Adding SCP 115

.wordlist-en.txt

@@ -1,13 +1,13 @@
-AES
 AEAD
+AES
 APIT
 APIs
 APK
 ARP
 ASVS
 AUTH
 Adoptium
-alirezakkt
+Amauri
 Analyser
 Andra
 Andreas
@@ -17,16 +17,18 @@ AppSec
 AppSensor
 Arithmatex
 Atlassian
+BOLA
 BOM
 BOMs
+BOPLA
 BOV
 BetterEm
+Bizerra
 Bluesky
 Brømsø
 CAPEC
 CCM
 CFB
-ChaCha
 CISO
 CMS
 CMSeeK
@@ -45,6 +47,7 @@ CVSS
 CWE
 Canonicalisation
 Cavalcanti
+ChaCha
 ChartMuseum
 Cheatsheet
 Cheatsheets
@@ -81,6 +84,7 @@ Dracon
 ECB
 ENISA
 ESAPI
+Ebihara
 Ecommerce
 Elie
 EscapeAll
@@ -218,6 +222,7 @@ RSA
 RansomWare
 Recx
 Riccardo
+Roxana
 Ruleset
 SAFEcode
 SAML
@@ -307,6 +312,7 @@ WHATWG
 WPScan
 WSTG
 Wayfinder
+WebDAV
 WebGoat
 WebGoat's
 WebHook
@@ -321,10 +327,13 @@ XML
 XSS
 XXE
 YAML
+Yuuki
 ZH
 aSemy
 ai
 algorithmically
+alirezakkt
+allowlist
 angularjs
 api
 architected
@@ -407,6 +416,7 @@ frontends
 gamification
 gamifies
 gamify
+git
 github
 gitlab
 gmail
@@ -423,6 +433,7 @@ integrations
 intel
 interoperate
 io
+ip
 iteratively
 javascript
 js
@@ -465,6 +476,7 @@ permalink
 personalization
 plaintext
 pre
+printf
 programmatically
 proscriptive
 px
@@ -495,19 +507,24 @@ skf
 socio
 soupsieve
 stacktrace
+strcat
+strcpy
 subcommand
 subcommands
 subdirectories
 subdirectory
+svn
 synchronizer
 templating
 testbed
 testssl
 threatspec
 toolchain
 transactional
+tunable
 txt
 typosquatting
+unencrypted
 unforgeable
 unicode
 unkeyed
@@ -526,19 +543,3 @@ wstg
 wtf
 www
 xsaero
-Roxana
-Amauri
-Bizerra
-Ebihara
-Yuuki
-svn
-git
-BOPLA
-BOLA
-WebDAV
-tunable
-allowlist
-printf
-strcat
-strcpy
-unencrypted

docs/en/04-design/02-web-app-checklist/06-digital-identity.md

@@ -21,7 +21,8 @@ and use the list below as suggestions for a checklist that has been tailored for
 9. Administrative and account management must be at least as secure as the primary authentication mechanism
 10. Use [Multi-Factor Authentication][csmfa] (MFA) for sensitive or high value transactional accounts
 11. Re-authenticate users prior to performing critical operations
-12. Enforce account disabling after an established number of invalid login attempts
+12. Enforce account disabling after an established number of invalid login attempts, or add a random tunable
+  delay for authentication failures to defer brute force attacks and protect against timing attacks
 13. Utilize authentication for connections to external systems that involve sensitive information or functions
 14. Authentication credentials for accessing services external to the application should be stored in a secure store
 15. Use only HTTP POST requests to transmit authentication credentials
@@ -33,7 +34,6 @@ and use the list below as suggestions for a checklist that has been tailored for
 20. Authentication failure responses should not give away the existent of user accounts by allowing the response time to
    differ, depending on whether a username exist or not. Use a DB transaction that looks for a fake user profile in case the
    username doesn't exist
-21. Add a random tunable delay for authentication failures to defer brute force attacks and protect against timing attacks
 
 #### 2. Passwords
 

docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md

@@ -32,6 +32,11 @@ and use the list below as suggestions for a checklist that has been tailored for
 7. Synchronize across nodes to ensure that timestamps are consistent
 8. All logging controls should be implemented on a trusted system
 9. Ensure that a mechanism exists to conduct log analysis
+10. Each log entry must includes necessary metadata (such as when, where, who, what) that would allow for a detailed
+  investigation of the timeline when an event happens
+11. Each log entry must include a time stamp, severity, tagging of security events,
+  identity of the account holder, trace id and span id that can be correlated against the end user's ip, event outcome,
+  event description
 
 #### 3. Monitoring