Document update - Added serialization to Security section

geode-book/master_middleman/source/subnavs/geode-subnav.erb

@@ -159,6 +159,9 @@ limitations under the License.
                                     </li>
                                 </ul>
                             </li>
+                            <li>
+                                <a href="/docs/guide/<%=vars.product_version_nodot%>/security/serialization.html">Serialization</a>
+                            </li>
                         </ul>
             </li>
 

geode-docs/security/chapter_overview.html.md.erb

@@ -48,3 +48,7 @@ The security framework permits authentication of connecting components and autho
 -   **[SSL](../security/ssl_overview.html)**
 
     SSL protects your data in transit between applications.
+
+-   **[Serialization](../security/serialization.html)**
+
+    This section describes the serialization mechanisms available in Apache Geode, including global serialization filters and PDX serialization.

geode-docs/security/implementing_security.html.md.erb

@@ -37,6 +37,8 @@ SSL-based, rather than plain socket connections.
 You can enable SSL separately for peer-to-peer, client, JMX, gateway senders and receivers, and HTTP connections.
 -   **Post processing of region data**. Return values for operations that
 return region values may be formatted.
+-   **Serialization**. Control and filter object serialization, particularly 
+ in the context of security and performance.
 
 ## Overview
 

geode-docs/security/security_model.html.md.erb

@@ -22,9 +22,10 @@ Every component of Apache Geode is built with security considerations as a top p
 solutions require user-specific design and implementation. Geode's default configuration combines maximum flexibility
 and performance without any input needed from the user. Because of this, certain security measures like 
 **[authentication](authentication_overview.html)**, 
-**[authorization](authorization_overview.html)** and 
+**[authorization](authorization_overview.html)**,
+**[serialization](../security/serialization.html)** and 
 **[over-the-wire encryption](ssl_overview.html)** 
-are absent from a default Geode installation. 
+are absent from a default Geode installation.
 It is highly recommended that users review Geode's security capabilities and implement them as they see fit. See the 
 **[Security Implementation Introduction and Overview](implementing_security.html)**
 to get started with Apache Geode security.
@@ -33,3 +34,4 @@ Additional documentation related to security can be found on Apache Geode Wiki
 
 [Geode Security Framework](https://cwiki.apache.org/confluence/display/GEODE/Geode+Security+Framework) and 
 [Geode Integrated Security](https://cwiki.apache.org/confluence/display/GEODE/Geode+Integrated+Security).
+

geode-docs/security/serialization.html.md.erb

@@ -0,0 +1,54 @@
+---
+title:  Serialization
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+Apache Geode offers mechanisms to control and filter object serialization, particularly 
+ in the context of security and performance. This is primarily achieved through:
+
+
+##  Global Serialization Filter (Java)
+
+For deployments using Java, a global serialization filter can be enabled to restrict the types of objects that can be serialized and 
+deserialized within the Geode process. This helps mitigate risks associated with deserialization of untrusted data, a common vulnerability.
+
+- To enable this, the Java system property `geode.enableGlobalSerialFilter` is set to true when starting Geode locators and servers.
+
+- Additionally, the `serializable-object-filter` configuration option, used in conjunction with `validate-serializable-objects,` is used to 
+specify a whitelist of user-defined classes that are allowed to be serialized/deserialized, in addition to standard JDK and Geode classes. 
+ This allows for fine-grained control over which custom objects are permitted in the system.
+
+##  PDX Serialization
+
+Apache Geode's Portable Data eXchange (PDX) serialization offers a more robust and flexible approach to data serialization, providing features
+like schema evolution and language independence. While not a "filter" in the same sense as the global serialization filter, PDX provides control
+over how objects are serialized and deserialized.
+
+- **PdxSerializer:** You can implement a custom `PdxSerializer` to define how specific domain objects are serialized and deserialized, allowing
+ for selective handling of fields or transformations during the process.
+
+- **Reflection-Based Auto-Serialization:** PDX also supports automatic reflection-based serialization, where Geode can serialize objects without
+ requiring explicit implementation of `PdxSerializable` in your domain classes. This can be configured to include or exclude specific types based
+  on criteria like package names, providing a form of type filtering.
+
+
+
+
+ In conclusion, Apache Geode provides serialization filtering capabilities through a global filter for security hardening in Java 8 environments and
+   through the flexible configurations of PDX serialization for fine-grained control over data handling and type inclusion/exclusion.