Cybersecurity Awareness Month (#45)

docs/index.md

@@ -8,9 +8,9 @@ We welcome feedback and suggestions, especially to public drafts: please open an
 
 # Documents
 
-* [Secure Coding and Deployment Hardening Guidelines](secure_coding_and_deployment_hardening) (draft)
-* [Web Application Security Best Practices for BEAM languages](web_app_security_best_practices_beam) (draft)
-* [Security Vulnerability Disclosure](security_vulnerability_disclosure) (draft)
+* [Secure Coding and Deployment Hardening Guidelines](secure_coding_and_deployment_hardening)
+* [Web Application Security Best Practices for BEAM languages](web_app_security_best_practices_beam)
+* [Security Vulnerability Disclosure](security_vulnerability_disclosure)
 
 # Specifications
 

docs/web_app_security_best_practices_beam/common_web_application_vulnerabilities.md

@@ -91,6 +91,8 @@ XSS payload executes in the victim web browser.
 **Further Reading:**
 
 - [Cross Site Scripting (XSS) Patterns in Phoenix][paraxial:xss_phoenix]
+- [OWASP Top Ten: Injection][owasp:top_10_injection]
+- [OWASP Cheat Sheet: Cross Site Scripting Prevention][owasp:cheat_sheet_xss]
 
 ### Content Security Policy
 
@@ -100,7 +102,7 @@ If someone is unfamiliar with web security and is using the Phoenix Elixir web f
 
 Using Content Security Policy in the Phoenix Elixir web framework is a crucial security feature that helps protect web applications from various types of attacks. By restricting the sources of content that the application can load or execute, developers can reduce the risk of security vulnerabilities and ensure the safety of their users.
 
-To learn more about Content Security Policy, see: [https://content-security-policy.com/](https://content-security-policy.com/)
+To learn more about Content Security Policy, see: [https://content-security-policy.com/](https://content-security-policy.com/) and the [OWASP Cheat Sheet: Content Security Policy][owasp:cheat_sheet_csp]
 
 To help create policies, see: [https://report-uri.com/home/generate](https://report-uri.com/home/generate)
 
@@ -222,6 +224,7 @@ In this instance, it may be possible to trigger the POST functionality with a
 
 - [Elixir/Phoenix Security: What is CSRF via Action Reuse?][paraxial:action_reuse_csrf]
 - [Elixir/Phoenix Security: Introduction to Cross Site Request Forgery (CSRF)][paraxial:csrf_intro]
+- [OWASP Cheat Sheet: Server-Side Request Forgery Prevention][owasp:cheat_sheet_xsrf]
 
 ## Cross-Site WebSocket Hijacking (CSWSH)
 
@@ -297,6 +300,7 @@ Preventing SQL Injection in Elixir/Phoenix/Ecto applications
 **Further Reading:**
 
 - [Detecting SQL Injection in Phoenix with Sobelow][paraxial:sql_injection]
+- [OWASP Cheat Sheet: SQL Injection Prevention][owasp:cheat_sheet_sqli]
 
 ## Denial of Service (DoS)
 
@@ -410,6 +414,11 @@ def handle_event("delete", %{"id" => id}, socket) do
 end
 ```
 
+**Further Reading:**
+
+- [OWASP Top Ten: Broken Access Control][owasp:top_10_access_control]
+
+
 [csp_nonces]: https://content-security-policy.com/nonce/
 [elixirforum:ecto_sql_injection]: https://elixirforum.com/t/ecto-adapters-sql-query-for-sql-query-leads-to-sql-injection-attack/34678/2
 [gh:sobelow]: https://github.com/nccgroup/sobelow
@@ -434,3 +443,9 @@ end
 [paraxial:sql_injection]: https://paraxial.io/blog/sql-injection
 [paraxial:xss_phoenix]: https://paraxial.io/blog/xss-phoenix
 [sobelow_conf]: https://www.youtube.com/watch?v=w3lKmFsmlvQ
+[owasp:top_10_injection]: https://owasp.org/Top10/A03_2021-Injection/
+[owasp:cheat_sheet_xss]: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+[owasp:cheat_sheet_csp]: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
+[owasp:cheat_sheet_xsrf]: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
+[owasp:cheat_sheet_sqli]: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+[owasp:top_10_access_control]: https://owasp.org/Top10/A01_2021-Broken_Access_Control/

docs/web_app_security_best_practices_beam/supply_chain_vulnerabilities.md

@@ -107,7 +107,7 @@ SBoMs in these formats for many languages, including [Elixir][hex:sbom] and
 [Erlang][hex:rebar3_sbom].
 
 Once produced, the SBoM can be ingested into a variety of tools, such as
-[OWASP Dependency-Track][owasp_dependency_track]. Ideally, SBoM generation and
+[Dependency-Track][dependency_track]. Ideally, SBoM generation and
 ingestion happens automatically as part of the project’s CI/CD pipeline.
 
 [github:mix_audit]: https://github.com/mirego/mix_audit
@@ -119,4 +119,4 @@ ingestion happens automatically as part of the project’s CI/CD pipeline.
 [mend_renovate]: https://www.mend.io/free-developer-tools/renovate/
 [hex:sbom]: https://hex.pm/packages/sbom
 [hex:rebar3_sbom]: https://hex.pm/packages/rebar3_sbom
-[owasp_dependency_track]: https://dependencytrack.org
+[dependency_track]: https://dependencytrack.org

docs/web_app_security_best_practices_beam/tls_vulnerabilities.md

@@ -103,10 +103,15 @@ HTTPS, blocking downgrade attacks with a plain HTTP URL. `Plug.SSL` and the
 Phoenix `force_ssl` Endpoint configuration take an hsts option that defaults to
 `true`.
 
+**Further Reading:**
+
+- [OWASP Cheat Sheet: Transport Layer Security][owasp:cheat_sheet_tls]
+
 [hexdoc:plug.ssl_configure]: https://hexdocs.pm/plug/Plug.SSL.html#configure/1
 [hex:finch]: https://hex.pm/packages/finch
 [hex:mint]: https://hex.pm/packages/mint
 [mozilla_ssl_confi_gen]: https://ssl-config.mozilla.org
 [mozilla_tls_recommendations]: https://wiki.mozilla.org/Security/Server_Side_TLS
 [ssl_labs]: https://www.ssllabs.com/ssltest/
 [strict_transport_security_header]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+[owasp:cheat_sheet_tls]: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html