Add table of contents (TOC)

Some people want to quickly see a basic outline of the material,
let's make that easy.

Signed-off-by: David A. Wheeler <[email protected]>

Author: david-a-wheeler

README.md

@@ -28,6 +28,8 @@ project. Changes that are accepted into the Markdown must go through a series of
 
 Changes to the markdown must have no errors reported by `markdownlint` using our configuration. This is checked when a pull request is made. You can do this check locally by installing markdownlint (e.g., `brew install markdownlint-cli` or `npm install -g markdownlint-cli`) and running `make`.
 
+You can see a generated [table of contents](toc.md) - rerun `make` to regenerate it. This generated file is included in the repository itself for convenience of those new to the document.
+
 This content was originally converted from Google docs format using
 [gdocs2md](http://github.com/mangini/gdocs2md),
 patched to skip inline drawings.

toc.md

@@ -0,0 +1,144 @@
+Part I: Requirements, Design, and Reuse
+# Course Introduction
+## Introduction
+## A Note from the Author
+## Motivation
+### Motivation: Why Is It Important to Secure Software?
+### Motivation: Why Take This course?
+# Security Basics
+## What Do We Need?
+### What Does “Security” Mean?
+### Security Requirements
+### What Is Privacy and Why It Is Important
+### Privacy Requirements
+## How Can We Get There?
+### Risk Management
+### Development Processes / Defense-in-Breadth
+### Protect, Detect, Respond
+### Vulnerabilities
+# Design
+## Secure Design Basics
+### What Are Security Design Principles?
+### Widely-Recommended Secure Design Principles
+### Least Privilege
+### Complete Mediation (Non-Bypassability)
+### The Rest of the Saltzer & Schroeder Design Principles
+### Other Design Principles
+# Reusing External Software
+## Supply Chain
+### Basics of Reusing Software
+### Selecting (Evaluating) Open Source Software
+### Downloading and Installing Reusable Software
+### Updating Reused Software
+Part II: Implementation
+# Basics of Implementation
+### Implementation Overview
+# Input Validation
+## Input Validation Basics
+### Input Validation Basics Introduction
+### How Do You Validate Input?
+## Input Validation: Numbers and Text
+### Input Validation: A Few Simple Data Types
+### Sidequest: Text, Unicode, and Locales
+### Validating Text
+### Introduction to Regular Expressions
+### Using Regular Expressions for Text Input Validation
+### Countering ReDoS Attacks on Regular Expressions
+## Input Validation: Beyond Numbers and Text
+### Insecure Deserialization
+### Input Data Structures (XML, HTML, CSV, JSON, & File Uploads)
+### Minimizing Attack Surface, Identification, Authentication, and Authorization
+### Search Paths and Environment Variables (including setuid/setgid Programs)
+### Special Inputs: Secure Defaults and Secure Startup
+## Consider Availability on All Inputs
+### Consider Availability on All Inputs Introduction
+# Processing Data Securely
+## Processing Data Securely: General Issues
+### Prefer Trusted Data. Treat Untrusted Data as Dangerous
+### Avoid Default & Hardcoded Credentials
+### Avoid Incorrect Conversion or Cast
+## Processing Data Securely: Undefined Behavior / Memory Safety
+### Countering Out-of-Bounds Reads and Writes (Buffer Overflow)
+### Double-free, Use-after-free, and Missing Release
+### Avoid Undefined Behavior
+## Processing Data Securely: Calculate Correctly
+### Avoid Integer Overflow, Wraparound, and Underflow
+# Calling Other Programs
+## Introduction to Securely Calling Programs
+### Introduction to Securely Calling Programs - The Basics
+## Calling Other Programs: Injection and Filenames
+### SQL Injection
+### OS Command (Shell) injection
+### Other Injection Attacks
+### Filenames (Including Path Traversal and Link Following)
+## Calling Other Programs: Other Issues
+### Call APIs for Programs and Check What Is Returned
+### Handling Errors
+### Logging
+### Debug and Assertion Code
+### Countering Denial-of-Service (DoS) Attacks
+# Sending Output
+### Introduction to Sending Output
+### Countering Cross-Site Scripting (XSS)
+### Content Security Policy (CSP)
+### Other HTTP Hardening Headers
+### Cookies & Login Sessions
+### CSRF / XSRF
+### Open Redirects and Forwards
+### HTML **target** and JavaScript **window.open()**
+### Using Inadequately Checked URLs / Server-Side Request Forgery (SSRF)
+### Same-Origin Policy and Cross-Origin Resource Sharing (CORS)
+### Format Strings and Templates
+### Minimize Feedback / Information Exposure
+### Side-Channel Attacks
+Part III: Verification and More Specialized Topics
+# Verification
+## Basics of Verification
+### Verification Overview
+## Static Analysis
+### Static Analysis Overview
+### Software Composition Analysis (SCA)/Dependency Analysis
+## Dynamic Analysis
+### Dynamic Analysis Overview
+### Fuzz Testing
+### Web Application Scanners
+## Other Verification Topics
+### Combining Verification Approaches
+# Threat Modeling
+## Threat Modeling/Attack Modeling
+### Introduction to Threat Modeling
+### STRIDE
+# Cryptography
+## Applying Cryptography
+### Introduction to Cryptography
+### Symmetric/Shared Key Encryption Algorithms
+### Cryptographic Hashes (Digital Fingerprints)
+### Public-Key (Asymmetric) Cryptography
+### Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)
+### Storing Passwords
+### Transport Layer Security (TLS)
+### Other Topics in Cryptography
+# Other Topics
+## Vulnerability Disclosures
+### Receiving Vulnerability Reports
+### Respond To and Fix the Vulnerability in a Timely Way
+### Sending Vulnerability Reports to Others
+## Miscellaneous
+### Assurance Cases
+### Harden the Development Environment (Including Build and CI/CD Pipeline) & Distribution Environment
+### Distributing, Fielding/Deploying, Operations, and Disposal
+### Artificial Intelligence (AI), Machine Learning (ML), and Security
+### Formal Methods
+## Top Vulnerability Lists
+### OWASP Top 10
+### CWE Top 25
+## Concluding Notes
+### Conclusions
+Part IV: Supporting Materials Not Part of the Course
+# Glossary
+# Further Reading
+# Old Mappings
+## OWASP Top 10 and CWE Top 25
+### OWASP Top 10 (2017 edition)
+### CWE Top 25 (2019 edition)
+# References