#277: updated security guide to recent OWASP top 10 (#282)

Author: hohwille

documentation/guide-security.asciidoc

@@ -15,60 +15,72 @@ We address these common threats individually in _security_ sections of our techn
 [options="header"]
 |=======================
 |*Threat*|*Protection*|*Link to details*
-|https://www.owasp.org/index.php/Top_10_2013-A1-Injection[A1 Injection]
+|https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Injection.html[A1 Injection]
 |validate input, escape output, use proper frameworks
 |link:guide-jpa.asciidoc#security[SQL Injection]
 
-|https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management[A2 Broken Authentication and Session Management]
+|https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication.html[A2 Broken Authentication]
 |encrypt all channels, use a central identity management with strong password-policy
 |link:guide-access-control.asciidoc#authentication[Authentication]
 
-|https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)[A3 XSS]
-|prevent injection (see A1) for HTML, JavaScript and CSS and understand same-origin-policy
-|link:guide-client-layer.asciidoc#security[client-layer]
-
-|https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References[A4 Insecure Direct Object References]
-|Using direct object references (IDs) only with appropriate authorization
-|link:guide-logic-layer.asciidoc#direct-object-references[logic-layer]
-
-|https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration[A5 Security Misconfiguration]
-|Use devonfw application template and guides to avoid
-|https://github.com/devonfw/devon4j/blob/develop/documentation/tutorial-newapp.asciidoc[tutorial-newapp] and link:guide-configuration.asciidoc#security[sensitive configuration]
-
-|https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure[A6 Sensitive Data Exposure]
+|https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html[A3 Sensitive Data Exposure]
 |Use secured exception facade, design your data model accordingly
 |link:guide-service-layer.asciidoc#rest-exception-handling[REST exception handling]
 
-|https://www.owasp.org/index.php/Top_10_2013-A7-Missing_Function_Level_Access_Control[A7 Missing Function Level Access Control]
+|https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A4-XML_External_Entities_(XXE).html[A4 XML External Entities]
+|Prefer JSON over XML, ensure https://docs.oracle.com/en/java/javase/11/security/java-api-xml-processing-jaxp-security-guide.html[FSP] when parsing (external) XML
+|link:guide-xml.asciidoc[XML guide]
+
+|https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control.html[A5 Broken Access Control]
 |Ensure proper authorization for all use-cases, use `@DenyAll` as default to enforce
-|link:guide-access-control.asciidoc#configuration-on-java-method-level[Method authorization]
+|link:guide-access-control.asciidoc[Access-control guide] especially link:guide-access-control.asciidoc#configuration-on-java-method-level[method authorization]
 
-|https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)[A8 CSRF]
-|secure mutable service operations with an explicit CSRF security token sent in HTTP header and verified on the server
-|link:guide-service-layer.asciidoc#csrf[service-layer security]
+|https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration.html[A6 Security Misconfiguration]
+|Use devon4j application template and guides to avoid
+|link:tutorial-newapp.asciidoc[tutorial-newapp] and link:guide-configuration.asciidoc#security[sensitive configuration]
+
+|https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A7-Cross-Site_Scripting_(XSS).html[A7 Cross-Site Scripting]
+|prevent injection (see A1) for HTML, JavaScript and CSS and understand same-origin-policy
+|link:guide-client-layer.asciidoc#security[client-layer]
 
-|https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities[A9 Using Components with Known Vulnerabilities]
+|https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A8-Insecure_Deserialization.html[A8 Insecure Deserialization]
+|Use simple and established serialization formats such as JSON, prevent generic deserialization (for polymorphic types)
+|link:guide-json.asciidoc[JSON guide] especially link:guide-json.asciidoc#json-and-inheritance[inheritence], link:guide-xml.asciidoc[XML guide]
+
+|https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities.html[A9 Using Components with Known Vulnerabilities]
 |subscribe to security newsletters, recheck products and their versions continuously, use devonfw dependency management
 |https://cve.mitre.org/news/newsletter.html[CVE newsletter] and xref:dependency-check[dependency check]
 
-|https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards[A10 Unvalidated Redirects and Forwards]
-|Avoid using redirects and forwards, in case you need them do a security audit on the solution.
-|devonfw proposes to use rich-clients (SPA/RIA). We only use redirects for login in a safe way.
+|https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A10-Insufficient_Logging%252526Monitoring.html[A10 Insufficient_Logging & Monitoring]
+|Ensure to log all security related events (login, logout, errors), establish effective monitoring
+|link:guide-logging.asciidoc[Logging guide] and link:guide-monitoring.asciidoc[monitoring guide]
+
+|https://owasp.org/www-chapter-ghana/assets/slides/IDOR.pdf[Insecure Direct Object References]
+|Using direct object references (IDs) only with appropriate authorization
+|link:guide-logic-layer.asciidoc#direct-object-references[logic-layer]
+
+|https://owasp.org/www-community/attacks/csrf[Cross-Site Request Forgery (CSRF)]
+|secure mutable service operations with an explicit CSRF security token sent in HTTP header and verified on the server
+|link:guide-service-layer.asciidoc#csrf[service-layer security]
 
 |https://www.owasp.org/index.php/Log_Forging[Log-Forging]
 |Escape newlines in log messages
 |link:guide-logging.asciidoc#security[logging security]
+
+|https://owasp.org/www-pdf-archive//OWASP_LA_New_OWASP_Top_10_David_Caissy_2017_07.pdf[Unvalidated Redirects and Forwards]
+|Avoid using redirects and forwards, in case you need them do a security audit on the solution.
+|devonfw proposes to use rich-clients (SPA/RIA). We only use redirects for login in a safe way.
 |=======================
 
 == Tools
 === Dependency Check
-To address https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities[A9 Using Components with Known Vulnerabilities] we integrated https://www.owasp.org/index.php/OWASP_Dependency_Check[OWASP dependency check] into the devonfw maven build. If you build an devonfw application (sample or any app created from our link:tutorial-newapp.asciidoc[app-template]) you can activate dependency check with the `security` profile:
+To address the thread `Using Components with Known Vulnerabilities` we integrated https://www.owasp.org/index.php/OWASP_Dependency_Check[OWASP dependency check] into the devon4j maven build. If you build an devon4j application (sample or any app created from our link:tutorial-newapp.asciidoc[app-template]) you can activate dependency check with the `security` profile:
 [source,bash]
 ---- 
 mvn clean install -P security
 ---- 
-This does not run by default as it causes a huge overhead for the build performance. However , consider to build this in your CI at least nightly.
-After the dependency check is performed , you will find the results in `target/dependency-check-report.html` of each module. The report will also always be generated when the site is build (`mvn site`).
+This does not run by default as it causes a huge overhead for the build performance. However, consider to build this in your CI at least nightly.
+After the dependency check is performed, you will find the results in `target/dependency-check-report.html` of each module. The report will also be generated when the site is build (`mvn site`) even without the profile.
 
 === Penetration Testing
 For penetration testing (testing for vulnerabilities) of your web application, we recommend the following tools:

documentation/guide-xml.asciidoc

@@ -11,10 +11,13 @@ In Java there are many different APIs and frameworks for accessing, producing an
 We use http://en.wikipedia.org/wiki/Java_Architecture_for_XML_Binding[JAXB] to serialize Java objects to XML or vice-versa.
 
 === JAXB and Inheritance
-TODO +@XmlSeeAlso+
-http://stackoverflow.com/questions/7499735/jaxb-how-to-create-xml-from-polymorphic-classes
+Use `@XmlSeeAlso` annotation to provide sub-classes.
+See section "Collective Polymorphism" described https://dzone.com/articles/java-and-xml-part-3-jaxb[here].
 
 === JAXB Custom Mapping
-In order to map custom link:guide-datatype.asciidoc[datatypes] or other types that do not follow the Java bean conventions, you need to define a custom mapping. If you create dedicated objects dedicated for the XML mapping you can easily avoid such situations. When this is not suitable follow these instructions to define the mapping: TODO
+In order to map custom link:guide-datatype.asciidoc[datatypes] or other types that do not follow the Java bean conventions, you need to define a custom mapping. If you create dedicated objects for the XML mapping you can easily avoid such situations. When this is not suitable use `@XmlJavaTypeAdapter` and provide an `XmlAdapter` implementation that handles the mapping.
+For details see https://www.eclipse.org/eclipselink/documentation/2.6/moxy/advanced_concepts006.htm[here].
 
-https://weblogs.java.net/blog/kohsuke/archive/2005/09/using_jaxb_20s.html
+== Security
+
+To prevent XML External Entity attacks, follow https://docs.oracle.com/en/java/javase/11/security/java-api-xml-processing-jaxp-security-guide.html[JAXP Security Guide] and enable https://docs.oracle.com/en/java/javase/11/security/java-api-xml-processing-jaxp-security-guide.html#GUID-88B04BE2-35EF-4F61-B4FA-57A0E9102342[FSP].