Merge pull request #22 from vbakke/feat/descriptions-enhancement

'Context-aware output encoding' and 'Parametrization'

Author: wurstbrot

src/assets/YAML/default/BuildAndDeployment/Build.yaml

@@ -41,14 +41,20 @@ Build and Deployment:
       comments: ""
     Defined build process:
       uuid: f6f7737f-25a9-4317-8de2-09bf59f29b5b
+      description: |
+        A *build process* include more than just compiling your source code. 
+        It also includes steps such as managing (third party) dependencies, 
+        environment configuration, running the unit tests, etc. 
+        
+        A *defined build process* has automated these steps to ensure consistency.
+
+        This can be done with a Jenkinsfile, Maven, or similar tools.
       risk:
         Performing builds without a defined process is error prone; for example,
         as a result of incorrect security related configuration.
       measure:
         A well defined build process lowers the possibility of errors during
         the build process.
-      description: |
-        A build process can be defined in code, for example in a `Jenkinsfile`.
       difficultyOfImplementation:
         knowledge: 2
         time: 3

src/assets/YAML/default/Implementation/ApplicationHardening.yaml

@@ -50,24 +50,78 @@ Implementation:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 8.22
       comments: ""
-    Contextualized Encoding:
+    Context-aware output encoding:
       uuid: e1f37abb-d848-4a3a-b3df-65e91a89dcb7
+      description: |
+        **Input validation** stops malicious data from entering your system. \
+        **Output encoding** neutralizes malicious data before rendering to user, or the next system.
+
+        Input validation and output encoding work together. Apply both. 
+
+        **Context-aware output encoding** encodes data differently, depending on its context. In the sample below the `{{bad_data}}` must be encoded differently, depending on its context, to render safe HTML.
+
+        ```html
+        <div>{{bad_data}}</div>
+        <a href="{{bad_data}}">Click me</a>
+        <script>var x = '{{bad_data}}';</script>
+        <script>/** Comment {{bad_data}} */</script>
+        ```                
       risk:
-        The generation of interpreter directives from user-provided data poses difficulties and can introduce vulnerabilities to injection attacks.
+        If an attacker manages to slip though your input validation, the attacker may gain control over the user session or execute arbitrary actions.
       measure: |
-        Implementing contextualized encoding for the next interpreter, such as employing object-relational mapping tools 
-        or utilizing prepared statements, nearly removes the threat of injection vulnerabilities.
-        
-        Also take into account a secure by default UI framework, which performs automatic contextual encoding of outputs with potential malicious user input (e.g. angular).
+        * Use modern secure frameworks such as React/Angular/Vue/Svelte. The default method here renders data in a safe way.
+        * Use established and well-maintained encoding libraries such as OWASP’s Java Encoder and Microsoft’s AntiXSS.
+        * Implement content security policies (CSP) to restrict the types of content that can be loaded and executed.
       difficultyOfImplementation:
-        knowledge: 2
+        knowledge: 1
         time: 2
         resources: 1
       usefulness: 3
       level: 1
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-dom-xss-cheats
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/cwe-838
+      references:
+        samm2:
+          - D-SR-1-A
+        iso27001-2017:
+          - Hardening is not explicitly covered by ISO 27001 - too specific
+          - 13.1.3
+        iso27001-2022:
+          - Hardening is not explicitly covered by ISO 27001 - too specific
+          - 8.22
+      comments: ""
+    Parametrization:
+      uuid: 00e91a8a-3972-4692-8679-674ab8547486
       description: |
-        Bear in mind that utilizing frameworks is a recommended approach; however, they can develop known security weaknesses over time. Diligent and regular patching is crucial.
-      implementation: []
+        By concatenating strings from user input to build SQL queries, an attacker can manipulate the query to do other unintentional SQL commands as well.
+
+        This is called *SQL injection* but the principle applies to NoSql, and anywhere that your code is building commands that will be executed.
+
+        Pay attention to these two lines of code. They seem similar, but behave very differently.
+
+          * `sql.execute("SELECT * FROM table WHERE ID = " + id);`
+          * `sql.execute("SELECT * FROM table WHERE ID = ?", id);`
+        The second line is parameterized. The same principle applies to other types, such as command line execution, etc.
+      risk: |
+        Systems vulnerable to injections may lead to data breaches, loss of data, 
+        unauthorized alteration of data, or complete database compromise or downtime.
+
+        This applies to SQL, NoSql, LDAP, XPath, email headers OS commands, etc. 
+      measure: |
+        * Identify which of the types your application is using. Check that you use:
+          * Use _parametrized queries_ (or _prepared statements_)
+        * For database queries, you may also use:
+          * Use _stored procedures_ ()
+          * Use ORM (Object-Relational Mapping) tools that automatically handle input sanitization
+      difficultyOfImplementation:
+        knowledge: 1
+        time: 2
+        resources: 1
+      usefulness: 3
+      level: 1
+      implementation: 
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-parameterization-cheats
       references:
         samm2:
           - D-SR-1-A

src/assets/YAML/default/Implementation/InfrastructureHardening.yaml

@@ -701,7 +701,7 @@ Implementation:
       description: |
         Begin with the WAF in a monitoring state to understand the traffic and threats. Progressively enforce blocking actions based on intelligence gathered, ensuring minimal disruption to legitimate traffic.
       dependsOn:
-        - Contextualized encoding
+        - Context-aware output encoding
       implementation: []
       references:
         samm2:

src/assets/YAML/default/implementations.yaml

@@ -41,6 +41,11 @@ implementations:
     name: CWE Top 25 Most Dangerous Software Weaknesses
     tags: ["documentation", "threat"]
     url: https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
+  cwe-838:
+    uuid: ae97c9b0-308c-4dab-bff9-bf3330a897dc
+    name: CWE-838 Inappropriate Encoding for Output Context
+    tags: ["documentation", "cwe"]
+    url: https://cwe.mitre.org/data/definitions/838.html
   docker-content-trust:
     uuid: ee81f93f-8230-4cfb-a132-ae4ec61cb8e6
     name: Docker Content Trust
@@ -161,9 +166,9 @@ implementations:
     name: Threagile
     tags: [threat-modeling]
     url: https://github.com/Threagile/threagile
-  don-t-forget-evil-u:
+  don-t-forget-evil-user-stories:
     uuid: bb5b8988-021b-452a-a914-bd36887b6860
-    name: "[Don't Forget EVIL U"
+    name: "Don't Forget EVIL User stories"
     tags: []
     url: https://www.owasp.org/index.php/Agile_Software_Development
     description:
@@ -430,6 +435,16 @@ implementations:
     name: OWASP Logging CheatSheet
     url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
     tags: [logging, documentation]
+  owasp-dom-xss-cheats:
+    uuid: 2d61e48f-bade-4332-a383-adc50c29673a
+    name: OWASP DOM based XSS Prevention CheatSheet
+    url: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html
+    tags: []
+  owasp-parameterization-cheats:
+    uuid: d880fa0f-9dbb-454e-a003-d844fad31ab4
+    name: OWASP Parameterization CheatSheet
+    url: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html
+    tags: []
   elk-stack:
     uuid: 38fe9d00-df8b-44b6-910d-ca0f02b5c5d3
     name: ELK-Stack