review-2

v-thpra · v-thpra · commit 85a7104fb77f · 2025-06-18T15:04:41.000-07:00
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/1-introduction.yml b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/1-introduction.yml
@@ -4,7 +4,7 @@ title: Introduction
 metadata:
   title: Introduction
   description: "Overview of OWASP Top 10 in 2021 for .NET Developers. What is OWASP Top 10?"
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/10-software-data-integrity-failures​.yml b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/10-software-data-integrity-failures​.yml
@@ -4,7 +4,7 @@ title: Software and data integrity failures
 metadata:
   title: Software and data integrity failures
   description: "OWASP Top 10 for .NET Developers. Software and data integrity failures."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
@@ -20,13 +20,13 @@ quiz:
     choices:
     - content: "Static application security testing (SAST)."
       isCorrect: false
-      explanation: "Static analysis focuses on code prior to its deployment."
+      explanation: "Static analysis focuses on code before its deployment."
     - content: "Software Composition Analysis (SCA)."
       isCorrect: false
-      explanation: "Composition analysis focuses on code prior to its deployment."
+      explanation: "Composition analysis focuses on code before its deployment."
     - content: "Dynamic Application Security Testing (DAST)."
       isCorrect: true
       explanation: "Correct. Dynamic analysis can inspect and report on infrastructure configuration and expose its weak points."
     - content: "Chaos testing."
       isCorrect: false
-      explanation: "This is a helpful technique in reliability and disaster recovery testing, but not quite right for this situation."
+      explanation: "Chaos testing is a helpful technique in reliability and disaster recovery testing, but not the best choice for this situation."
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/11-security-logging-monitoring​.yml b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/11-security-logging-monitoring​.yml
@@ -4,7 +4,7 @@ title: Security logging and monitoring
 metadata:
   title: Security logging and monitoring
   description: "OWASP Top 10 for .NET Developers. Security logging and monitoring."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
@@ -15,12 +15,12 @@ content: |
 quiz:
   title: Check your knowledge
   questions:  
-  - content: "Which of these statements would you consider secure logging best practices?"
+  - content: "Which of these statements would you consider to be secure logging best practices?"
     choices:
     - content: "Log all events occurring in the system and store the logs in an easily accessible public location."
       isCorrect: false
       explanation: "Overlogging can add noise when diagnosing issues. Logs should be protected and not exposed to the public."
-    - content: "Log user and password of all failed authentication attempts."
+    - content: "Log the user and password of all failed authentication attempts."
       isCorrect: false
       explanation: "Not quite. Failed authentication attempts should be logged and audited. Logging passwords is a security risk."    
     - content: "Sanitize logs from sensitive information and guard access to logged information."
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/12-server-side-request-forgery.yml b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/12-server-side-request-forgery.yml
@@ -4,7 +4,7 @@ title: Server-side request forgery
 metadata:
   title: Server-side request forgery
   description: "OWASP Top 10 for .NET Developers. Server-side request forgery."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
@@ -16,7 +16,7 @@ content: |
 quiz:
   title: Check your knowledge
   questions:   
-  - content: "Is performing input validation on the client side only considered to be best practice?"
+  - content: "Is it considered to be best practice to perform input validation on the client side only?"
     choices:
     - content: "Yes."
       isCorrect: false
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/13-summary.yml b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/13-summary.yml
@@ -4,7 +4,7 @@ title: Summary
 metadata:
   title: Summary
   description: "OWASP Top 10 for .NET Developers. Summary of what OWASP Top 10 means to .NET developers."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/2-what-is-owasp-top-10.yml b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/2-what-is-owasp-top-10.yml
@@ -4,7 +4,7 @@ title: What is OWASP Top 10?
 metadata:
   title: What is OWASP Top 10?
   description: "Overview of OWASP Top 10 in 2021 for .NET Developers. What is OWASP Top 10?"
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/3-broken-access-control.yml b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/3-broken-access-control.yml
@@ -4,7 +4,7 @@ title: Broken access control
 metadata:
   title: Broken access control
   description: "OWASP Top 10 for .NET Developers. Broken Access Control."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
@@ -30,7 +30,6 @@ quiz:
     - content: "Be the only go-to report your organization would need to stay secured."
       isCorrect: false
       explanation: "Incorrect. There are many security reports beyond OWASP, with SANS CWE Top 25 being one of them."
-
   - content: "What is Broken Access Control?"  
     choices:
     - content: "A vulnerability that allows an attacker to access restricted information."
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/4-cryptographic-failures.yml b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/4-cryptographic-failures.yml
@@ -4,7 +4,7 @@ title: Cryptographic failures
 metadata:
   title: Cryptographic failures
   description: "OWASP Top 10 for .NET Developers. Cryptographic failures."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
@@ -23,9 +23,7 @@ quiz:
       explanation: "Incorrect. Rely on industry-standard encryption and hashing implementations. Review the documentation to ensure you're using strong algorithms."
     - content: "No."
       isCorrect: true
-      explanation: "Correct. Rely on industry-standard encryption and hashing implementations. Review the documentation to ensure you're using strong algorithms."    
-
-
+      explanation: "Correct. Rely on industry-standard encryption and hashing implementations. Review the documentation to ensure you're using strong algorithms."  
   - content: "The process of converting data to a different format for storage, transmission, compression, or decompression best describes:"  
     choices:    
     - content: "Encryption."
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/5-injection.yml b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/5-injection.yml
@@ -4,7 +4,7 @@ title: Injection
 metadata:
   title: Injection
   description: "OWASP Top 10 for .NET Developers. Injection."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/6-insecure-design.yml b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/6-insecure-design.yml
@@ -4,7 +4,7 @@ title: Insecure design
 metadata:
   title: Insecure design
   description: "OWASP Top 10 for .NET Developers. Insecure design."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/7-security-misconfiguration.yml b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/7-security-misconfiguration.yml
@@ -4,7 +4,7 @@ title: Security misconfiguration
 metadata:
   title: Security misconfiguration
   description: "OWASP Top 10 for .NET Developers. Security misconfiguration."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/8-vulnerable-outdated-components.yml b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/8-vulnerable-outdated-components.yml
@@ -4,7 +4,7 @@ title: Vulnerable and outdated components
 metadata:
   title: Vulnerable and outdated components
   description: "OWASP Top 10 for .NET Developers. Vulnerable and outdated components."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/9-identification-authentication-failures​.yml b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/9-identification-authentication-failures​.yml
@@ -4,7 +4,7 @@ title: Identification and authentication failures
 metadata:
   title: Identification and authentication failures
   description: "OWASP Top 10 for .NET Developers. Identification and authentication failures."
-  ms.date: 05/31/2024
+  ms.date: 06/18/2025
   author: obrocki
   ms.author: dawidobrocki
   ms.topic: unit
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/includes/10-software-data-integrity-failures.md b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/includes/10-software-data-integrity-failures.md
@@ -2,13 +2,13 @@ With the increasing complexity of developed applications, you should avoid makin
 Chances are your application relies upon plugins, libraries, or modules from untrusted sources or repositories.
 
 > [!TIP]
-> SBOM, which stands for **Software Bill of Materials**, is a software security and software supply chain risk-management record that helps identify a piece of software's individual dependencies and components.
+> **Software Bill of Materials** (SBOM), is a software security and software supply chain risk-management record that helps identify a piece of software's individual dependencies and components.
 
 Software and data integrity failures can be connected to code and infrastructure that doesn't protect against integrity violations. An application that relies upon plugins, libraries, or modules from untrusted sources or repositories can be at risk. An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. Attackers could potentially upload their own updates to be distributed and run on all installations. Objects or data encoded into a modifiable structure are vulnerable to insecure deserialization, as well.
 
-Perhaps you recall the high-profile SolarWinds cyberattack by nation-state from 2020. The attackers managed to hide added malicious code among genuine product codebase.
+Perhaps you recall the high-profile SolarWinds cyberattack by a nation-state from 2020. The attackers managed to hide added malicious code among a genuine product codebase.
 :::image type="content" source="../media/solarwind.png" lightbox="../media/solarwind.png" alt-text="Screenshot of SolarWind Orion platform source code.":::
-Carefully planted backdoor that will host malicious code ([image source](https://www.reversinglabs.com/blog/sunburst-the-next-level-of-stealth)).
+They carefully planted a backdoor for hosting malicious code ([image source](https://www.reversinglabs.com/blog/sunburst-the-next-level-of-stealth)).
 
 Naming the class containing malicious code `OrionImprovementBusinessLayer` was deliberate, not only to blend in with the rest of the code, but also to fool the software developers or anyone auditing the binaries. That class and many of the methods it uses can be found in other Orion software libraries, even thematically fitting with the code found within those libraries.
 
@@ -32,4 +32,4 @@ As you and your team adopt secure CI/CD practices, you want to make sure that:
 
 - Your application only depends on properly vetted and verified dependencies, components, and repositories.
 - You take advantage of CI/CI automation workflows (for example, [GitHub Dependabot Alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#detection-of-insecure-dependencies)) to validate your supply-chain security review dependency graph.
-- Code reviews focus on security aspects of the codebase.
+- Your code reviews focus on the security aspects of the codebase.
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/includes/11-security-logging-monitoring.md b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/includes/11-security-logging-monitoring.md
@@ -1,12 +1,12 @@
-How do you detect you've been breached? How can you determine what steps the attacker took to penetrate your system?
+How do you detect if you're breached? How can you determine what steps the attacker took to penetrate your system?
 
-Without sufficient logging and monitoring, you can't detect breaches. Logging and monitoring give us an opportunity to stop an attacker in their tracks. Telemetry, logging, and monitoring enables digital forensics and post-mortem after a breach. Logging and monitoring are essential components in ensuring that you can detect any suspicious activity in close to real time, or diagnosed after the fact.
+Without sufficient logging and monitoring, you can't detect breaches. Logging and monitoring give you an opportunity to stop an attacker in their tracks. Telemetry, logging, and monitoring enables digital forensics and post-mortem after a breach. Logging and monitoring are essential components in ensuring that you can detect any suspicious activity in close to real time, or diagnosed after the fact.
 
 More importantly, collecting this data is useless without actively reviewing it or having alerting rules in place.
 
 Make sure to sanitize the data to prevent from over-logging or storing sensitive information as logs.
 
-Establish effective monitoring and alerting mechanisms. Ensure login and access-control failures are logged with sufficient user context to identify suspicious or malicious accounts. Take advantage of different logging levels (Info, Warning, Error, and so on) and log destinations. Avoid server-side error details from ever reaching client side, which can result in leaking your system's implementation details.
+Establish effective monitoring and alerting mechanisms. Ensure that sign in and access-control failures are logged with sufficient user context for identifying suspicious or malicious accounts. Take advantage of different logging levels (Info, Warning, Error, and so on) and log destinations. Avoid server-side error details from ever reaching client side, which can result in leaking your system's implementation details.
 
 > [!IMPORTANT]
 > Don't leave access to your logs unprotected.
@@ -15,19 +15,19 @@ Logging and monitoring allow teams to stop an attack before more damage can be d
 
 Make sure you have answers to the following questions:
 
-* Is any logging configured, and what can be logged?
-* Who has viewed or downloaded a specific file?
-* Have any incorrect authentication attempts occurred?
-* Who has logged in recently?
-* Have authentication events happened at unexpected times or for unexpected locations (Microsoft Entra Conditional Access)?
+- Is any logging configured, and what can be logged?
+- Who viewed or downloaded a specific file?
+- Have any incorrect authentication attempts occurred?
+- Who logged in recently?
+- Have authentication events happened at unexpected times or for unexpected locations (Microsoft Entra Conditional Access)?
 
-.NET comes with a LoggerFactory, which is in Microsoft.Extensions.Logging.
+.NET comes with a LoggerFactory, which is in `Microsoft.Extensions.Logging`.
 
 ### Code review notes
 
 In our scenario, your new DevOps team can prevent security logging and monitoring failures in their .NET applications by:
 
-* Using a centralized logging framework (such as NLog) or service (such as Application Insights). ASP.NET Core provides native logging capabilities through [ILogger](/dotnet/api/microsoft.extensions.logging.ilogger) or [LoggerFactory](/dotnet/api/microsoft.extensions.logging.loggerfactory) that you can easily add to your solutions.
-* Log all relevant security events such as authentication failures, authorization failures, and input validation failures.
-* Monitor logs for anomalies and alerts using automation.
-* Perform dynamic application security testing (for example, with OWASP ZAP Scan, GitHub Actions, or Azure DevOps Pipeline tasks).
+- Using a centralized logging framework (such as NLog) or service (such as Application Insights). ASP.NET Core provides native logging capabilities through [ILogger](/dotnet/api/microsoft.extensions.logging.ilogger) or [LoggerFactory](/dotnet/api/microsoft.extensions.logging.loggerfactory) that you can easily add to your solutions.
+- Log all relevant security events such as authentication failures, authorization failures, and input validation failures.
+- Monitor logs for anomalies and alerts using automation.
+- Perform dynamic application security testing (for example, with OWASP ZAP Scan, GitHub Actions, or Azure DevOps Pipeline tasks).
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/includes/12-server-side-request-forgery.md b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/includes/12-server-side-request-forgery.md
@@ -1,8 +1,8 @@
-Server-side forgery (SSRF) describes situations when a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination.
+Server-side request forgery (SSRF) describes situations where a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination.
 
-Attackers might also use this functionality to import untrusted data into code that expects to only read data from trusted sources, and as such circumvent input validation.
+Attackers might also use this functionality to import untrusted data into code that expects to only read data from trusted sources, allowing them to circumvent input validation.
 
-A URL or query string seen in web browser's address bar, when used as input parameter, could be a perfect example of user input needing sanitization.
+A URL or query string seen in a web browser's address bar, when used as an input parameter, could be a perfect example of user input needing sanitization.
 
 During code review, you came across a seemingly harmless REST web GET request:
 
@@ -14,7 +14,7 @@ HttpResponseMessage response = await client.GetAsync(url);
 
 Without validating the supplied URL, an attacker can hijack the network connection and control the request schema by supplying **ldap://**, **jar://** or **file://** instead of **https://**. Furthermore, the POST method allows an attacker to force the application to send a crafted request to an unexpected destination.
 
-In certain situations, with carefully formulated URL, an attacker might be able to:
+In certain situations, with carefully a formulated URL, an attacker might be able to:
 
 - Read server configurations such as metadata.
 - Connect to internal services like http-enabled databases.
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/includes/13-summary.md b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/includes/13-summary.md
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/includes/2-what-is-owasp-top-10.md b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/includes/2-what-is-owasp-top-10.md
diff --git a/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/index.yml b/learn-pr/aspnetcore/owasp-top-10-for-dotnet-developers/index.yml
