1 addition & 1 deletion README.md
@@ -1 +1 @@
Website last update: 2023-11-22 at 14:41:23.
Website last update: 2023-11-27 at 13:03:24.
Binary file modified bundle.zip
30 changes: 15 additions & 15 deletions cheatsheets/Abuse_Case_Cheat_Sheet.html
Expand Up @@ -2629,7 +2629,7 @@ <h3 id="context-approach">Context &amp; approach<a class="headerlink" href="#con
<h4 id="why-clearly-identify-the-attacks">Why clearly identify the attacks<a class="headerlink" href="#why-clearly-identify-the-attacks" title="Permanent link">&para;</a></h4>
<p>Clearly identifying the attacks against which the application must defend is essential in order to enable the following steps in a project or sprint:</p>
<ul>
<li>Evaluate the business risk for each of the identified attacks in order perform a selection according to the business risk and the project/sprint budget.</li>
<li>Evaluate the business risk for each of the identified attacks in order to perform a selection according to the business risk and the project/sprint budget.</li>
<li>Derive security requirements and add them into the project specification or sprint's user stories and acceptance criteria.</li>
<li>Estimate the overhead of provision in the initial project/sprint charge that will be necessary to implement the countermeasures.</li>
<li>About countermeasures: Allow the project team to define them, and to determine in which location they are appropriate (network, infrastructure, code...) to be located.</li>
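Review bot: the corrected list item still repeats "business risk" twice ("Evaluate the business risk ... according to the business risk"); consider "Evaluate the business risk of each identified attack and select the ones to address according to that risk and the project/sprint budget." The unchanged last item, "to determine in which location they are appropriate (network, infrastructure, code...) to be located", could be tightened to "and to determine where they belong (network, infrastructure, code...)" while this passage is being polished.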
Expand Down Expand Up @@ -2675,12 +2675,12 @@ <h4 id="how-to-define-the-list-of-abuse-cases">How to define the list of Abuse C
<p><em>Example:</em></p>
<ul>
<li>Technical flagged abuse case: Add Cross Site Scripting injection into a comment input field.</li>
<li>Business flagged abuse case: Ability to modify arbitrary the price of an article in an online shop prior to pass an order causing the user to pay a lower amount for the wanted article.</li>
<li>Business flagged abuse case: Ability to arbitrarily modify the price of an article in an online shop prior to passing an order causing the user to pay a lower amount for the wanted article.</li>
</ul>
<h4 id="when-to-define-the-list-of-abuse-cases">When to define the list of Abuse Cases<a class="headerlink" href="#when-to-define-the-list-of-abuse-cases" title="Permanent link">&para;</a></h4>
<p>In agile projects, the definition workshop must be made after the meeting in which User Stories are included in a Sprint.</p>
<p>In waterfall projects, the definition workshop must be made when the business features to implement are identified and known by the business.</p>
<p>Whatever the mode of project used (agile or waterfall), the abuse cases selected to be addressed must become security requirements in each feature specification section (waterfall) or User Story acceptance criteria (agile) in order to allow additional cost/effort evaluation, identification and implementation of the countermeasures.</p>
<p>Whatever the mode of the project used (agile or waterfall), the abuse cases selected to be addressed must become security requirements in each feature specification section (waterfall) or User Story acceptance criteria (agile) in order to allow additional cost/effort evaluation, identification and implementation of the countermeasures.</p>
<p>Each abuse case must have a unique identifier in order to allow tracking throughout the whole project/sprint (details about this point will be given in the proposal section).</p>
<p>An example of unique ID format can be <strong>ABUSE_CASE_001</strong>.</p>
<p>The following figure provides an overview of the chaining of the different steps involved (from left to right):</p>
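Review bot: "Whatever the mode of the project used (agile or waterfall)" is no clearer than the original; "Whatever project mode is used (agile or waterfall)" reads naturally. In the business-flagged example, "prior to passing an order" should be "before placing an order", and the unchanged technical example "Add Cross Site Scripting injection into a comment input field" would read better as "Inject Cross-Site Scripting via a comment input field".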
Expand Down Expand Up @@ -2782,11 +2782,11 @@ <h4 id="step-2-during-the-workshop">Step 2: During the workshop<a class="headerl
<li>Appsec proposes a countermeasure and a preferred set up location (infrastructure, network, code, design...).</li>
<li>Technical people give feedback about the feasibility of the proposed countermeasure.</li>
<li>Penetration testers use the CVSS v3 (or other standard) calculator to determine a risk rating. (ex: <a href="https://www.first.org/cvss/calculator/3.0">CVSS V3 calculator</a>)</li>
<li>Risk key people accept/increase/decrease the rating to have final one that match the real business impact for the company.</li>
<li>Risk leaders should accept or modify the risk rating to determine the final risk score which accurately reflects the real business impact for the company.</li>
</ol>
</li>
<li>
<p>Business, Risk and Technical key peoples find a consensus and filter the list of abuses for the current feature to keep the ones that must be addressed, and then flag them accordingly in the <em>ABUSE CASES</em> sheet (<strong>if risk is accepted then add a comment to explain why</strong>).</p>
<p>Business, Risk, and Technical leaders should find a consensus and filter the list of abuses for the current feature to keep the ones that must be addressed, and then flag them accordingly in the <em>ABUSE CASES</em> sheet (<strong>if risk is accepted then add a comment to explain why</strong>).</p>
</li>
<li>Pass to next feature...</li>
</ol>
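Review bot: replacing "Risk key people" and "Business, Risk and Technical key peoples" with "leaders" changes terminology that the rest of the document still uses ("Key business people", "Key technical people" in Step 3), and adds "should" to steps that are otherwise written in the present tense ("Appsec proposes", "Technical people give feedback", "Penetration testers use"). Suggest keeping the role names and the tense consistent, e.g. "Risk key people accept, increase or decrease the rating so that the final one matches the real business impact for the company." and "Business, Risk and Technical key people find a consensus and filter the list of abuses ...".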
Expand All @@ -2798,21 +2798,21 @@ <h4 id="step-2-during-the-workshop">Step 2: During the workshop<a class="headerl
<li><a href="https://capec.mitre.org/">Common Attack Pattern Enumeration and Classification (CAPEC)</a></li>
</ul>
<p>Important note on attacks and countermeasure knowledge base(s):</p>
<div class="highlight"><pre><span></span><code>With the time and across projects, you will obtain your own dictionary of attacks and countermeasures
<div class="highlight"><pre><span></span><code>With time and experience across projects, you will obtain your own dictionary of attacks and countermeasures
that are applicable to the kind of application in your business domain.

This dictionary will speed up the future workshops in a significant way.

To promote the creation of this dictionary, you can, at the end of the project/sprint, gather the list
of attacks and countermeasures identified in a central location (wiki, database, file...) that will be
used during the next workshop in combination with input from penetration pesters.
used during the next workshop in combination with input from penetration testers.
</code></pre></div>
<h4 id="step-3-after-the-workshop">Step 3: After the workshop<a class="headerlink" href="#step-3-after-the-workshop" title="Permanent link">&para;</a></h4>
<p>The spreadsheet contains (at this stage) the list of all abuse cases that must be handled and, potentially (depending on the capacity) corresponding countermeasures.</p>
<p>Now, there are two remaining task:</p>
<ol>
<li>Key business people must update the specification of each feature (waterfall) or the User Story of each feature (agile) to include the associated abuse cases as Security Requirements (waterfall) or Acceptance Criteria (agile).</li>
<li>Key technical people must evaluate the overhead in terms of charge/effort to take into account the countermeasure.</li>
<li>Key technical people must evaluate the overhead in terms of expense/effort to take into account the countermeasure.</li>
</ol>
<h4 id="step-4-during-implementation-abuse-cases-handling-tracking">Step 4: During implementation - Abuse cases handling tracking<a class="headerlink" href="#step-4-during-implementation-abuse-cases-handling-tracking" title="Permanent link">&para;</a></h4>
<p>In order to track the handling of all the abuse cases, the following approach can be used:</p>
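Review bot: the unchanged line "Now, there are two remaining task:" in this hunk still has the number-agreement error; "tasks" should be fixed alongside the "pesters" typo, and "potentially (depending on the capacity) corresponding countermeasures" needs a comma after the parenthesis. "expense/effort" is a reasonable replacement for "charge/effort", but the first hunk still says "initial project/sprint charge", so the term should change in both places or neither.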
Expand All @@ -2835,7 +2835,7 @@ <h4 id="step-5-during-implementation-abuse-cases-handling-validation">Step 5: Du
<li>All the selected abuse cases are handled.</li>
<li>An abuse case is correctly/completely handled.</li>
</ul>
<p>Validations can be of the following kinds:</p>
<p>Validations can be of the following varieties:</p>
<ul>
<li>Automated (run regularly at commit, daily or weekly in the Continuous Integration Jobs of the project):<ul>
<li>Custom audit rules in Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST) tools.</li>
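Review bot: "kinds" was correct and idiomatic; swapping it for "varieties" does not improve the sentence and only adds churn to the history of this file. Suggest reverting this line.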
Expand All @@ -2850,9 +2850,9 @@ <h4 id="step-5-during-implementation-abuse-cases-handling-validation">Step 5: Du
</ul>
</li>
</ul>
<p>Adding automated tests also allow teams to track that countermeasures against the abuse cases are still effective/in place during a maintenance or bug fixing phase of a project (to prevent accidental removal/disabling). It is also useful when a <a href="https://continuousdelivery.com/">Continuous Delivery</a> approach is used, to ensure that all abuse cases protections are in place before opening access to the application.</p>
<p>Adding automated tests also allow teams to track the effectiveness of countermeasures against abuse cases and determine if the countermeasures are still in place during a maintenance or bug fixing phase of a project (to prevent accidental removal/disabling). It is also useful when a <a href="https://continuousdelivery.com/">Continuous Delivery</a> approach is used, to ensure that all abuse cases protections are in place before opening access to the application.</p>
<h3 id="example-of-derivation-of-abuse-cases-as-user-stories">Example of derivation of Abuse Cases as User Stories<a class="headerlink" href="#example-of-derivation-of-abuse-cases-as-user-stories" title="Permanent link">&para;</a></h3>
<p>The following section show an example of derivation of Abuse Cases as User Stories, here using the <a href="https://owasp.org/www-project-top-ten/">OWASP TOP 10</a> as input source.</p>
<p>The following section shows an example of derivation of Abuse Cases as User Stories, here using the <a href="https://owasp.org/www-project-top-ten/">OWASP TOP 10</a> as input source.</p>
<p>Threat Oriented Personas:</p>
<ul>
<li>Malicious User</li>
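Review bot: the subject/verb agreement error survives the edit: "Adding automated tests also allow teams" should be "Adding automated tests also allows teams". The new wording "track the effectiveness of countermeasures against abuse cases and determine if the countermeasures are still in place" is longer without saying more than the original "track that countermeasures against the abuse cases are still effective/in place"; if it stays, "all abuse cases protections" should become "all abuse-case protections".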
Expand Down Expand Up @@ -2911,7 +2911,7 @@ <h4 id="a52017-broken-access-control">A5:2017-Broken Access Control<a class="hea
<p><em>Abuse Case:</em></p>
<p>As an attacker, I access APIs with missing access controls for POST, PUT and DELETE.</p>
<p><em>Abuse Case:</em></p>
<p>As an attacker, I target default crypto keys in use, weak crypto keys generated or re-used, or keys where rotation missing is missing.</p>
<p>As an attacker, I target default crypto keys in use, weak crypto keys generated or re-used, or keys where rotation is missing.</p>
<p><em>Abuse Case:</em></p>
<p>As an attacker, I find areas where the user agent (e.g. app, mail client) does not verify if the received server certificate is valid and perform attacks where I get unauthorized access to data.</p>
<h4 id="a62017-security-misconfiguration">A6:2017-Security Misconfiguration<a class="headerlink" href="#a62017-security-misconfiguration" title="Permanent link">&para;</a></h4>
Expand All @@ -2930,12 +2930,12 @@ <h4 id="a62017-security-misconfiguration">A6:2017-Security Misconfiguration<a cl
<p><em>Abuse Case:</em></p>
<p>As an attacker, I find security settings in the application servers, application frameworks (e.g. Struts, Spring, ASP.NET), libraries, databases, etc. not set to secure values.</p>
<p><em>Abuse Case:</em></p>
<p>As an attacker, I find the server does not send security headers or directives or they are not set to secure values.</p>
<p>As an attacker, I find the server does not send security headers or directives or are set to insecure values.</p>
<h4 id="a72017-cross-site-scripting-xss">A7:2017-Cross-Site Scripting (XSS)<a class="headerlink" href="#a72017-cross-site-scripting-xss" title="Permanent link">&para;</a></h4>
<p><em>Epic:</em></p>
<p>XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two-thirds of all applications.</p>
<p><em>Abuse Case:</em></p>
<p>As an attacker, I perform reflected XSS where the application or API includes unvalidated and unescaped user input as part of HTML output. My successful attack can allow the attacker to execution of arbitrary HTML and JavaScript in my victim's browser. Typically the victim will need to interact with some malicious link that points to an attacker-controlled page, such as malicious watering hole websites, advertisements, or similar.</p>
<p>As an attacker, I perform reflected XSS where the application or API includes unvalidated and unescaped user input as part of HTML output. My successful attack can allow the attacker to execute arbitrary HTML and JavaScript in my victim's browser. Typically the victim will need to interact with some malicious link that points to an attacker-controlled page, such as malicious watering hole websites, advertisements, or similar.</p>
<p><em>Abuse Case:</em></p>
<p>As an attacker, I perform stored XSS where the application or API stores unsanitized user input that is viewed at a later time by another user or an administrator.</p>
<p><em>Abuse Case:</em></p>
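Review bot: the new wording "I find the server does not send security headers or directives or are set to insecure values" drops the subject of the second clause and no longer parses; keep "or they are set to insecure values". In the reflected XSS abuse case, "My successful attack can allow the attacker to execute" mixes first and third person inside a sentence written as "As an attacker, I ..."; "can allow me to execute" keeps the persona consistent.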
Expand All @@ -2952,7 +2952,7 @@ <h3 id="a92017-using-components-with-known-vulnerabilities">A9:2017-Using Compon
<p>As an attacker, I find common open source or closed source packages with weaknesses and perform attacks against vulnerabilities and exploits which are disclosed</p>
<h3 id="a102017-insufficient-logging-monitoring">A10:2017-Insufficient Logging &amp; Monitoring<a class="headerlink" href="#a102017-insufficient-logging-monitoring" title="Permanent link">&para;</a></h3>
<p><em>Epic:</em></p>
<p>Exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident. Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected. In 2016, identifying a breach took an <a href="https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN">average of 191 days</a> so plenty of time for damage to be inflicted.</p>
<p>Exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident. Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected. In 2016, identifying a breach took an <a href="https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN">average of 191 days</a> allowing substancial chance for damage to be inflicted.</p>
<p><em>Abuse Case:</em></p>
<p>As an attacker, I attack an organization and the logs, monitoring systems, and teams do not see or respond to my attacks.</p>
<h2 id="sources-of-the-schemas">Sources of the schemas<a class="headerlink" href="#sources-of-the-schemas" title="Permanent link">&para;</a></h2>
2 changes: 1 addition & 1 deletion search/search_index.json
