From d604d8dcbd4e5277c43e1d62f689a776979d8406 Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Mon, 12 Aug 2024 18:09:23 +0300 Subject: [PATCH] Add trusted service layer to glossary and clarify 5.6.2 to resolve #2006 --- 5.0/en/0x13-V5-Validation-Sanitization-Encoding.md | 2 +- 5.0/en/0x90-Appendix-A_Glossary.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md b/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md index 71dbb583e..bb3d1f2dd 100644 --- a/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md +++ b/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md @@ -126,7 +126,7 @@ reorg: move it to 1st chapter in the paragraph | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | | **5.6.1** | [ADDED] Verify that input is decoded or unescaped into a canonical form only once and that this is done before processing the input further, for example it is not performed after input validation or sanitization. | ✓ | ✓ | ✓ | 174 | -| **5.6.2** | [MODIFIED, MOVED FROM 1.5.3, LEVEL L2 > L1] Verify that the application is designed to enforce input validation at a trusted service layer. While client-side validation improves usability, security must not rely on it. | ✓ | ✓ | ✓ | 602 | +| **5.6.2** | [MODIFIED, MOVED FROM 1.5.3, LEVEL L2 > L1] Verify that the application is designed to enforce input validation at a trusted service layer. While client-side validation improves usability, security must not rely on it as it can be bypassed. | ✓ | ✓ | ✓ | 602 | | **5.6.3** | [MODIFIED, MOVED FROM 1.5.4] Verify that the application performs output encoding and escaping either as a final step before being used by the interpreter for which it is intended or by the interpreter itself. | | ✓ | ✓ | 116 | ## References diff --git a/5.0/en/0x90-Appendix-A_Glossary.md b/5.0/en/0x90-Appendix-A_Glossary.md index 0e66e7167..5ce7cd5d9 100644 --- a/5.0/en/0x90-Appendix-A_Glossary.md 
+++ b/5.0/en/0x90-Appendix-A_Glossary.md @@ -47,6 +47,7 @@ * **Threat Modeling** - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. * **Transport Layer Security** (TLS) – Cryptographic protocols that provide communication security over a network connection. * **Trusted Platform Module** (TPM) - A type of HSM that is usually attached to a larger hardware component such as a motherboard and acts as the "root of trust" for that system. +* **Trusted Service Layer** - Any trusted control enforcement point, such as a microservice, serverless API, server-side, a trusted API on a client device that has secure boot, partner or external APIs, and so on. Trusted means that we are not concerned that an untrusted user will be able to bypass the control. * **Two-factor authentication** (2FA) - This adds a second level of authentication to an account log-in. * **Universal 2nd Factor** (U2F) - One of the standards created by FIDO specifically for allowing a USB or NFC security key to be used as a 2nd authentication factor. * **URI/URL/URL fragments** – A Uniform Resource Identifier is a string of characters used to identify a name or a web resource. A Uniform Resource Locator is often used as a reference to a resource.
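Review bot: in the 5.6.2 hunk, the added clause "as it can be bypassed" states the conclusion without the reason, and it sits next to a glossary definition (other hunk) that allows a client device with secure boot to host a trusted service layer, so a reader may wonder which client-side validation is meant. Suggest tying the rationale to control of the client, e.g. "While client-side validation improves usability, security must not rely on it, since the client is under the user's control and client-side checks can be bypassed." That also lines up with the mapped CWE 602 (Client-Side Enforcement of Server-Side Security) and makes the level change [LEVEL L2 > L1] easier to justify in the row.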
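Review bot: in the glossary hunk, the new "Trusted Service Layer" entry mixes list forms ("server-side" is an adjective among nouns) and switches to first person ("we are not concerned"), which no neighbouring entry does. Suggest "such as a microservice, a serverless API, server-side application code, a trusted API on a client device that has secure boot, or a partner or external API" and "Trusted here means that an untrusted user is not expected to be able to bypass the control." Since 5.6.2 says client-side validation cannot be relied on while this entry lists a secure-boot client device as trusted, consider one clarifying clause stating that a client-side component only counts when the application's trust boundary has been explicitly extended to it. Alphabetical placement after "Trusted Platform Module" is correct.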