
Commit 121d06c

review-1
1 parent 4978153 commit 121d06c

13 files changed

+76
-74
lines changed

learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/3-broken-access-control.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -21,10 +21,10 @@ quiz:
2121

2222
- content: "The goal of the Open Web Application Security Project (OWASP) Top 10 report put together by security experts is to:"
2323
choices:
24-
- content: "Create a standard for security benchmark of web applications."
24+
- content: "Create a standard security benchmark for web applications."
2525
isCorrect: false
26-
explanation: "Incorrect. OWASP Top 10 is often effort to be an 'awareness document' for educational purposes."
27-
- content: "Improve awareness and promote recommended mitigation techniques to most critical security concerns for web app security."
26+
explanation: "Incorrect. OWASP Top 10 is primarily an 'awareness document' for educational purposes."
27+
- content: "Improve awareness and promote recommended mitigation techniques to the most critical security concerns for web app security."
2828
isCorrect: true
2929
explanation: "Correct."
3030
- content: "Be the only go-to report your organization would need to stay secured."
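Review bot: The explanation for the correct choice (context line `explanation: "Correct."`) gives the learner nothing to take away, while both incorrect choices get a reason; suggest stating why it is correct, for example `explanation: "Correct. The OWASP Top 10 is an awareness document that ranks the most critical web application risks and points to mitigations."` The rewording of the first choice and its explanation in this hunk reads well.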

learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/5-injection.yml

Lines changed: 5 additions & 5 deletions
@@ -18,15 +18,15 @@ quiz:
1818
questions:
1919
- content: "In modern day .NET, how can the code fragment `string sql='SELECT * FROM users WHERE name = '\" + username + \"'` be written more securely?"
2020
choices:
21-
- content: "Using an object relational mapper (ORM)."
21+
- content: "By using an object relational mapper (ORM)."
2222
isCorrect: false
23-
explanation: "Entity Framework with LINQ is a powerful way of querying many relational database engines."
24-
- content: "Using stored procedures."
23+
explanation: "Using Entity Framework with Language Integrated Query (LINQ) is a powerful way of querying many relational database engines."
24+
- content: "By using stored procedures."
2525
isCorrect: false
2626
explanation: "Stored procedures are the most effective way of countering the SQL Injection vulnerability."
27-
- content: "Using parameterized queries."
27+
- content: "By using parameterized queries."
2828
isCorrect: false
2929
explanation: "Use parameterized queries where a direct SQL query must be used."
30-
- content: "You should use at least one or combinations of few techniques, including Entity Framework and input validation"
30+
- content: "You should use at least one or a combination of a few techniques, including Entity Framework and input validation."
3131
isCorrect: true
3232
explanation: "With username validation as a minimum, you can use any of the methods."
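Review bot: The unchanged explanation `explanation: "Stored procedures are the most effective way of countering the SQL Injection vulnerability."` contradicts that choice being marked `isCorrect: false` and overstates the case, since a stored procedure that builds dynamic SQL from its arguments is just as injectable; suggest saying they help only when they use parameters internally. Separately, the fragment in the question, `string sql='SELECT * FROM users WHERE name = '\" + username + \"'`, opens the C# string literal with a single quote and would not compile; the intended C# is `string sql = "SELECT * FROM users WHERE name = '" + username + "'";` (escaped for YAML as needed).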

learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/8-vulnerable-outdated-components.yml

Lines changed: 4 additions & 4 deletions
@@ -18,12 +18,12 @@ quiz:
1818
questions:
1919
- content: "How should the DevOps team maintain and review a list of third-party components used in the system for security vulnerabilities?"
2020
choices:
21-
- content: "An Excel spreadsheet with Software Bill of Materials should be part of the design phase and any new green field project."
21+
- content: "An Excel spreadsheet with Software Bill of Materials (SBOM) should be part of the design phase and any new green field project."
2222
isCorrect: false
2323
explanation: "SBOM is recommended, but you can apply it at any stage of the project in a more automated fashion."
24-
- content: "Favor automated tools at any stage of the product lifecycle to track and monitor your dependencies."
24+
- content: "By favoring automated tools at any stage of the product lifecycle for tracking and monitoring dependencies."
2525
isCorrect: true
2626
explanation: "Correct. The maintenance effort required to keep a list of dependencies up to date combined with their vulnerability checks can quickly become unmanageable."
27-
- content: "There's no risk associated with third-party purchased and OSS components."
27+
- content: "There's no risk associated with third-party purchased and Operational support system (OSS) components."
2828
isCorrect: false
29-
explanation: "Even if your software makes the best effort in staying secure, an insecure or flow dependency may introduce security vulnerability in your system."
29+
explanation: "Even if your software makes the best effort in staying secure, an insecure or flow dependency might introduce security vulnerability in your system."
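Review bot: The expansion added on the line `There's no risk associated with third-party purchased and Operational support system (OSS) components.` is wrong for this context: OSS here means open-source software, the category of third-party component the question is about; suggest `open-source software (OSS)`. The explanation on the last line also keeps the typo `flow dependency` in both versions, which should read `flawed dependency`; the `may` to `might` change there is fine.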

learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/9-identification-authentication-failures​.yml

Lines changed: 1 addition & 1 deletion
@@ -20,7 +20,7 @@ quiz:
2020
- content: "Find the authors of the change with git blame and ask them to fix it when they have some spare time."
2121
isCorrect: false
2222
explanation: "Chances are that whoever checked in the commit might no longer be part of your team or even the same company."
23-
- content: "Change the password for the username referenced in connection string. Open a pull request with hardcoded connection string now being obtained from Azure KeyVault."
23+
- content: "Change the password for the username referenced in the connection string. Open a pull request with the hardcoded connection string now being obtained from Azure KeyVault."
2424
isCorrect: true
2525
explanation: "Secret rotation is a good practice. Azure KeyVault is the go-to service for storing secrets, certificates, and keys and in most secure fashion. Avoid blame games."
2626
- content: "The connection string is only referenced in Git and code. No one can access it because only the web app is available to the public, so nothing needs to be done."
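Review bot: The unchanged explanation `Azure KeyVault is the go-to service for storing secrets, certificates, and keys and in most secure fashion.` is ungrammatical and uses a nonstandard product name; the service is `Azure Key Vault` (two words), and the sentence should read `... for storing secrets, certificates, and keys in the most secure fashion.` Since this choice is marked correct, it would also help to say why rotation comes first: the old password remains in Git history, so moving the string to Key Vault without rotating it leaves the leaked value valid.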
Lines changed: 8 additions & 8 deletions
@@ -1,16 +1,16 @@
11

2-
This module explores OWASP TOP 10: 2021 edition. It covers the most common security weaknesses and how you as an app developer or architect can reduce the risk of security bugs infecting your systems. This module introduces techniques, tools, and best practices that can improve your product’s security posture.
2+
This module explores the OWASP TOP 10: 2021 edition. It covers the most common security weaknesses and how you as an app developer or architect can reduce the risk of security bugs infecting your systems. This module introduces techniques, tools, and best practices that can improve your product’s security posture.
33

44
### Threat landscape
55

6-
Implementing secure and high-quality software can be challenging. Malware, exploits, and many other cyber threats are on the rise. Attacks happen by exploiting vulnerabilities in an application. A vulnerability is just an unintended flaw or weakness in that application. How data is processed and stored and how services are configured are examples of where a vulnerability could be introduced.
6+
Implementing secure and high-quality software can be challenging. Cyber threats are on the rise, like malware, exploits, and many others. Attacks happen by exploiting vulnerabilities in an application. A vulnerability is just an unintended flaw or weakness in that application. How data is processed and stored and how services are configured are examples of where a vulnerability could be introduced.
77

88
![Diagram showing interconnected elements of modern system.](../media/appsec.png)
99

10-
News stories about a company being hacked or data being stolen and posted on dark web are now common. According to the 2021 Identity Theft Resource Center (ITRC) Annual Data Breach Report, the cost of a data breach increased by nearly 10% between 2020 and 2021. Data breaches are increasing and getting more costly.
10+
News stories about a company being hacked or data being stolen and posted on the dark web are now common. According to the 2021 Identity Theft Resource Center (ITRC) Annual Data Breach Report, the cost of a data breach increased by nearly 10% between 2020 and 2021. Data breaches are increasing and getting more costly.
1111

1212
> [!IMPORTANT]
13-
> NIST defines [Software Vulnerability](https://csrc.nist.gov/glossary/term/Software_Vulnerability) as security flaw, glitch, or weakness found in software code that could be exploited by an attacker (threat source).
13+
> The National Institute of Standards and Technology (NIST) defines [Software Vulnerability](https://csrc.nist.gov/glossary/term/Software_Vulnerability) as "a security flaw, glitch, or weakness found in software code that could be exploited by an attacker (threat source)."
1414
1515
### The world of application security
1616

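Review bot: The rewrite of the threat-landscape sentence to `Cyber threats are on the rise, like malware, exploits, and many others.` reads less naturally than the original `Malware, exploits, and many other cyber threats are on the rise.` and changes no meaning; suggest keeping the original ordering. The other edits in this hunk (added articles, quoting the NIST definition verbatim) are improvements.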
@@ -21,20 +21,20 @@ Application Security, often referred to as AppSec, is the process of finding, fi
2121
![Diagram showing world's biggest data breaches and hacks.](../media/worlds-breaches.png)
2222
[Image source](https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/)
2323

24-
AppSec logically falls under the wider context of **Information Security (InfoSec)**, term covering protection of information and systems from unauthorized access, use, disruption, or destruction. InfoSec also covers areas like as network security, intrusion detection, digital forensics, and governance, risk, and compliance, for example.
24+
AppSec logically falls under the wider context of **Information Security (InfoSec)**, a term covering the protection of information and systems from unauthorized access, use, disruption, or destruction. InfoSec also covers areas like network security, intrusion detection, digital forensics, and governance, risk, and compliance, for example.
2525

2626
**The Security Development Lifecycle (SDL)** consists of a set of practices that support security assurance and compliance requirements. The SDL helps developers build more secure software by reducing the number and severity of vulnerabilities in software.
2727

2828
**DevSecOps** is an evolution in the way development organizations approach security by introducing a security-first mindset culture and automating security into every phase of the software-development lifecycle from design to delivery.​
2929

3030
### Meet the team
3131

32-
Suppose you're joining a new IT company with an established team working on a legacy software. Your team's main focus is maintaining, supporting, and developing new features of a rich web application that customers all around the world use. The website and its underlying infrastructure have only recently been migrated to Microsoft Azure cloud.
32+
Suppose you're joining a new IT company with an established team working on a legacy software. Your team's main focus is maintaining, supporting, and developing new features of a rich web application that customers all around the world use. The website and its underlying infrastructure were only recently migrated to Microsoft Azure cloud.
3333

3434
The team you're part of has a mix of talent, including early-career and seasoned enterprise developers.
3535

36-
In the past, your team was slowed down by the manual-release process that proved to be unreliable, error-prone, and heavy on manual interaction. As part of its cloud migration, your team is looking to adopt modern CI/CD automation.
36+
In the past, a manual-release process slowed down your team and proved to be unreliable, error-prone, and heavy on manual interaction. As part of its cloud migration, your team is looking to adopt modern CI/CD automation.
3737

38-
The company hasn't fully grasped the concepts behind secure DevOps practices. With new personnel onboarded, the company is looking to spread security best practices not only within the team, but the company as a whole.
38+
The company has yet to fully grasp the concepts behind secure DevOps practices. With new personnel onboarded, the company is looking to spread security best practices not only within the team, but the company as a whole.
3939

4040
Your team lead asked you to conduct design and code reviews of a team-owned codebase, with extra attention paid to the solution's security aspects. You discovered the OWASP report, which you plan to use as a reference in your code review.
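Review bot: `working on a legacy software` survives in both versions of the line beginning `Suppose you're joining a new IT company`; `software` is a mass noun, so it should be `working on legacy software` or `on a legacy application`. The same line would also read better as `migrated to the Microsoft Azure cloud`.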

learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/includes/2-what-is-owasp-top-10.md

Lines changed: 2 additions & 3 deletions
@@ -1,5 +1,4 @@
1-
2-
As application complexity increases, so does the effort of making it secure. Modern applications (in contrast with single-project monolith legacy applications) have many dependencies, including external libraries, services for hosting, building, and releasing, to name a few. None of these services are simple "plug and play" affairs. Developers need to understand them and know how to configure and implement the flows and processes securely in their own code.
1+
As application complexity increases, so does the effort of making it secure. Modern applications, in contrast with single-project monolith legacy applications, have many dependencies. Including, external libraries, services for hosting, building, and releasing, to name a few. None of these services are simple "plug and play" affairs. Developers need to understand them and know how to configure and implement the flows and processes securely in their own code.
32

43
:::row:::
54
:::column span="2":::
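Review bot: The rewritten first paragraph introduces a sentence fragment, `Including, external libraries, services for hosting, building, and releasing, to name a few.`, where the original parenthetical construction was grammatical; suggest `... have many dependencies, including external libraries and services for hosting, building, and releasing, to name a few.`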
@@ -14,7 +13,7 @@ As application complexity increases, so does the effort of making it secure. Mod
1413
:::column-end:::
1514
:::row-end:::
1615

17-
Although security is everyone’s job, it's important to remember that not everyone needs to be a security expert nor strive to become a proficient penetration tester. However, ensuring everyone understands the attacker's perspective, their goals, and the art of the possible will help capture the attention of everyone and raise the collective knowledge bar.
16+
Although security is everyone’s job, it's important to remember that not everyone needs to be a security expert nor strive to become a proficient penetration tester. However, ensuring everyone understands the attacker's perspective, their goals, and the art of the possible, helps capture the attention of everyone and raise the collective knowledge bar.
1817

1918
### What is OWASP?
2019

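Review bot: The new comma in `the art of the possible, helps capture` separates the subject from its verb; drop it so the line reads `... the art of the possible helps capture the attention of everyone ...`. Changing `will help` to `helps` is fine.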
learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/includes/3-broken-access-control.md

Lines changed: 24 additions & 21 deletions
@@ -1,5 +1,5 @@
11

2-
Recall that you recently joined a team at an IT software company that's tasked you with conducting a design and code review of the team-owned codebases. As you onboard to your new team and explore the codebase, you discover an ASP.NET Blazor web project. With OWASP Top 10 in mind, you set off on a deep dive into the code with your security lenses on.
2+
Recall that you recently joined a team at an IT software company who tasked you with conducting a design and code review of the team-owned codebases. As you onboard to your new team and explore the codebase, you discover an ASP.NET Blazor web project. With OWASP Top 10 in mind, you set off on a deep dive into the code with your security lenses on.
33

44
You start at the top of the OWASP Top 10 list with *#1: Broken Access Control*. This category refers to incidents where a user who shouldn’t have permission to access that data viewed confidential information.
55

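Review bot: `an IT software company who tasked you` should use `that` for a company, and the original `that's tasked you` was already correct, so this change introduces an error rather than fixing one. The unchanged context sentence `This category refers to incidents where a user who shouldn’t have permission to access that data viewed confidential information.` refers to `that data` before introducing it; suggest `... where a user views confidential information they shouldn't have permission to access.`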
@@ -11,8 +11,8 @@ Let's consider a ASP.NET Core controller. A controller without any authorization
1111
:::row:::
1212
:::column:::
1313
Plain ASP.NET controller with no authorization attributes, no access restrictions applied.
14-
```csharp
1514

15+
```csharp
1616
public class AccountController : Controller
1717
{​
1818
public ActionResult Login()​
@@ -27,12 +27,12 @@ public class AccountController : Controller​
2727
{
2828
}
2929
}
30-
3130
```
3231

3332
:::column-end:::
3433
:::column:::
3534
Controller with authorization attributes, based on policy or role assignments. Authorized caller is able to invoke the `GetCitizenTaxId` method.
35+
3636
```csharp
3737
[Authorize(Policy="", Roles=""]​
3838
public class AccountController : Controller
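Review bot: The unchanged code line `[Authorize(Policy="", Roles=""]` is missing its closing parenthesis and will not compile; it should be `[Authorize(Policy = "", Roles = "")]`. Empty `Policy` and `Roles` values also only require an authenticated user rather than the policy- or role-based check the surrounding text describes, so illustrative values such as `Policy = "AdminsOnly"` or `Roles = "admin"` would match the prose. Since this hunk already touches the blank line above the fence, this is a good moment to fix it.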
@@ -56,23 +56,26 @@ public class AccountController : Controller​
5656
:::column-end:::
5757
:::row-end:::
5858

59-
Similarly, the ASP.NET Minimal API supports the attribute decoration (Lambda *HTTP get* method with `[Authorize]` attribute), policy (`AdminsOnly`) and claim (`admin`) authorization, as shown here:
59+
Similarly, the ASP.NET Minimal API supports the attribute decoration (Lambda *HTTP get* method with `[Authorize]` attribute), policy (`AdminsOnly`), and claim (`admin`) authorization, as shown here:
6060

61-
> ```csharp
62-
> var builder = WebApplication.CreateBuilder(args);​
63-
>// Policy and claim use below
64-
>builder.Services.AddAuthorization(o => o.AddPolicy("AdminsOnly", b => b.RequireClaim("admin", "true")));
65-
> var connectionString = builder.Configuration.GetConnectionString("DefaultConnection");​
66-
> builder.Services.AddDbContext<ApplicationDbContext>(options => options.UseSqlServer(connectionString)); ​
67-
> builder.Services.AddDefaultIdentity<IdentityUser>(options => options.SignIn.RequireConfirmedAccount = true).AddEntityFrameworkStores<ApplicationDbContext>(); ​
68-
> var app = builder.Build(); ​
69-
> app.UseAuthorization();​
70-
> // Attribute use below
71-
> app.MapGet("/auth", [Authorize] () => "This endpoint requires authorization.");​
72-
> app.MapGet("/", () => "This endpoint doesn't require authorization.");​
73-
> app.Run();
61+
```csharp
62+
var builder = WebApplication.CreateBuilder(args);​
63+
64+
// Policy and claim use below
65+
builder.Services.AddAuthorization(o => o.AddPolicy("AdminsOnly", b => b.RequireClaim("admin", "true")));
66+
var connectionString = builder.Configuration.GetConnectionString("DefaultConnection");​
67+
builder.Services.AddDbContext<ApplicationDbContext>(options => options.UseSqlServer(connectionString)); ​
68+
builder.Services.AddDefaultIdentity<IdentityUser>(options => options.SignIn.RequireConfirmedAccount = true).AddEntityFrameworkStores<ApplicationDbContext>(); ​
69+
var app = builder.Build(); ​
70+
app.UseAuthorization();​
71+
72+
// Attribute use below
73+
app.MapGet("/auth", [Authorize] () => "This endpoint requires authorization.");​
74+
app.MapGet("/", () => "This endpoint doesn't require authorization.");​
75+
app.Run();
76+
```
7477

75-
Your application's user interface should also reflect the user's authentication (the user is who they say they are) and authorization state (whether the user is allowed to access certain information). Here, too, the OWASP Top 10 framework has you covered. ASP.NET Blazor's razor syntax supports conditionally displayed components depending on authorization status. The `AutorizeView` component selectively displays UI content based on user's authorized status.
78+
Your application's user interface should also reflect the user's authentication (the user is who they say they are) and authorization state (whether the user is allowed to access certain information). Here, too, you're covered by the OWASP Top 10 framework. ASP.NET Blazor's razor syntax supports conditionally displayed components depending on authorization status. The `AutorizeView` component selectively displays UI content based on user's authorized status.
7679

7780
```csharp
7881
<AuthorizeView Roles="admin, superuser">
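Review bot: Moving the Minimal API sample out of the blockquote is right, but the component name in the rewritten prose line is still misspelled `AutorizeView` while the code below uses `<AuthorizeView ...>`; fix it in this pass. In the code block, the pipeline calls `app.UseAuthorization()` with no preceding `app.UseAuthentication()`, which the Identity setup registered by `AddDefaultIdentity` expects ahead of it in the standard template; consider adding it so the `[Authorize]` endpoint behaves as described. Several code lines (for example the `CreateBuilder(args);` and `app.UseAuthorization();` lines) also end in a stray zero-width character that breaks copy and paste; strip them.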
@@ -100,7 +103,7 @@ The `SecureMethod` is accessible once the user is authorized. Because the `Autor
100103

101104
### Code review notes
102105

103-
You and your team have considered the broken access control risk and implemented Claims-based and Policy-based authorization in your web app. Knowing the app gets deployed to Azure, other best practices include:
106+
You and your team considered the broken access control risk and implemented Claims-based and Policy-based authorization in your web app. Knowing the app gets deployed to Azure, other best practices include:
104107

105-
- Authorize users on all externally facing endpoints.
106-
- Use role-based and policy-based authorization in your application. ASP.NET has many ways to authorize a userbased on their role or claims.
108+
- Authorizing users on all externally facing endpoints.
109+
- Using role-based and policy-based authorization in your application. ASP.NET has many ways to authorize a userbased on their role or claims.
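Review bot: `userbased` on the last list item is missing a space in both the old and new line and should be `user based on their role or claims`; since the hunk rewrites that line anyway, fix it here. Switching the bullets to gerunds is consistent with the lead-in `other best practices include:`.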

learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/includes/4-cryptographic-failures.md

Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@ Your web applications deal with user accounts and data, but how do you securely
1515

1616
### Encryption
1717

18-
To securely encrypt a value like a string or integer, you can use symmetric or asymmetric encryption. To encrypt data with a symmetric-key algorithm, you can use the Advanced Encryption Standard (AES). In the next example, we create new instance of the `Aes` class and use it to generate a new key and initialization vector (IV).​ We use the AES to encrypt any type of managed stream. The stream is then wrapped with `CryptoStream`.
18+
To securely encrypt a value like a string or integer, you can use symmetric or asymmetric encryption. To encrypt data with a symmetric-key algorithm, you can use the Advanced Encryption Standard (AES). In the next example, we create a new instance of the `Aes` class and use it to generate a new key and initialization vector (IV).​ We use the AES to encrypt any type of managed stream. The stream is then wrapped with `CryptoStream`.
1919

2020
```csharp
2121
Aes aes = Aes.Create();​
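Review bot: `We use the AES to encrypt` in the rewritten line should drop the article: `We use AES to encrypt`. Because the paragraph says the sample generates a new key and IV, it would help the learner to add that the IV must be unique for every encryption under the same key and is stored or sent alongside the ciphertext, since reusing an IV undermines the confidentiality this section is about.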
