add OpenCRE to DevGuide

.wordlist.txt

@@ -505,6 +505,8 @@ incrementing
 WHATWG
 OpenCRE
 opencre
+LLM
+SDLCs
 br
 Andreas
 Happe

_data/draft.yaml

@@ -32,7 +32,7 @@ docs:
   url: requirements/risk_profile
 
 - title: '3.3 OpenCRE and Integration Standards'
-  url: requirements/integration_standard_opencre
+  url: requirements/opencre_integration_standard
 
 - title: '3.4 SecurityRAT'
   url: requirements/security_rat

_data/release.yaml

@@ -32,7 +32,7 @@ docs:
   url: requirements/risk_profile
 
 - title: '3.3 OpenCRE and Integration Standards'
-  url: requirements/integration_standard_opencre
+  url: requirements/opencre_integration_standard
 
 - title: '3.4 SecurityRAT'
   url: requirements/security_rat

draft/03-introduction.md

@@ -52,13 +52,20 @@ Instead the content of the Developer Guide aims to be accessible, introducing  p
 and providing enough detail to get developers started on various OWASP tools and documents.
 
 All of the OWASP projects and tools described in this guide are free to download and use.
-All OWASP projects are open source; do get involved if you are interested in improving application security.
+All OWASP projects are open source; please do get involved if you are interested in improving application security.
 
 #### Audience
 
-The OWASP Developer Guide has been written by the security community to help software developers write solid,
+Developers should use this OWASP Developer Guide to help write applications that are more secure.
+The guide has been written by the security community to help software developers write solid,
 safe and secure applications.
-Developers should try and be familiar with most of this guide; it will help to write applications that are more secure.
+Most of the contributors to this guide are also software developers as well as security engineers,
+and this helps to keep the focus developer centric.
+
+If you are in a hurry and want information on a specific subject then
+try the [OpenCRE chat][opencrechat] LLM for immediate answers.
+
+#### What is the Developer Guide?
 
 You can think of this guide as a cross-reference source to the many tools and documents that OWASP provide for developers.
 
@@ -69,10 +76,10 @@ Or you can regard the purpose of this guide as answering the question:
 Or think of it as a collection of articles that introduce developers to the wide domain of application security.
 
 Or you can regard this guide as a companion document to the OWASP [Integration Standards][intstand] project:
-the Application Security Wayfinder mapping out the many OWASP tools,
-projects and documents with the Developer Guide providing some context.
+the Application Security Wayfinder maps out the many tools,
+projects and documents within OWASP and the Developer Guide provides some 'wordy' context.
 
-[![ApplSec Wayfinder](../../assets/images/owasp-wayfinder.png "OWASP Application Security Wayfinder")][intstand]
+[![AppSec Wayfinder](../../assets/images/owasp-wayfinder.png "OWASP Application Security Wayfinder")][intstand]
 
 ----
 
@@ -81,9 +88,10 @@ then [submit an issue][issue03] or [edit on GitHub][edit03].
 
 [about]: https://owasp.org/about/
 [edit03]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/03-introduction.md
+[intstand]: https://owasp.org/www-project-integration-standards/
 [issue03]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2003-introduction
+[opencrechat]: https://www.opencre.org/chatbot
 [samm]: https://owaspsamm.org/about/
 [versions]: https://github.com/OWASP/DevGuide/wiki#old-versions
-[intstand]: https://owasp.org/www-project-integration-standards/
 
 \newpage

draft/05-requirements/03-opencre.md

@@ -0,0 +1,130 @@
+---
+
+title: OpenCRE and Integration Standards
+layout: col-document
+tags: OWASP Developer Guide
+contributors: Jon Gadsden
+document: OWASP Developer Guide
+order: 503
+permalink: /draft/requirements/opencre_integration_standard/
+
+---
+
+{% include breadcrumb.html %}
+
+[OpenCRE logo](../../../assets/images/logos/opencre.png "OWASP OpenCRE"){: height="180px" }
+
+### 3.3 OpenCRE
+
+The [Open Common Requirement Enumeration][opencre] (OpenCRE) is a catalog of security requirements:
+enumerating security topics and providing links to various standards, cheat sheets and guides.
+
+The OWASP [Integration Standards][intstand] project includes both the OpenCRE and Security
+and the Application Security Wayfinder, it is an OWASP documentation project with production status.
+
+#### What is the Integration Standards project?
+
+The [Integration Standards][intstand] project is at the centre of the OWASP project community;
+it provides guidance on how to navigate and use the many projects within OWASP.
+It does this in two ways, first is the [Application Security Wayfinder][intstand] which provides a visual map
+of the most important OWASP projects - as of August 2024 there are 345 [OWASP projects][projects]
+so this is a really useful visualization.
+The second is the Open Common Requirement Enumeration ([OpenCRE][opencre]) which provides a consolidated reference of
+standards, cheat sheets, tools and other enumerations (such as [CWE][cwe]).
+
+The Integration Standards project has also produced OWASP [Application Security Fragmentation][sdlc]
+write-up on OWASP and the secure Software Development LifeCycle (SDLC).
+This provides an overview of tools and techniques used for most SDLCs.
+
+#### What is OpenCRE?
+
+[OpenCRE][opencre] is a catalog, or enumeration, of various standards and reference material, including:
+
+* [CAPEC][capecocre]
+* [CWE][cweocre]
+* [NIST Special Publications][nist] [800-53][nist53] and [800-63][nist63]
+* OWASP [ASVS][asvs]
+* OWASP [Top10][top10ocre]
+* OWASP [Proactive Controls][proactiveocre]
+* OWASP [Cheat Sheets][csocre]
+* OWASP [WSTG][wstgocre]
+* [ZAP][zapocre] from [Crash Override][crash]
+
+The aim of this project is to 'Link all the things with OpenCRE' which will:
+
+* make it easier for engineers, security officers, testers and procurement to find relevant information
+* make it easier for standards makers to create and maintain references
+
+#### Why use OpenCRE?
+
+OpenCRE: 'Everything organized'
+
+[OpenCRE][opencre] is a powerful tool that can provide developers with links to many resources, and is easy to use.
+It provides a one-stop consolidated set of references on various security terms and domains,
+and crucially these are automatically kept up to date.
+The provides a handy security catalog that can be searched for various standards or security terms.
+
+As well as being useful for day to day security questions,
+the OpenCRE can also be used as the reference section in documentation;
+linking across to the OpenCRE rather than providing a list of references means the links are kept up to date automatically.
+
+#### How to use OpenCRE
+
+The [OpenCRE][opencre] catalog can be accessed in traditional ways such as using searches or linking across to it.
+For example OpenCRE references to the Common Weakness Enumeration can be accessed using the [search facility][cweocre]
+or by linking across directly to a [specific Open Common Requirement][cwe1002].
+
+OpenCRE is also useful when providing references in documentation.
+OpenCRE can be used for these references instead of listing various references to a security concept or requirement.
+This will provide links to standards, cheat sheets, tools and other enumerations -
+along with other sources that have been added over time - and all kept up to date.
+So no more broken links or referring to out of date versions :)
+
+This is now the age of large language models, and OpenCRE has embraced this technology.
+Immediate answers to security questions or searches can be provided by [OpenCRE Chat][opencrechat].
+
+For example, in answer to the question "_what use is the OWASP Developer Guide?_"
+OpenCRE Chat provides the agreeable answer:
+
+_"The OWASP Developer Guide provides a comprehensive overview of application security risks and how to mitigate them._
+_It covers topics such as input validation, output encoding, secure coding practices, and secure design principles._
+_The guide is a valuable resource for developers who want to create secure applications."_
+
+#### References
+
+* OWASP [OpenCRE][opencre]
+* [Spotlight on OpenCRE][spotlight28]
+* OWASP [Application Security Fragmentation][sdlc]
+* OWASP [Integration Standards][intstand] project
+* [Understanding the Complete Chain of Application Security Using OpenCRE org][opencretalk]
+
+----
+
+The OWASP Developer Guide is a community effort; if there is something that needs changing
+then [submit an issue][issue0503] or [edit on GitHub][edit0503].
+
+[asvs]: https://owasp.org/www-project-application-security-verification-standard/
+[capecocre]: https://opencre.org/search/CAPEC
+[crash]: https://crashoverride.com/
+[csocre]: https://opencre.org/search/OWASP%20Cheat%20Sheets
+[cweocre]: https://opencre.org/search/CWE
+[cwe]: https://cwe.mitre.org/
+[cwe1002]: https://www.opencre.org/node/standard/CWE/sectionid/1002
+[edit0503]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/05-requirements/03-opencre.md
+[intstand]: https://owasp.org/www-project-integration-standards/
+[issue0503]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2005-requirements/03-opencre
+[nist]: https://csrc.nist.gov/
+[nist53]: https://www.nist.gov/privacy-framework/nist-privacy-framework-and-cybersecurity-framework-nist-special-publication-800-53
+[nist63]: https://pages.nist.gov/800-63-3/
+[opencre]: https://www.opencre.org/
+[opencrechat]: https://www.opencre.org/chatbot
+[opencretalk]: https://www.youtube.com/watch?v=VPOkT9quve0
+[proactiveocre]: https://www.opencre.org/search/Proactive%20Controls
+[projects]: https://owasp.org/projects/
+[sdlc]: https://owasp.org/www-project-integration-standards/writeups/owasp_in_sdlc/
+[spotlight28]: https://www.youtube.com/watch?v=TwNroVARmB0&list=PLUKo5k_oSrfOTl27gUmk2o-NBKvkTGw0T
+[top10ocre]: https://www.opencre.org/search/OWASP%20Top%2010
+[wstgocre]: https://opencre.org/search/WSTG
+[zapocre]: https://opencre.org/search/ZAP
+
+\newpage

draft/05-requirements/toc.md

@@ -44,7 +44,7 @@ Sections:
 
 3.1 [Requirements in practice](01-requirements.md)  
 3.2 [Risk profile](02-risk.md)  
-3.3 [OpenCRE](03-int-stand.md)  
+3.3 [OpenCRE](03-opencre.md)  
 3.4 [SecurityRAT](04-security-rat.md)  
 3.5 [Application Security Verification Standard](05-asvs.md)  
 3.6 [Mobile Application Security](06-mas.md)  

draft/13-security-gap-analysis/01-guides/01-samm.md

@@ -73,7 +73,7 @@ The OWASP Spotlight series provides an overview of using the SAMM:
 'Project 9 - [Software Assurance Maturity Model (SAMM)][spotlight09]'.
 
 Security gap analysis can benefit from an assessment which measures the quality of the software assurance maturity process.
-The [SAMM Assessment][samma] tools include spreadsheets and online tools such as [SAMMwise][samwise] and [SAMMY][sammy].
+The [SAMM Assessment][samma] tools include spreadsheets and online tools such as [SAMMwise][sammwise] and [SAMMY][sammy].
 
 The SAMM model describes these fundamentals of software security, which it calls Business Functions.
 Each of these five fundamentals are further split into three Business Practices:
@@ -124,7 +124,7 @@ then [submit an issue][issue130101] or [edit on GitHub][edit130101].
 [sammvrt]: https://owaspsamm.org/model/verification/requirements-driven-testing/
 [sammvst]: https://owaspsamm.org/model/verification/security-testing/
 [samm-project]: https://owasp.org/www-project-samm/
-[samwise]: https://github.com/owaspsamm/sammwise
+[sammwise]: https://github.com/owaspsamm/sammwise
 [sammy]: https://sammy.codific.com/
 [spotlight09]: https://youtu.be/N0zcZnkH5Wg
 

draft/toc.md

@@ -32,7 +32,7 @@ This draft version has the latest contributions to the Developer Guide so expect
 3 **[Requirements](05-requirements/toc.md)**  
 3.1 [Requirements in practice](05-requirements/01-requirements.md)  
 3.2 [Risk profile](05-requirements/02-risk.md)  
-3.3 [OpenCRE](05-requirements/03-int-stand.md)  
+3.3 [OpenCRE](05-requirements/03-opencre.md)  
 3.4 [SecurityRAT](05-requirements/04-security-rat.md)  
 3.5 [Application Security Verification Standard](05-requirements/05-asvs.md)  
 3.6 [Mobile Application Security](05-requirements/06-mas.md)  

release/05-requirements/03-int-stand.md → release/05-requirements/03-opencre.md

@@ -6,7 +6,7 @@ tags: OWASP Developer Guide
 contributors: Jon Gadsden
 document: OWASP Developer Guide
 order: 5030
-permalink: /release/requirements/integration_standard_opencre/
+permalink: /release/requirements/opencre_integration_standard/
 
 ---
 
@@ -29,7 +29,7 @@ permalink: /release/requirements/integration_standard_opencre/
 The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0503] or [edit on GitHub][edit0503].
 
-[edit0503]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/05-requirements/03-int-stand.md
-[issue0503]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2005-requirements/03-int-stand
+[edit0503]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/05-requirements/03-opencre.md
+[issue0503]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2005-requirements/03-opencre
 
 \newpage