chore: Apply discussed PR changes

PauloASilva · PauloASilva · commit e16e0e266335 · 2019-09-25T11:03:04.000+01:00
diff --git a/2019/en/src/0xa3-excessive-data-exposure.md b/2019/en/src/0xa3-excessive-data-exposure.md
@@ -42,8 +42,12 @@ the site.
 * Never rely on the client side to perform sensitive data filtering.
 * Review the responses from the API to make sure they contain only legitimate
   data.
-* Explicitly define and enforce data returned by all API methods including errors: give all JSON objects schemas, all string objects patterns, use clear field names.
-* Define all sensitive and personally identifiable information (PII) that your application stores and works with and review all API calls returning such information to see if these responses can be a security issue.
+* Explicitly define and enforce data returned by all API methods, including
+  errors. Whenever possible: use schemas for responses, patterns for all strings
+  and clear field names.
+* Define all sensitive and personally identifiable information (PII) that your
+  application stores and works with and review all API calls returning such
+  information to see if these responses can be a security issue.
 
 ## References
 
diff --git a/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md b/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md
@@ -49,14 +49,19 @@ errors.
   [file descriptors, and processes][4].
 * Implement a limit on how often a client can call the API within a defined
   timeframe.
-* For sensitive operations such as login or password reset, consider rate limits by API method (for example, authentication), client (for example, IP address), property (for example, username).
+* For sensitive operations such as login or password reset, consider rate limits
+  by API method (e.g., authentication), client (e.g., IP address), property
+  (e.g., username).
 * Notify the client when the limit is exceeded by providing the limit number and
   the time at which the limit will be reset.
 * Add proper server-side validation for query string and request body
   parameters, specifically the one that controls the number of records to be
   returned in the response.
-* Define and enforce maximum size of data on all incoming parameters and payloads such as maximum length for strings and maximum number of elements in arrays.
-* If your API accepts zip files check compression ratios before expanding the files to protect yourself against "zip bombs".
+* Define and enforce maximum size of data on all incoming parameters and
+  payloads such as maximum length for strings and maximum number of elements in
+  arrays.
+* If your API accepts compressed files check compression ratios before expanding
+  the files to protect yourself against "zip bombs".
 
 ## References
 
diff --git a/2019/en/src/0xa6-mass-assignment.md b/2019/en/src/0xa6-mass-assignment.md
@@ -75,7 +75,8 @@ shell command injection once the attacker downloads the video as MP4.
 * Whitelist only the properties that should be updated by the client.
 * Use built-in features to blacklist properties that should not be accessed by
   clients.
-* In API contracts, explicitly define and enforce schemas for all JSON payloads.
+* If applicable, explicitly define and enforce schemas for the input data
+  payloads.
 
 ## References
 
diff --git a/2019/en/src/0xa7-security-misconfiguration.md b/2019/en/src/0xa7-security-misconfiguration.md
@@ -65,7 +65,9 @@ The API life cycle should include:
   assets (e.g., images).
 * An automated process to continuously assess the effectiveness of the
   configuration and settings in all environments.
-* To prevent exception traces and other valuable information from being sent back to attackers, define and enforce all API response payload schemas including error responses.
+* To prevent exception traces and other valuable information from being sent
+  back to attackers, if applicable, define and enforce all API response payload
+  schemas including error responses.
 
 ## References
 
diff --git a/2019/en/src/0xb0-next-devs.md b/2019/en/src/0xb0-next-devs.md
@@ -15,7 +15,7 @@ comprehensive list of available projects.
 
 | | |
 |-|-|
-| **Education** | You can start reading [OWASP Education Project materials][2] according to your profession and interest. For hands-on learning, we added **crAPI** - **C**ompletely **R**idiculous **API** on [our roadmap][3]. Meanwhile, you can practice WebAppSec using the [OWASP DevSlop Pixi Module][4], a vulnerable WebApp and API service intent to teach users how to test modern web applications and API's for security issues, and how to write more secure API's in the future. You can also attend [OWASP AppSec Conference][5] training sessions, or [join your local chapter][6]. Read about the latest API vulnerabilities and breaches at [APIsecurity.io][15]|
+| **Education** | You can start reading [OWASP Education Project materials][2] according to your profession and interest. For hands-on learning, we added **crAPI** - **C**ompletely **R**idiculous **API** on [our roadmap][3]. Meanwhile, you can practice WebAppSec using the [OWASP DevSlop Pixi Module][4], a vulnerable WebApp and API service intent to teach users how to test modern web applications and API's for security issues, and how to write more secure API's in the future. You can also attend [OWASP AppSec Conference][5] training sessions, or [join your local chapter][6]. |
 | **Security Requirements** | Security should be part of every project from the beginning. When doing requirements elicitation, it is important to define what "secure" means for that project. OWASP recommends you use the [OWASP Application Security Verification Standard (ASVS)][7] as a guide for setting the security requirements. If you're outsourcing, consider the [OWASP Secure Software Contract Annex][8], which should be adapted according to local law and regulations. |
 | **Security Architecture** | Security should remain a concern during all the project stages. The [OWASP Prevention Cheat Sheets][9] are a good starting point for guidance on how to design security in during the architecture phase. Among many others, you'll find the [REST Security Cheat Sheet][10] and the [REST Assessment Cheat Sheet][11]. |
 | **Standard Security Controls** | Adopting Standard Security Controls reduces the risk of introducing security weaknesses while writing your own logic. Despite the fact that many modern frameworks now come with built-in standard effective controls, [OWASP Proactive Controls][12] gives you a good overview of what security controls you should look to include in your project. OWASP also provides some libraries and tools you may find valuable, such as validation controls. |
@@ -35,4 +35,3 @@ comprehensive list of available projects.
 [12]: https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Proactive_Controls_2018
 [13]: https://www.owasp.org/index.php/OWASP_SAMM_Project
 [14]: https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
-[15]: https://APIsecurity.io
