Merge pull request ossf#121 from ossf/add_toc

david-a-wheeler · web-flow · commit f8e222c4e2c3 · 2023-03-09T14:06:37.000-05:00
Add toc
diff --git a/README.md b/README.md
@@ -28,6 +28,8 @@ project. Changes that are accepted into the Markdown must go through a series of
 
 Changes to the markdown must have no errors reported by `markdownlint` using our configuration. This is checked when a pull request is made. You can do this check locally by installing markdownlint (e.g., `brew install markdownlint-cli` or `npm install -g markdownlint-cli`) and running `make`.
 
+You can see a generated [table of contents](toc.md) - rerun `make` to regenerate it. This generated file is included in the repository itself for convenience of those new to the document.
+
 This content was originally converted from Google docs format using
 [gdocs2md](http://github.com/mangini/gdocs2md),
 patched to skip inline drawings.
diff --git a/makefile b/makefile
@@ -2,10 +2,10 @@
 
 all: lint toc.md
 
-lint:
+lint: toc.md
 	markdownlint --config .github/linters/.markdown-lint.yml \
-	  secure_software_development_fundamentals.md 
+	  secure_software_development_fundamentals.md toc.md
 
-toc.md: lint secure_software_development_fundamentals.md tocignore
+toc.md: secure_software_development_fundamentals.md tocignore
 	grep -E '^#{1,3} ' secure_software_development_fundamentals.md | \
-	  grep -E -v -f tocignore | sed 's/^# Part /Part /' > toc.md
+	  grep -E -v -f tocignore | while read line; do echo "$$line"; echo; done > toc.md
diff --git a/secure_software_development_fundamentals.md b/secure_software_development_fundamentals.md
@@ -3682,7 +3682,7 @@ Thankfully, other than attacks on cryptographic systems, side-channel attacks ar
 
 * Not included as part of the free version of the course.
 
-# PART III: Verification and More Specialized Topics
+# Part III: Verification and More Specialized Topics
 
 # Verification
 
diff --git a/toc.md b/toc.md
@@ -0,0 +1,288 @@
+# Part I: Requirements, Design, and Reuse
+
+# Course Introduction
+
+## Introduction
+
+## A Note from the Author
+
+## Motivation
+
+### Motivation: Why Is It Important to Secure Software?
+
+### Motivation: Why Take This course?
+
+# Security Basics
+
+## What Do We Need?
+
+### What Does “Security” Mean?
+
+### Security Requirements
+
+### What Is Privacy and Why It Is Important
+
+### Privacy Requirements
+
+## How Can We Get There?
+
+### Risk Management
+
+### Development Processes / Defense-in-Breadth
+
+### Protect, Detect, Respond
+
+### Vulnerabilities
+
+# Design
+
+## Secure Design Basics
+
+### What Are Security Design Principles?
+
+### Widely-Recommended Secure Design Principles
+
+### Least Privilege
+
+### Complete Mediation (Non-Bypassability)
+
+### The Rest of the Saltzer & Schroeder Design Principles
+
+### Other Design Principles
+
+# Reusing External Software
+
+## Supply Chain
+
+### Basics of Reusing Software
+
+### Selecting (Evaluating) Open Source Software
+
+### Downloading and Installing Reusable Software
+
+### Updating Reused Software
+
+# Part II: Implementation
+
+# Basics of Implementation
+
+### Implementation Overview
+
+# Input Validation
+
+## Input Validation Basics
+
+### Input Validation Basics Introduction
+
+### How Do You Validate Input?
+
+## Input Validation: Numbers and Text
+
+### Input Validation: A Few Simple Data Types
+
+### Sidequest: Text, Unicode, and Locales
+
+### Validating Text
+
+### Introduction to Regular Expressions
+
+### Using Regular Expressions for Text Input Validation
+
+### Countering ReDoS Attacks on Regular Expressions
+
+## Input Validation: Beyond Numbers and Text
+
+### Insecure Deserialization
+
+### Input Data Structures (XML, HTML, CSV, JSON, & File Uploads)
+
+### Minimizing Attack Surface, Identification, Authentication, and Authorization
+
+### Search Paths and Environment Variables (including setuid/setgid Programs)
+
+### Special Inputs: Secure Defaults and Secure Startup
+
+## Consider Availability on All Inputs
+
+### Consider Availability on All Inputs Introduction
+
+# Processing Data Securely
+
+## Processing Data Securely: General Issues
+
+### Prefer Trusted Data. Treat Untrusted Data as Dangerous
+
+### Avoid Default & Hardcoded Credentials
+
+### Avoid Incorrect Conversion or Cast
+
+## Processing Data Securely: Undefined Behavior / Memory Safety
+
+### Countering Out-of-Bounds Reads and Writes (Buffer Overflow)
+
+### Double-free, Use-after-free, and Missing Release
+
+### Avoid Undefined Behavior
+
+## Processing Data Securely: Calculate Correctly
+
+### Avoid Integer Overflow, Wraparound, and Underflow
+
+# Calling Other Programs
+
+## Introduction to Securely Calling Programs
+
+### Introduction to Securely Calling Programs - The Basics
+
+## Calling Other Programs: Injection and Filenames
+
+### SQL Injection
+
+### OS Command (Shell) injection
+
+### Other Injection Attacks
+
+### Filenames (Including Path Traversal and Link Following)
+
+## Calling Other Programs: Other Issues
+
+### Call APIs for Programs and Check What Is Returned
+
+### Handling Errors
+
+### Logging
+
+### Debug and Assertion Code
+
+### Countering Denial-of-Service (DoS) Attacks
+
+# Sending Output
+
+### Introduction to Sending Output
+
+### Countering Cross-Site Scripting (XSS)
+
+### Content Security Policy (CSP)
+
+### Other HTTP Hardening Headers
+
+### Cookies & Login Sessions
+
+### CSRF / XSRF
+
+### Open Redirects and Forwards
+
+### HTML **target** and JavaScript **window.open()**
+
+### Using Inadequately Checked URLs / Server-Side Request Forgery (SSRF)
+
+### Same-Origin Policy and Cross-Origin Resource Sharing (CORS)
+
+### Format Strings and Templates
+
+### Minimize Feedback / Information Exposure
+
+### Side-Channel Attacks
+
+# Part III: Verification and More Specialized Topics
+
+# Verification
+
+## Basics of Verification
+
+### Verification Overview
+
+## Static Analysis
+
+### Static Analysis Overview
+
+### Software Composition Analysis (SCA)/Dependency Analysis
+
+## Dynamic Analysis
+
+### Dynamic Analysis Overview
+
+### Fuzz Testing
+
+### Web Application Scanners
+
+## Other Verification Topics
+
+### Combining Verification Approaches
+
+# Threat Modeling
+
+## Threat Modeling/Attack Modeling
+
+### Introduction to Threat Modeling
+
+### STRIDE
+
+# Cryptography
+
+## Applying Cryptography
+
+### Introduction to Cryptography
+
+### Symmetric/Shared Key Encryption Algorithms
+
+### Cryptographic Hashes (Digital Fingerprints)
+
+### Public-Key (Asymmetric) Cryptography
+
+### Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)
+
+### Storing Passwords
+
+### Transport Layer Security (TLS)
+
+### Other Topics in Cryptography
+
+# Other Topics
+
+## Vulnerability Disclosures
+
+### Receiving Vulnerability Reports
+
+### Respond To and Fix the Vulnerability in a Timely Way
+
+### Sending Vulnerability Reports to Others
+
+## Miscellaneous
+
+### Assurance Cases
+
+### Harden the Development Environment (Including Build and CI/CD Pipeline) & Distribution Environment
+
+### Distributing, Fielding/Deploying, Operations, and Disposal
+
+### Artificial Intelligence (AI), Machine Learning (ML), and Security
+
+### Formal Methods
+
+## Top Vulnerability Lists
+
+### OWASP Top 10
+
+### CWE Top 25
+
+## Concluding Notes
+
+### Conclusions
+
+# Part IV: Supporting Materials Not Part of the Course
+
+# Glossary
+
+# Further Reading
+
+# Old Mappings
+
+## OWASP Top 10 and CWE Top 25
+
+### OWASP Top 10 (2017 edition)
+
+### CWE Top 25 (2019 edition)
+
+# References
+
