[x] The last disclaimer shows up as: app’s unintended behaviors - in the PDF version of the book.
[x] Similarly, in 2.2.3 is: "£5,000, or for £50,000, than it is to ask for £50."
[x] In 2.5: "click on the ‘accept risk’ button"
[x] In section 1.1.9 it says: "PMD or FindBugs are good options" - For security, these are terrible options. OWASP Benchmark says they basically score 0 (PMD), or almost 0 (FindBugs). I would recommend you recommend FindBugs w/FindSecBugs, which has far more and better security rules than FindBugs and is under current active development/maintenance. FindBugs is not. Ann-Marie can't find this file to make the change.
[x] 1.2.3: Lyfecycle is misspelled (#98)
[x] 1.2.5: as an quality metric - should be 'a quality' (#150)
[x] In this section, what do you mean by 'patching'? Patching what? Upgrading your web/app servers? Upgrading your libraries? Patching your own code?
[x] End of section 2.1.1 says: "(no P-0 security bugs, possibly no P-1 if publicly facing, etc)" What do you mean by P-0/P-1? Not introduced earlier I don't think. Added as comment to #151
[x] Also, right above that it says: "or new RISK)" - should be RISKs.
[x] In 2.1.14 you provide links to Bag of Holding and Defect Dojo but there are earlier references to these that didn't and I didn't know what they were. #156
[x] Section 2.6 is duplicative of, but a subset of 2.5
[x] I think 2.8.7 should refer to the OWASP Cheat Sheet series, which is one of the best AppSec resources on the internet (in my opinion).
[x] Both 2.8.7 and 2.8.25 talk about OWASP WebGoat Project. Seems like it should be covered in only 1 place. #153
[x] 2.8.30 - Typo: "securit champion" - y missing. #154
Agreed on FindSecBugs and also added new chapter on "AppSec Technologies and tools" in order to capture those tools and mention where they work really well
removed the P-0 and P-1 references since they were out of place in that location (and I want to add a more detailed description of labels, which will cover that)
Adding it here so that I can track it