Resolve #2006 by clarifying 5.2.6

OWASP · Sep 9, 2024 · d89bb22 · d89bb22
1 parent c62454a
commit d89bb22
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md b/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md
@@ -126,7 +126,7 @@ reorg: move it to 1st chapter in the paragraph
 | # | Description | L1 | L2 | L3 | CWE |
 | :---: | :--- | :---: | :---: | :---: | :---: |
 | **5.6.1** | [ADDED] Verify that input is decoded or unescaped into a canonical form only once, it is only decoded when encoded data in that form is expected, and that this is done before processing the input further, for example it is not performed after input validation or sanitization. | ✓ | ✓ | ✓ | 174 |
-| **5.6.2** | [MODIFIED, MOVED FROM 1.5.3, LEVEL L2 > L1] Verify that the application is designed to enforce input validation at a trusted service layer. While client-side validation improves usability, security must not rely on it as it can be bypassed. | ✓ | ✓ | ✓ | 602 |
+| **5.6.2** | [MODIFIED, MOVED FROM 1.5.3, LEVEL L2 > L1] Verify that the application is designed to enforce input validation at a trusted service layer. While client-side validation improves usability, it must not be relied upon as a security control. | ✓ | ✓ | ✓ | 602 |
 | **5.6.3** | [MODIFIED, MOVED FROM 1.5.4] Verify that the application performs output encoding and escaping either as a final step before being used by the interpreter for which it is intended or by the interpreter itself. | | ✓ | ✓ | 116 |
 
 ## References

diff --git a/5.0/en/0x90-Appendix-A_Glossary.md b/5.0/en/0x90-Appendix-A_Glossary.md
@@ -47,7 +47,7 @@
 * **Threat Modeling** - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets.
 * **Transport Layer Security** (TLS) – Cryptographic protocols that provide communication security over a network connection.
 * **Trusted Platform Module** (TPM) - A type of HSM that is usually attached to a larger hardware component such as a motherboard and acts as the "root of trust" for that system.
-* **Trusted Service Layer** - Any trusted control enforcement point, such as a microservice, serverless API, server-side, a trusted API on a client device that has secure boot, partner or external APIs, and so on. Trusted means that we are not concerned that an untrusted user will be able to bypass the control.
+* **Trusted Service Layer** - Any trusted control enforcement point, such as a microservice, serverless API, server-side, a trusted API on a client device that has secure boot, partner or external APIs, and so on. Trusted means that we are not concerned that an untrusted user will be able to bypass or skip the layer or controls implemented at that layer.
 * **Two-factor authentication** (2FA) - This adds a second level of authentication to an account log-in.
 * **Universal 2nd Factor** (U2F) - One of the standards created by FIDO specifically for allowing a USB or NFC security key to be used as a 2nd authentication factor.
 * **URI/URL/URL fragments** – A Uniform Resource Identifier is a string of characters used to identify a name or a web resource. A Uniform Resource Locator is often used as a reference to a resource.