From 086be93ba495d612c58ce45e2ce53e132a4c252e Mon Sep 17 00:00:00 2001 From: Mike Edoror Date: Mon, 11 Sep 2023 11:06:50 -0500 Subject: [PATCH] Typo fixes --- modules/1-introduction.livemd | 2 +- modules/2-owasp.livemd | 4 ++-- modules/3-ssdlc.livemd | 2 +- modules/4-graphql.livemd | 4 ++-- modules/5-elixir.livemd | 6 +++--- modules/7-anti-patterns.livemd | 2 +- modules/8-cicd.livemd | 2 +- 7 files changed, 11 insertions(+), 11 deletions(-) diff --git a/modules/1-introduction.livemd b/modules/1-introduction.livemd index fc3cf32..ca9ea5d 100644 --- a/modules/1-introduction.livemd +++ b/modules/1-introduction.livemd @@ -18,7 +18,7 @@ This Training material is also ideally used in an educational environment for or If you've never used an Elixir [Livebook](https://livebook.dev/) before, you're in for a treat! They are a very exciting new tool that is actively under development - very similar in application to [Jupyter Notebooks](https://jupyter.org/), but for the Elixir ecosystem! -It would not do the Livebook any justice to try and summize here how to fully take advantage of all its capabilities, for a better introduction there is a great tutorial offered in local installations of Livebook. +It would not do the Livebook any justice to try and summarize here how to fully take advantage of all its capabilities, for a better introduction there is a great tutorial offered in local installations of Livebook. **For the purposes of this Training material, just know that you need to run the "Setup" step for the "Notebook dependencies and setup" section at the very top of EVERY module before running any code samples found within the module you're working on.** diff --git a/modules/2-owasp.livemd b/modules/2-owasp.livemd index c60e52b..9accc72 100644 --- a/modules/2-owasp.livemd +++ b/modules/2-owasp.livemd 
@@ -265,7 +265,7 @@ IO.puts(vulnerable_dependency) ### Description -Unlike [Broken Access Control](#broken-access-control), this category covers the other half of the "Auth" picture - Authentication; or in otherwords, the validation of "Who" is performing an action within a Data System. +Unlike [Broken Access Control](#broken-access-control), this category covers the other half of the "Auth" picture - Authentication; or in other words, the validation of "Who" is performing an action within a Data System. Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks. There may be authentication weaknesses if the application: @@ -335,7 +335,7 @@ Notable CWES include CWE-778 Insufficient Logging to include CWE-117 Improper Ou * Ensure log data is encoded correctly to prevent injections or attacks on the logging or monitoring systems. * Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar. * Establish or adopt an incident response and recovery plan. -* Do not expose error logs in response to client when not necessary. +* Do not expose error logs in response to the client when not necessary. diff --git a/modules/3-ssdlc.livemd b/modules/3-ssdlc.livemd index 6afce3a..b101c55 100644 --- a/modules/3-ssdlc.livemd +++ b/modules/3-ssdlc.livemd @@ -142,7 +142,7 @@ An example of developing a web application using defense in depth could be: * The codebase is checked automatically for vulnerabilities using Semgrep * The codebase is also checked for outdated dependencies using Dependabot * The application is regularly tested by the internal security team -* Multiple development environments are used such as Develpoment, Staging, and Production +* Multiple development environments are used such as Development, Staging, and Production
diff --git a/modules/4-graphql.livemd b/modules/4-graphql.livemd index 24d9a3f..ab498d4 100644 --- a/modules/4-graphql.livemd +++ b/modules/4-graphql.livemd 
@@ -152,13 +152,13 @@ IO.puts(answer) ### Description -When building an application, it is necessary to manage the access and use of all relevant internal and external resources involved in the context of the application. This will help ensure the continued availablilty of the application and its functionality for all legitimate users and entities. +When building an application, it is necessary to manage the access and use of all relevant internal and external resources involved in the context of the application. This will help ensure the continued availability of the application and its functionality for all legitimate users and entities. Resource exhaustion occurs when memory, processes handling application requests, network traffic transmissions, server capacity, storage, and other host operating system or device limitations are exceeded while an application is running. When resource allocation is not well managed, applications become vulnerable to negative impacts in performance, unintentional service failures, and denial of service attacks, in which a malicious actor takes advantage of resource limitations to intentionally overwhelm and crash a system. Resource exhaustion can occur inadvertently through legitimate use or could be triggered intentionally in a DoS attack by a malicious actor who sends a large number or resource intensive requests to overload the application. -The structure of GraphQL queries make it particularly succeptible to this type of attack as they can be crafted to perform long running and extensive operations, depending on the data being queried. +The structure of GraphQL queries make it particularly susceptible to this type of attack as they can be crafted to perform long running and extensive operations, depending on the data being queried. 
In addition to strategies like rate limiting to protect APIs in general, another approach to protecting GraphQL from resource exhaustion involves anticipating the cost of a query and allocating resources based on known available capacity. The next section introduces this approach. diff --git a/modules/5-elixir.livemd b/modules/5-elixir.livemd index b80d5f7..ac43b76 100644 --- a/modules/5-elixir.livemd +++ b/modules/5-elixir.livemd @@ -126,9 +126,9 @@ A timing attack is a side-channel attack in which the attacker attempts to compr Plainly speaking, response time it takes to compute a given function measured at the pico-second level is analyzed for microscopic variations. -This technique is primarily used to analyze string comparisons of secret values to brute-force the identify of the secret. +This technique is primarily used to analyze string comparisons of secret values to brute-force the identity of the secret. -e.g. When comparing two strings, the function exits when variation is detected. Take a secret value `MY_SECRET` and a user input `MY_PASSWORD`, the string compariosn (`MY_PASSWORD == MY_SECRET`) would go character by character until there's a complete match or a discrepancy. So if the new input was `MY_SAUCE`, that new string would take marginally longer to compare against the secret than `MY_PASSWORD` because of one more similar character as `MY_SECRET`. +e.g. When comparing two strings, the function exits when variation is detected. Take a secret value `MY_SECRET` and a user input `MY_PASSWORD`, the string comparison (`MY_PASSWORD == MY_SECRET`) would go character by character until there's a complete match or a discrepancy. So if the new input was `MY_SAUCE`, that new string would take marginally longer to compare against the secret than `MY_PASSWORD` because of one more similar character as `MY_SECRET`. ### Prevention 
@@ -194,7 +194,7 @@ By using expressions that do not use boolean coercion, the incorrect assumption * Prefer `or` over `||` * Prefer `not` over `!` -The latter will raise a "BadBooleanError" when the function returns :ok or {:error, \_}. In the interest of clarity if may even be better to use a case construct, matching explicitly on true and false. +The latter will raise a "BadBooleanError" when the function returns :ok or {:error, \_}. In the interest of clarity it may even be better to use a case construct, matching explicitly on true and false. ### Resources diff --git a/modules/7-anti-patterns.livemd b/modules/7-anti-patterns.livemd index 7de1d62..3e46ba5 100644 --- a/modules/7-anti-patterns.livemd +++ b/modules/7-anti-patterns.livemd @@ -105,7 +105,7 @@ Pretty secure criteria! You type `this_is_MY_super_secure_password` and hit ente You decide to proxy the request and see that the password is never actually being sent to the server when you press enter - the validation check MUST be happening exclusively client-side. -You appease the JavaScript by adding a 1 to the end then proxy the request in transit, seeing that your input (`this_is_MY_super_secure_password1`) is about to be sent as the one of the payload data objects to the server. Before it leaves your browser though, you change the payload back to your original password that didn't met the criteria and let the request go through. +You appease the JavaScript by adding a 1 to the end then proxy the request in transit, seeing that your input (`this_is_MY_super_secure_password1`) is about to be sent as the one of the payload data objects to the server. Before it leaves your browser though, you change the payload back to your original password that didn't meet the criteria and let the request go through. To your surprise; the server didn't balk at you! You go to log in to the site with your desired password and it worked! diff --git a/modules/8-cicd.livemd b/modules/8-cicd.livemd index ab6c798..925939d 100644 
--- a/modules/8-cicd.livemd +++ b/modules/8-cicd.livemd @@ -41,7 +41,7 @@ Refer to Sobelow's [README](https://github.com/nccgroup/sobelow#installation) fo ### Description -[Salus](https://github.com/coinbase/salus) is a Static Application Security Testing (SAST) orchestration tool - developed by the Security team over at Coinbase. Under the hood it is a Ruby program that determines the language of what codebase it is attempting to run on and with selectively run other open source SAST tools for that language. +[Salus](https://github.com/coinbase/salus) is a Static Application Security Testing (SAST) orchestration tool - developed by the Security team over at Coinbase. Under the hood it is a Ruby program that determines the language of what codebase it is attempting to run on and will selectively run other open source SAST tools for that language. There is currently an [PR in progress](https://github.com/coinbase/salus/pull/651) for integrating Sobelow into Salus.
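Review bot: In the modules/4-graphql.livemd hunk, the rewritten line still has a subject-verb disagreement: "The structure of GraphQL queries make it particularly susceptible" should read "makes it particularly susceptible". The unchanged context line in the same hunk also carries a typo this patch could pick up: "sends a large number or resource intensive requests" should be "a large number of resource-intensive requests".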
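Review bot: In the first modules/5-elixir.livemd hunk (timing attacks), the unchanged context line "Plainly speaking, response time it takes to compute a given function" is missing an article and should read "the response time it takes". Since this is a typo-fix patch, it is worth folding that in while touching the adjacent lines.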
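Review bot: In the second modules/5-elixir.livemd hunk, "The latter will raise a "BadBooleanError"" is ambiguous after the two-item list (`or` over `||`, `not` over `!`): it reads as referring only to `not`, but BadBooleanError is what `or` (and `and`) raise when the left operand is not a boolean; `not` applied to a non-boolean such as `:ok` raises ArgumentError instead. Suggest rewording to name the operator explicitly, e.g. "`or` will raise a BadBooleanError when the function returns :ok or {:error, \_}".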
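Review bot: In the modules/7-anti-patterns.livemd hunk, the rewritten line still contains "is about to be sent as the one of the payload data objects"; drop the stray "the" so it reads "as one of the payload data objects".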
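Review bot: In the modules/8-cicd.livemd hunk, the unchanged context line "There is currently an [PR in progress]" should use "a PR in progress". The rewritten sentence is also awkward: "determines the language of what codebase it is attempting to run on" would read more cleanly as "determines the language of the codebase it is run against and will selectively run other open source SAST tools for that language".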
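Review bot: In the second modules/2-owasp.livemd hunk (logging and monitoring), the hunk header context "Notable CWES include CWE-778" capitalises the plural; it should be "CWEs", consistent with the "CWE-778" and "CWE-117" identifiers on the same line. Minor, but in scope for a typo-fix patch.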
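Review bot: In the modules/3-ssdlc.livemd hunk, the fixed line "Multiple development environments are used such as Development, Staging, and Production" is inconsistent with itself: Staging and Production are not development environments. Suggest "Multiple deployment environments are used, such as Development, Staging, and Production" so the defense-in-depth point (separation of environments) is not muddied by the wording.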