Merge pull request #111889 from craigcaseyMSFT/vcraic0416

fix broken links from OPS report

Author: ttorble

articles/media-services/previous/media-services-use-osmf-smooth-streaming-client-plugin.md

@@ -328,7 +328,7 @@ package
 The Smooth Streaming for OSMF dynamic plugin is compatible with [Strobe Media Playback (SMP)](http://osmf.org/strobe_mediaplayback.html). You can use the SS for OSMF plugin to add Smooth Streaming content playback to SMP. To do this, copy "MSAdaptiveStreamingPlugin-v1.0.3-osmf2.0.swf" under a web server for HTTP load using the following steps:
 
 1. Browse the [Strobe Media Playback setup page](http://osmf.org/dev/2.0gm/setup.html). 
-2. Set the src to a Smooth Streaming source, (e.g. http://devplatem.vo.msecnd.net/Sintel/Sintel_H264.ism/manifest) 
+2. Set the src to a Smooth Streaming source, (e.g. http:\//devplatem.vo.msecnd.net/Sintel/Sintel_H264.ism/manifest) 
 3. Make the desired configuration changes and click Preview and Update.
 
    **Note** Your content web server needs a valid crossdomain.xml. 

articles/remote-rendering/how-tos/tokens.md

@@ -19,7 +19,7 @@ This article describes how to create such access token.
 
 ## Token service REST API
 
-To create access tokens, the *Secure Token Service* provides a single REST API. The URL for the ARR STS service is [https://sts.mixedreality.azure.com](https://sts.mixedreality.azure.com).
+To create access tokens, the *Secure Token Service* provides a single REST API. The URL for the ARR STS service is https:\//sts.mixedreality.azure.com.
 
 ### 'Get token' request
 

articles/security/develop/secure-develop.md

@@ -49,35 +49,35 @@ common web application vulnerabilities. Untrusted data is a vehicle for
 injection attacks. Input for your application includes parameters in the
 URL, input from the user, data from the database or from an API, and
 anything that is passed in that a user could potentially manipulate. An
-application should [validate](https://www.owasp.org/index.php/OWASP_Proactive_Controls_2016#4:_Validate_All_Inputs) that data is syntactically and semantically valid before the application uses the data in any way (including displaying it back to the user).
+application should [validate](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs) that data is syntactically and semantically valid before the application uses the data in any way (including displaying it back to the user).
 
 Validate input early in the data flow to ensure that only properly
-formed data enters the workflow. You don’t want malformed data
+formed data enters the workflow. You don't want malformed data
 persisting in your database or triggering a malfunction in a downstream
 component.
 
 Blacklisting and whitelisting are two general approaches to performing
 input syntax validation:
 
   - Blacklisting attempts to check that a given user input doesn't
-    contain “known to be malicious” content.
+    contain "known to be malicious" content.
 
   - Whitelisting attempts to check that a given user input matches a set
-    of “known good” inputs. Character-based whitelisting is a form of
+    of "known good" inputs. Character-based whitelisting is a form of
     whitelisting where an application checks that user input contains
-    only “known good” characters or that input matches a known format.
+    only "known good" characters or that input matches a known format.
     For example, this might involve checking that a username contains
     only alphanumeric characters or that it contains exactly two
     numbers.
 
 Whitelisting is the preferred approach for building secure software.
-Blacklisting is prone to error because it’s impossible to think of a
+Blacklisting is prone to error because it's impossible to think of a
 complete list of potentially bad input.
 
 Do this work on the server, not on the client side (or on the server and
 on the client side).
 
-### Verify your application’s outputs
+### Verify your application's outputs
 
 Any output that you present either visually or within a document should
 always be encoded and escaped. [Escaping](https://www.owasp.org/index.php/Injection_Theory#Escaping_.28aka_Output_Encoding.29), also known as *output encoding*, is used to help ensure that untrusted data isn't a vehicle for an injection attack. Escaping, combined with data validation, provides layered defenses to increase security of the
@@ -114,7 +114,7 @@ See [removing standard server headers on Azure websites](https://azure.microsoft
 
 ### Segregate your production data
 
-Your production data, or “real” data, should not be used for
+Your production data, or "real" data, should not be used for
 development, testing, or any other purpose than what the business
 intended. A masked ([anonymized](https://en.wikipedia.org/wiki/Data_anonymization)) dataset should be used for all development and testing.
 
@@ -147,7 +147,7 @@ If your application allows [file uploads](https://www.owasp.org/index.php/Unrest
 
 Antimalware protection helps identify and remove viruses, spyware, and
 other malicious software. You can install [Microsoft Antimalware](../fundamentals/antimalware.md)
-or a Microsoft partner’s endpoint protection solution ([Trend Micro](https://www.trendmicro.com/azure/),
+or a Microsoft partner's endpoint protection solution ([Trend Micro](https://www.trendmicro.com/azure/),
 [Broadcom](https://www.broadcom.com/products),
 [McAfee](https://www.mcafee.com/us/products.aspx), [Windows Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10),
 and [Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-protection)).
@@ -167,7 +167,7 @@ like the Temporary Internet Files folder, in the case of Internet
 Explorer. When these pages are referred to again, the browser displays
 the pages from its cache. If sensitive information (address, credit card
 details, Social Security number, username) is displayed to the user, the
-information might be stored in the browser’s cache and be retrievable by
+information might be stored in the browser's cache and be retrievable by
 examining the browser's cache or by simply pressing the browser's
 **Back** button.
 
@@ -205,7 +205,7 @@ tools analyze source code or compiled versions of code when the code is
 not executing in order to find security flaws.
 
 Perform DAST, preferably with the assistance of a security professional
-(a [penetration tester](../fundamentals/pen-testing.md) or vulnerability assessor). If a security professional isn't available, you can perform DAST yourself with a web proxy scanner and some training. Plug in a DAST scanner early on to ensure that you don’t introduce obvious security issues into your code. See the [OWASP](https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools) site for a list of web application vulnerability scanners.
+(a [penetration tester](../fundamentals/pen-testing.md) or vulnerability assessor). If a security professional isn't available, you can perform DAST yourself with a web proxy scanner and some training. Plug in a DAST scanner early on to ensure that you don't introduce obvious security issues into your code. See the [OWASP](https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools) site for a list of web application vulnerability scanners.
 
 ### Perform fuzz testing
 

articles/security/develop/secure-web-app.md

@@ -801,7 +801,7 @@ After you add the Azure AD configuration and secrets to Key Vault, users can be
 In the app code, this is handled by the Azure Active Directory Authentication Library (ADAL).
 
 After the secrets are in Key Vault and the application has access to the secrets and the database, the application service can be reached through the gateway's
-application URL (https://GATEWAY_HASH.cloudapp.net), which you can get from its blade.
+application URL (https:\//GATEWAY_HASH.cloudapp.net), which you can get from its blade.
 
 If, when you sign in to Azure AD, you get an error that says "User is not registered in the directory you're trying to log into," you need to add the user. To add the user, go to the **Users** tab of Azure AD and add the user manually by entering their details or invite the user by entering their email address as a guest user to Azure AD in the **Invite Guest** blade.
 
@@ -976,7 +976,7 @@ After you fix some of the code errors found by the linting tools, you have more
 
 ### Find and fix vulnerabilities in app dependencies
 
-To find and fix application dependencies, you can use [OWASP's Dependency Check](https://www.owasp.org/index.php/OWASP_Dependency_Check).
+To find and fix application dependencies, you can use [OWASP's Dependency Check](https://owasp.org/www-project-dependency-check/).
 
 Safety is a similar application that checks dependencies. You can find it on [GitHub](https://github.com/pyupio/safety). Safety scans for vulnerabilities found in well-known vulnerability databases.
 

articles/security/develop/threat-modeling-tool-communication-security.md

@@ -144,7 +144,7 @@ This rule works by returning an HTTP status code of 301 (permanent redirect) whe
 | **SDL Phase**               | Build |  
 | **Applicable Technologies** | Generic |
 | **Attributes**              | N/A  |
-| **References**              | [OWASP HTTP Strict Transport Security Cheat Sheet](https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet) |
+| **References**              | [OWASP HTTP Strict Transport Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html) |
 | **Steps** | <p>HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.</p><p>To implement HSTS, the following response header has to be configured for a website globally, either in code or in config. Strict-Transport-Security: max-age=300; includeSubDomains HSTS addresses the following threats:</p><ul><li>User bookmarks or manually types `https://example.com` and is subject to a man-in-the-middle attacker: HSTS automatically redirects HTTP requests to HTTPS for the target domain</li><li>Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP: HSTS automatically redirects HTTP requests to HTTPS for the target domain</li><li>A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate: HSTS does not allow a user to override the invalid certificate message</li></ul>|
 
 ## <a id="sqlserver-validation"></a>Ensure SQL server connection encryption and certificate validation
@@ -156,7 +156,7 @@ This rule works by returning an HTTP status code of 301 (permanent redirect) whe
 | **Applicable Technologies** | SQL Azure  |
 | **Attributes**              | SQL Version - V12 |
 | **References**              | [Best Practices on Writing Secure Connection Strings for SQL Database](https://social.technet.microsoft.com/wiki/contents/articles/2951.windows-azure-sql-database-connection-security.aspx#best) |
-| **Steps** | <p>All communications between SQL Database and a client application are encrypted using Secure Sockets Layer (SSL) at all times. SQL Database doesn’t support unencrypted connections. To validate certificates with application code or tools, explicitly request an encrypted connection and do not trust the server certificates. If your application code or tools do not request an encrypted connection, they will still receive encrypted connections</p><p>However, they may not validate the server certificates and thus will be susceptible to "man in the middle" attacks. To validate certificates with ADO.NET application code, set `Encrypt=True` and `TrustServerCertificate=False` in the database connection string. To validate certificates via SQL Server Management Studio, open the Connect to Server dialog box. Click Encrypt connection on the Connection Properties tab</p>|
+| **Steps** | <p>All communications between SQL Database and a client application are encrypted using Secure Sockets Layer (SSL) at all times. SQL Database doesn't support unencrypted connections. To validate certificates with application code or tools, explicitly request an encrypted connection and do not trust the server certificates. If your application code or tools do not request an encrypted connection, they will still receive encrypted connections</p><p>However, they may not validate the server certificates and thus will be susceptible to "man in the middle" attacks. To validate certificates with ADO.NET application code, set `Encrypt=True` and `TrustServerCertificate=False` in the database connection string. To validate certificates via SQL Server Management Studio, open the Connect to Server dialog box. Click Encrypt connection on the Connection Properties tab</p>|
 
 ## <a id="encrypted-sqlserver"></a>Force Encrypted communication to SQL server
 
@@ -210,7 +210,7 @@ This rule works by returning an HTTP status code of 301 (permanent redirect) whe
 | **SDL Phase**               | Build |  
 | **Applicable Technologies** | Generic, Windows Phone |
 | **Attributes**              | N/A  |
-| **References**              | [Certificate and Public Key Pinning](https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#.Net) |
+| **References**              | [Certificate and Public Key Pinning](https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning) |
 | **Steps** | <p>Certificate pinning defends against Man-In-The-Middle (MITM) attacks. Pinning is the process of associating a host with their expected X509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host. </p><p>Thus, when an adversary attempts to do SSL MITM attack, during SSL handshake the key from attacker's server will be different from the pinned certificate's key, and the request will be discarded, thus preventing MITM Certificate pinning can be achieved by implementing ServicePointManager's `ServerCertificateValidationCallback` delegate.</p>|
 
 ### Example