Merge pull request #51014 from v-thpra/azure-triage-fix-1058583

Technical Review 1058583: Guide to Secure .NET Development with OWASP Top 10

Author: JillGrant615

learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/1-introduction.yml

@@ -4,7 +4,7 @@ title: Introduction
 metadata:
   title: Introduction
   description: "Overview of OWASP Top 10 in 2021 for .NET Developers. What is OWASP Top 10?"
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit

learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/10-software-data-integrity-failures​.yml

@@ -4,7 +4,7 @@ title: Software and data integrity failures
 metadata:
   title: Software and data integrity failures
   description: "OWASP Top 10 for .NET Developers. Software and data integrity failures."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
@@ -20,13 +20,13 @@ quiz:
     choices:
     - content: "Static application security testing (SAST)."
       isCorrect: false
-      explanation: "Static analysis focuses on code prior to its deployment."
+      explanation: "Static analysis focuses on code before its deployment."
     - content: "Software Composition Analysis (SCA)."
       isCorrect: false
-      explanation: "Composition analysis focuses on code prior to its deployment."
+      explanation: "Composition analysis focuses on code before its deployment."
     - content: "Dynamic Application Security Testing (DAST)."
       isCorrect: true
       explanation: "Correct. Dynamic analysis can inspect and report on infrastructure configuration and expose its weak points."
     - content: "Chaos testing."
       isCorrect: false
-      explanation: "This is a helpful technique in reliability and disaster recovery testing, but not quite right for this situation."
+      explanation: "Chaos testing is a helpful technique in reliability and disaster recovery testing, but not the best choice for this situation."

learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/11-security-logging-monitoring​.yml

@@ -4,7 +4,7 @@ title: Security logging and monitoring
 metadata:
   title: Security logging and monitoring
   description: "OWASP Top 10 for .NET Developers. Security logging and monitoring."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
@@ -15,12 +15,12 @@ content: |
 quiz:
   title: Check your knowledge
   questions:  
-  - content: "Which of these statements would you consider secure logging best practices?"
+  - content: "Which of these statements would you consider to be secure logging best practices?"
     choices:
     - content: "Log all events occurring in the system and store the logs in an easily accessible public location."
       isCorrect: false
       explanation: "Overlogging can add noise when diagnosing issues. Logs should be protected and not exposed to the public."
-    - content: "Log user and password of all failed authentication attempts."
+    - content: "Log the user and password of all failed authentication attempts."
       isCorrect: false
       explanation: "Not quite. Failed authentication attempts should be logged and audited. Logging passwords is a security risk."    
     - content: "Sanitize logs from sensitive information and guard access to logged information."

learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/12-server-side-request-forgery.yml

@@ -4,7 +4,7 @@ title: Server-side request forgery
 metadata:
   title: Server-side request forgery
   description: "OWASP Top 10 for .NET Developers. Server-side request forgery."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
@@ -16,7 +16,7 @@ content: |
 quiz:
   title: Check your knowledge
   questions:   
-  - content: "Is performing input validation on the client side only considered to be best practice?"
+  - content: "Is it considered to be best practice to perform input validation on the client side only?"
     choices:
     - content: "Yes."
       isCorrect: false

learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/13-summary.yml

@@ -4,7 +4,7 @@ title: Summary
 metadata:
   title: Summary
   description: "OWASP Top 10 for .NET Developers. Summary of what OWASP Top 10 means to .NET developers."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit

learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/2-what-is-owasp-top-10.yml

@@ -4,7 +4,7 @@ title: What is OWASP Top 10?
 metadata:
   title: What is OWASP Top 10?
   description: "Overview of OWASP Top 10 in 2021 for .NET Developers. What is OWASP Top 10?"
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit

learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/3-broken-access-control.yml

@@ -4,7 +4,7 @@ title: Broken access control
 metadata:
   title: Broken access control
   description: "OWASP Top 10 for .NET Developers. Broken Access Control."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
@@ -21,16 +21,15 @@ quiz:
 
   - content: "The goal of the Open Web Application Security Project (OWASP) Top 10 report put together by security experts is to:"  
     choices:    
-    - content: "Create a standard for security benchmark of web applications."
+    - content: "Create a standard security benchmark for web applications."
       isCorrect: false
-      explanation: "Incorrect. OWASP Top 10 is often effort to be an 'awareness document' for educational purposes."
-    - content: "Improve awareness and promote recommended mitigation techniques to most critical security concerns for web app security."
+      explanation: "Incorrect. OWASP Top 10 is primarily an 'awareness document' for educational purposes."
+    - content: "Improve awareness and promote recommended mitigation techniques to the most critical security concerns for web app security."
       isCorrect: true
       explanation: "Correct."
     - content: "Be the only go-to report your organization would need to stay secured."
       isCorrect: false
       explanation: "Incorrect. There are many security reports beyond OWASP, with SANS CWE Top 25 being one of them."
-
   - content: "What is Broken Access Control?"  
     choices:
     - content: "A vulnerability that allows an attacker to access restricted information."

learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/4-cryptographic-failures.yml

@@ -4,7 +4,7 @@ title: Cryptographic failures
 metadata:
   title: Cryptographic failures
   description: "OWASP Top 10 for .NET Developers. Cryptographic failures."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
@@ -23,9 +23,7 @@ quiz:
       explanation: "Incorrect. Rely on industry-standard encryption and hashing implementations. Review the documentation to ensure you're using strong algorithms."
     - content: "No."
       isCorrect: true
-      explanation: "Correct. Rely on industry-standard encryption and hashing implementations. Review the documentation to ensure you're using strong algorithms."    
-
-
+      explanation: "Correct. Rely on industry-standard encryption and hashing implementations. Review the documentation to ensure you're using strong algorithms."  
   - content: "The process of converting data to a different format for storage, transmission, compression, or decompression best describes:"  
     choices:    
     - content: "Encryption."

learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/5-injection.yml

@@ -4,7 +4,7 @@ title: Injection
 metadata:
   title: Injection
   description: "OWASP Top 10 for .NET Developers. Injection."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
@@ -18,15 +18,15 @@ quiz:
   questions: 
   - content: "In modern day .NET, how can the code fragment `string sql='SELECT * FROM users WHERE name = '\" + username + \"'` be written more securely?"
     choices:
-    - content: "Using an object relational mapper (ORM)."
+    - content: "By using an object relational mapper (ORM)."
       isCorrect: false
-      explanation: "Entity Framework with LINQ is a powerful way of querying many relational database engines."
-    - content: "Using stored procedures."
+      explanation: "Using Entity Framework with Language Integrated Query (LINQ) is a powerful way of querying many relational database engines."
+    - content: "By using stored procedures."
       isCorrect: false
       explanation: "Stored procedures are the most effective way of countering the SQL Injection vulnerability."
-    - content: "Using parameterized queries."
+    - content: "By using parameterized queries."
       isCorrect: false
       explanation: "Use parameterized queries where a direct SQL query must be used."
-    - content: "You should use at least one or combinations of few techniques, including Entity Framework and input validation"
+    - content: "You should use at least one or a combination of a few techniques, including Entity Framework and input validation."
       isCorrect: true
       explanation: "With username validation as a minimum, you can use any of the methods."

learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/6-insecure-design.yml

@@ -4,7 +4,7 @@ title: Insecure design
 metadata:
   title: Insecure design
   description: "OWASP Top 10 for .NET Developers. Insecure design."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit