Dave's feedback

[DinisCruz]

Adding it here so that I can track it

---

• [x] The last disclaimer shows up as: app’s unintended behaviors - in the PDF version of the book.
• [x] Similarly, in 2.2.3 is: "£5,000, or for £50,000, than it is to ask for £50."
• [x] In 2.5: "click on the ‘accept risk’ button"
• [x] In section 1.1.9 it says: "PMD or FindBugs are good options" - For security, these are terrible options. OWASP Benchmark says they basically score 0 (PMD), or almost 0 (FindBugs). I would recommend you recommend FindBugs w/FindSecBugs, which has for more and better security rules than FindBugs and is under current active development/maintenance. FindBugs is not. Ann-Marie can't find this file to make the change.
• [x] 1.2.3: Lyfecycle is misspelled (#98)
• [x] 1.2.5: as an quality metric - should be 'a quality' (#150)
• [x] In this section, what do you mean by 'patching'? Patching what? Upgrading your web/app servers? Upgrading your libraries? Patching your own code?
• [x] End of section 2.1.1 says: "(no P-0 security bugs, possibly no P-1 if publicly facing, etc)" What do you mean by P-0/P-1? Not introduced earlier I don't think. Added as comment to #151
• [x] Also, right above that is says: "or new RISK)" - should be RISKs.
• [x] In 2.1.14 you provide links to Bag of Holding and Defect Dojo but there are earlier references to these that didn't and I didn't know what they were. #156
• [x] Section 2.6 is duplicative of, but a subset of 2.5
• [x] I think 2.8.7 should refer to the OWASP Cheat Sheet series, which is one of the best AppSec resources on the internet (in my opinion).
• [x] Both 2.8.7 and 2.8.25 talk about OWASP WebGoat Project. Seems like it should be covered in only 1 place. #153
• [x] 2.8.30 - Typo: "securit champion" - y missing. #154

[DinisCruz]

• encoding issues fixed by changing the book encoding format
• Added CheatCheats, Testing Guide and many other references to owasp projects https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/commit/3630536c7be0f2fa67275e8163719f751c439ac5
• on 'Patch speed as an quality metric' added definition of Patching at the top (which is making small changes: https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/commit/374e860237f4c01d0f8d211419654711ac2774b1 )
• Agreed on FindSecBugs and also added new chapter on "AppSec Technologies and tools" in order to capture those tools and mention where they work really well
• removed the P-0 and P-1 references since they were out of place in that location (and I want to add a more detailed description of labels, which will cover that)
• re bag of holding, I agree, but the fix needs some refactoring , so I created a separate issue to track it https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/issues/156
• 2.6 duplication was actually a bug in the book generation script that is being used to create the book (content removed)