Update patch set 1

Patch Set 1: Workflow-1

(7 comments)

Added some comments about things that I feel need some work. 

Additionally it is worth mentioning that we have not covered a number of topics that have resulted in OSSA's. Specifically 

XML usage
Constant time compare using hmac

Could also add null byte poisoning in bcrypt as another example (although pretty contrived).

Patch-set: 1
Label: Workflow=-1

1430520eaebf7a587b582cb98b66812dd4c0b796

@@ -1,5 +1,22 @@
 {
   "comments": [
+    {
+      "key": {
+        "uuid": "1aca2d91_4a2bec94",
+        "filename": "doc/source/guidelines/dg_avoid-dangerous-input-parsing-libraries.rst",
+        "patchSetId": 1
+      },
+      "lineNbr": 40,
+      "author": {
+        "id": 7473
+      },
+      "writtenOn": "2015-05-07T20:45:54Z",
+      "side": 1,
+      "message": "Potentially add a pickle example ?",
+      "revId": "1430520eaebf7a587b582cb98b66812dd4c0b796",
+      "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543",
+      "unresolved": false
+    },
     {
       "key": {
         "uuid": "1aca2d91_992164b7",
@@ -51,6 +68,23 @@
       "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543",
       "unresolved": false
     },
+    {
+      "key": {
+        "uuid": "1aca2d91_cab37ce8",
+        "filename": "doc/source/guidelines/dg_cross-site-request-forgery-csrf.rst",
+        "patchSetId": 1
+      },
+      "lineNbr": 19,
+      "author": {
+        "id": 7473
+      },
+      "writtenOn": "2015-05-07T20:45:54Z",
+      "side": 1,
+      "message": "This is a very great example IMO. \n\nWhat about adding instructions on how to setup CSRF tokens in django and other frameworks.",
+      "revId": "1430520eaebf7a587b582cb98b66812dd4c0b796",
+      "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543",
+      "unresolved": false
+    },
     {
       "key": {
         "uuid": "1aca2d91_2c757097",
@@ -85,6 +119,57 @@
       "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543",
       "unresolved": false
     },
+    {
+      "key": {
+        "uuid": "1aca2d91_0ae174d0",
+        "filename": "doc/source/guidelines/dg_cross-site-scripting-xss.rst",
+        "patchSetId": 1
+      },
+      "lineNbr": 40,
+      "author": {
+        "id": 7473
+      },
+      "writtenOn": "2015-05-07T20:45:54Z",
+      "side": 1,
+      "message": "We should be using Python in all code examples",
+      "revId": "1430520eaebf7a587b582cb98b66812dd4c0b796",
+      "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543",
+      "unresolved": false
+    },
+    {
+      "key": {
+        "uuid": "1aca2d91_6a4a28c7",
+        "filename": "doc/source/guidelines/dg_parameterize-database-queries.rst",
+        "patchSetId": 1
+      },
+      "lineNbr": 47,
+      "author": {
+        "id": 7473
+      },
+      "writtenOn": "2015-05-07T20:45:54Z",
+      "side": 1,
+      "message": "I don\u0027t think that this query will actually result in SQL injection. the example you have will result in: \n\nselect username from users where username \u003d \u0027jsmith or 1\u003d1\u0027\n\nshould be: \n\nmyvar \u003d \"jsmith\u0027 or \u00271\u003d1\"",
+      "revId": "1430520eaebf7a587b582cb98b66812dd4c0b796",
+      "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543",
+      "unresolved": false
+    },
+    {
+      "key": {
+        "uuid": "1aca2d91_0a1614a7",
+        "filename": "doc/source/guidelines/dg_parameterize-database-queries.rst",
+        "patchSetId": 1
+      },
+      "lineNbr": 72,
+      "author": {
+        "id": 7473
+      },
+      "writtenOn": "2015-05-07T20:45:54Z",
+      "side": 1,
+      "message": "There are examples for just about ever database apart from sqlite. Since sqlite is a part of the standard Python library we should have an example for it.",
+      "revId": "1430520eaebf7a587b582cb98b66812dd4c0b796",
+      "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543",
+      "unresolved": false
+    },
     {
       "key": {
         "uuid": "1aca2d91_ef440a75",
@@ -153,6 +238,23 @@
       "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543",
       "unresolved": false
     },
+    {
+      "key": {
+        "uuid": "1aca2d91_eae8787e",
+        "filename": "doc/source/guidelines/dg_strong-crypto.rst",
+        "patchSetId": 1
+      },
+      "lineNbr": 38,
+      "author": {
+        "id": 7473
+      },
+      "writtenOn": "2015-05-07T20:45:54Z",
+      "side": 1,
+      "message": "I don\u0027t believe this is sufficient recommendations. We should provide recommendations around things like: \n\nHow to store password - bcrypt, scrypt, etc etc.\nWhich cipher suites to enable. \n\nI would also suggest adding some instruction for contacting the security team for advice cryptography implementations.",
+      "revId": "1430520eaebf7a587b582cb98b66812dd4c0b796",
+      "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543",
+      "unresolved": false
+    },
     {
       "key": {
         "uuid": "1aca2d91_4a476c4b",
@@ -170,6 +272,23 @@
       "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543",
       "unresolved": false
     },
+    {
+      "key": {
+        "uuid": "1aca2d91_ea6d1805",
+        "filename": "doc/source/guidelines/dg_validate-certificates.rst",
+        "patchSetId": 1
+      },
+      "lineNbr": 11,
+      "author": {
+        "id": 7473
+      },
+      "writtenOn": "2015-05-07T20:45:54Z",
+      "side": 1,
+      "message": "This is a bit of a contrived example. We should clearly outline the versions of the modules within the Python standard library that are affected by a verify\u003dFalse type configuration by DEFAULT. \n\n(I think httplib etc prior to Python 2.7.9?)",
+      "revId": "1430520eaebf7a587b582cb98b66812dd4c0b796",
+      "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543",
+      "unresolved": false
+    },
     {
       "key": {
         "uuid": "1aca2d91_aa97208f",