
Commit adf6fdd

Tweak ReDoS text
Signed-off-by: David A. Wheeler <[email protected]>
1 parent 526ceb4 commit adf6fdd

File tree

1 file changed

+2
-2
lines changed


secure_software_development_fundamentals.md

Lines changed: 2 additions & 2 deletions
@@ -1672,11 +1672,11 @@ There are many solutions to this problem, including the following:
16721672

16731673
4. Implement a timeout, on the regex (if supported) or on the application as a whole. For example, [Ruby 3.2](https://www.ruby-lang.org/en/news/2022/04/03/ruby-3-2-0-preview1-released/) supports a global regex timeout value (`Regexp.timeout`) and a timeout parameter when instantiating a regular expression object. The [.NET framework MatchTimeout mechanisms](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.matchtimeout) can also set a global timeout value or one for each regex.
16741674

1675-
5. Don’t run regexes provided by attackers on systems other their own. It is okay for an adversary to provide a regex that they themselves always run (in that case, attackers just attack themselves). But if attackers can provide regexes that you run, they may be able to cause a ReDOS (unless you have taken other steps to prevent it). Regexes are, in general, programming languages, and you should generally avoid running attacker-provided programs. It is possible to do it relatively securely, but you need to take a lot of precautions and it is always more secure to just not do it.
1675+
5. Don’t run regexes provided by attackers on systems other than their own. It is okay for an adversary to provide a regex that they themselves always run (in that case, attackers just attack themselves). But if attackers can provide regexes that you run, they may be able to cause a ReDOS (unless you have taken other steps to prevent it). Regexes are, in general, programming languages, and you should generally avoid running attacker-provided programs. It is possible to do it relatively securely, but you need to take a lot of precautions and it is always more secure to just not do it.
16761676

16771677
If you are interested in more details, see the [OWASP discussion](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service&#95;-&#95;ReDoS) about this.
16781678

1679-
Note: ReDoS is often *not* a real vulnerability. Such regexes can *only* be a vulnerability if they run on a trusted system and process untrusted input. There are many tools that can detect regexes that are vulnerable to ReDoS but don't determine if the input sources untrusted. Such tools can flood developers with so-called "vulnerabilities" that aren't really vulnerabilities. In addition, in some cases countermeasures (like maximum input sizes and timeouts) effectively eliminate ReDoS effectiveness. Even when a regex processes untrusted inputs and these countermeasures fail, ReDoS at *most* will most cause a denial of service, not a loss of confidentiality or integrity. Thus, while ReDoS can be a real vulnerability, it's often less important. If you find yourself dealing with a large number of ReDoS vulnerability reports, check to see if in fact these are a real problem.
1679+
Note: ReDoS is often *not* a real vulnerability. Such regexes can *only* be a vulnerability if they run on a trusted system and process untrusted input. There are many tools that can detect regexes that are vulnerable to ReDoS but don't determine if the input sources are untrusted. Such tools can flood developers with so-called "vulnerabilities" that aren't really vulnerabilities. In addition, in some cases countermeasures (like maximum input sizes and timeouts) effectively eliminate ReDoS effectiveness. Even when a regex processes untrusted inputs and these countermeasures fail, ReDoS at *most* will most cause a denial of service, not a loss of confidentiality or integrity. Thus, while ReDoS can be a real vulnerability, it's often not a vulnerability or is less important. If you find yourself dealing with a large number of ReDoS vulnerability reports, recheck to see if these are real vulnerabilities.
16801680
(See [Enosuchblog's "ReDoS "vulnerabilities" and misaligned incentives"](https://blog.yossarian.net/2022/12/28/ReDoS-vulnerabilities-and-misaligned-incentives).)
16811681

16821682
#### Quiz 1.5: Countering ReDoS Attacks on Regular Expressions
