[Owasp-leaders] Grails / Groovy security references - OWASP or otherwise

William Stranathan will at thestranathans.com
Tue Dec 11 13:18:40 UTC 2012


Sounds like a good cheatsheet. Fortunately, Grails has a lot of stuff
built-in to help. Some really brief things off the top of my head:

* HTML/JavaScript/URL encode stuff as appropriate (see Manico's
presentation on encoding properly for the context).
* There are lots of built-in model validation constraints available to you
- use them. And not just "it must not be null" or "it must be less than 20
characters", but real format validation.
* Use useToken on forms.
* Do all the stuff listed in
http://grails.org/doc/latest/guide/single.html#security - it *really* is
pretty good, including XSRF prevention, although I think the "Guessable
IDs" section could use some fleshing out (make a map of the objects the
user should be able to access, check against that, or don't send PKs at
all - send keys into the map).

Will
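As an added illustration of the "Guessable IDs" and useToken advice in the list above (example code, not from the original post or from the Grails project): a Grails 2.x controller that hands the browser random per-session keys instead of primary keys, resolves them server-side against a map built only from the user's own objects, re-checks ownership, and wraps the state-changing action in withForm to pair with useToken. Assumed: an Account domain class with name, closed and a many-to-one owner property, and a hypothetical currentUserId() helper supplied by whatever authentication plugin is in use.

```groovy
// Added example (not from the original post). Assumes an Account domain class
// with name, closed and owner, plus a hypothetical currentUserId() helper.
class AccountController {

    // Hypothetical: adapt to your authentication plugin (e.g. Spring Security).
    private Long currentUserId() { session.userId as Long }

    // GET /account/list: build the key map and hand the view only the keys.
    def list() {
        Long uid = currentUserId()
        List<Account> accounts = Account.where { owner.id == uid }.list()
        Map<String, Long> keyMap = [:]
        List rows = accounts.collect { Account acct ->
            String key = UUID.randomUUID().toString()   // unguessable, per session
            keyMap[key] = acct.id
            [key: key, name: acct.name]                 // no id, no owner
        }
        session.accountKeys = keyMap                    // stays server-side
        [rows: rows]
    }

    // Resolve a submitted key. Keys absent from the map are rejected before
    // the database is touched, so enumerating ids gains nothing; the
    // ownership re-check guards against a stale session map.
    private Account resolveOwned(String key) {
        Map<String, Long> keyMap = (session.accountKeys ?: [:]) as Map
        Long id = keyMap[key]
        if (id == null) return null
        Account acct = Account.get(id)
        (acct && acct.owner?.id == currentUserId()) ? acct : null
    }

    // GET /account/show?key=...
    def show(String key) {
        Account acct = resolveOwned(key)
        if (!acct) { render(status: 404); return }
        [account: acct]
    }

    // POST /account/close from a <g:form useToken="true">: withForm rejects
    // replayed or cross-site submissions (Grails' built-in XSRF control).
    def close(String key) {
        withForm {
            Account acct = resolveOwned(key)
            if (!acct) { render(status: 404); return }
            acct.closed = true
            acct.save(flush: true)
            redirect(action: 'list')
        }.invalidToken {
            render(status: 403, text: 'Form token missing or already used')
        }
    }
}
```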

On Tue, Dec 11, 2012 at 4:24 AM, <owasp-leaders-request at lists.owasp.org> wrote:

>
> Today's Topics:
>
>    1. Your Organization (Tom Brennan)
>    2. Grails / Groovy security references - OWASP or otherwise
>       (Matt Tesauro)
>    3. Call for Trainers (Israel Bryski)
>    4. Purpose of Leaders List (Michael Coates)
>    5. Re: Good Code Advice Requested (Eoin)
>    6. Re: Good Code Advice Requested (Dennis Groves)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 10 Dec 2012 11:22:24 -0500
> From: Tom Brennan <tomb at owasp.org>
> To: Leaders OWASP <owasp-leaders at lists.owasp.org>
> Subject: [Owasp-leaders] Your Organization
> Message-ID: <91D7CBEC-A360-470B-8901-BC03BFC01B64 at owasp.org>
> Content-Type: text/plain; charset="us-ascii"
>
> Every month the OWASP Board and Staff meet to discuss OWASP. Today it's at
> 12pm EST, and it's the last one for 2012.
>
> See:
> https://www.owasp.org/index.php/Dec_10,_2012
>
> History/Meeting Mins
> https://www.owasp.org/index.php/OWASP_Board_Meetings
>
>
> Tom Brennan
> 973-202-0122
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 10 Dec 2012 14:38:18 -0600
> From: Matt Tesauro <matt.tesauro at owasp.org>
> To: owasp leaders list <owasp-leaders at lists.owasp.org>
> Subject: [Owasp-leaders] Grails / Groovy security references - OWASP
>         or otherwise
> Message-ID:
>         <CALKUk+N4cWtDsBTt=
> gpY4jn+ZLzXbY7vYtyn7rrJJhYSY8VqGQ at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I know I've seen several mentions of Grails and Groovy on various OWASP
> lists and I'm wondering if anyone out there has some good security
> references for Grails and/or Groovy.
>
> I've got a developer looking at this as a potential development platform
> and is asking about the security references as well as the security track
> record for Grails.  It's not an area I have any real experience in so I'm
> asking da leaders in hopes the community has more than my Google searching
> can turn up.
>
> Thanks.
>
> --
> -- Matt Tesauro
> OWASP Board Member
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
>
> ------------------------------
>
> Message: 3
> Date: Mon, 10 Dec 2012 16:47:46 -0500
> From: Israel Bryski <israel.bryski at owasp.org>
> To: owasp-leaders at lists.owasp.org
> Subject: [Owasp-leaders] Call for Trainers
> Message-ID:
>         <CAMT+AGKMaw3iSwrBNCZJ5+7=
> zqOTm1bGRpFxHZ8cdC3xVrx9qw at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Leaders,
>
>
> The NY and NJ OWASP Chapters will be hosting a full day training event
> during Q1 2013.
>
> Our Call for Trainers (CFT) is now open! If you would like to be a trainer,
> please complete this form:
> https://www.owasp.org/images/8/85/OWASP_CFT_Template-1-.doc and send to
> israel.bryski at owasp.org. Please review the results of our "Training Class
> Poll" <http://www.meetup.com/OWASP-NYC/polls/693722/> before selecting a
> topic and submitting your proposal.
>
>
> We will be taking a similar CFT approach for the upcoming AppSecUSA 2013
> conference in NYC. Details to follow in the coming months.
>
>
> Thanks,
>
> Israel
>
> ------------------------------
>
> Message: 4
> Date: Mon, 10 Dec 2012 17:09:14 -0800
> From: Michael Coates <michael.coates at owasp.org>
> To: OWASP Leaders <owasp-leaders at lists.owasp.org>
> Subject: [Owasp-leaders] Purpose of Leaders List
> Message-ID:
>         <
> CAKA9LHwsW3gHW2zhcVijVwtCT0dUnvMQj3RcT7rV3Tjk9TA0Pg at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Leaders,
>
> What do you want the OWASP leaders list to be used for?  Are you more
> interested in discussing application security techniques, OWASP projects,
> chapters, conferences & industry news?  Are you interested in OWASP
> governance and internals being discussed here?
>
> I ask because I'd like to find a place to regularly post notices of items
> being discussed at the board level, new ideas for governance and OWASP
> structure, OWASP budget and funds etc.  I realize some people may be
> interested in this information and want to contribute and others may not.
> I want to avoid having long threads on these topics in a place where the
> majority of people are just deleting the emails.
>
> So, my question is this - would you like OWASP governance items on the
> OWASP leaders list? Or would you prefer the creation of an OWASP-governance
> mailing list that would specifically focus on this item?
>
>
>
> Thanks!
>
>
> --
> Michael Coates | OWASP | @_mwc
> michael-coates.blogspot.com
>
> ------------------------------
>
> Message: 5
> Date: Tue, 11 Dec 2012 09:05:44 +0000
> From: Eoin <eoin.keary at owasp.org>
> To: Jim Manico <jim.manico at owasp.org>
> Cc: Leaders <owasp-leaders at lists.owasp.org>
> Subject: Re: [Owasp-leaders] Good Code Advice Requested
> Message-ID: <5D72A56C-6EC3-4931-9B2D-E553EF9C28B7 at owasp.org>
> Content-Type: text/plain;       charset=us-ascii
>
> +1
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 9 Dec 2012, at 20:31, Jim Manico <jim.manico at owasp.org> wrote:
>
> > One other note, CAPTCHA is not a security control - it's just a cost
> > barrier. Threat agents can easily leverage "mechanical Turk" services where
> > underneath the hood of malware or other attacks is a large team of people
> > resolving CAPTCHAs by hand all day. There is no way to defeat this.
> >
> > Also, some CAPTCHA systems, even audio, are vulnerable to automated
> resolution.
> >
> > Now a lot of folks use it, it IS a cost barrier for attackers.
> >
> > But please never use CAPTCHA for things like access control,
> authentication or other more robust security controls in code.
> >
> > Fair?
> >
> > Regards,
> > Jim Manico
> > OWASP Volunteer
> > @Manicode
> >
> >> Hi Petr, it sounds very interesting, but I'm not sure what the
> >> sub-project is or what type of feedback you are requesting.  Is it
> >> going to be an open-source tool project?  It appears that it's being
> >> offered as a service right now.  Also, I'm not sure how this is
> >> implemented.  The three examples you have on your website show how
> >> Good Code can be implemented with a CAPTCHA, but it's not clear how the
> >> process works or if Good Code provides both the CAPTCHA and the Email
> >> Service, or only the Email Service allowing people to use any CAPTCHA
> >> they want.  Could you provide a more detailed explanation of what Good
> >> Code does?
> >>
> >> Also, one other technical point.  Words and audio in CAPTCHAs are not
> >> "encrypted".  It would be more correct to say they are "distorted".
> >> Justin Searle
> >> Managing Partner - UtiliSec
> >> 801-784-2052
> >>
> >>
> >> On Wed, Dec 5, 2012 at 9:00 AM, Samantha Groves
> >> <samantha.groves at owasp.org> wrote:
> >>> Hello Leaders,
> >>>
> >>> This e-mail is from Petr Zavodsky from the OWASP Czech Republic. See below:
> >>>
> >>>
> >>> -------------------
> >>> Hi Leaders,
> >>>
> >>> New subproject "Dobry kod" (in English: "Good Code" :)) (a followup
> >>> part of OWASP Web Application Security Accessibility Project):
> >>>
> >>> http://www.dobrykod.cz/en/
> >>>
> >>> Users with sight impairment, dyslexia, and other similar conditions may
> >>> experience difficulties with reading the encrypted characters in the
> >>> picture of a CAPTCHA code.
> >>>
> >>> For this reason picture-based security tests can be supplemented with
> >>> audio version, where the sound is distorted to prevent unwanted bots from
> >>> accessing the information. Unfortunately, safely encrypted audio
> >>> recordings are less discernible or almost indiscernible even for users
> >>> with perfect hearing. Further difficulties can arise due to different
> >>> phonetic systems of the user's language and the language of the recording.
> >>>
> >>> Please, send me your questions, objections etc.
> >>>
> >>> Thanks,
> >>>
> >>> Petr Zavodsky
> >>>
> >>> OWASP Czech Republic
> >>> -------------------
> >>>
> >>> --
> >>>
> >>> Samantha Groves, MBA
> >>>
> >>> OWASP Project Manager
> >>>
> >>>
> >>> The OWASP Foundation
> >>>
> >>> London, United Kingdom
> >>>
> >>> Email: samantha.groves at owasp.org
> >>>
> >>> Skype: samanthahz
> >>>
> >>>
> >>> Book a Meeting with Me
> >>>
> >>> OWASP Contact US Form
> >>>
> >>> New Project Application Form
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> OWASP-Leaders mailing list
> >>> OWASP-Leaders at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 11 Dec 2012 09:17:05 +0000
> From: "Dennis Groves" <dennis.groves at owasp.org>
> To: Eoin <eoin.keary at owasp.org>
> Cc: Leaders <owasp-leaders at lists.owasp.org>
> Subject: Re: [Owasp-leaders] Good Code Advice Requested
> Message-ID: <BB90A1FB-DA98-4450-8E19-13B8A9C1E7FD at owasp.org>
> Content-Type: text/plain; format=flowed
>
> I know I am a bit extreme - however, for my part it almost always
> takes me 3-4 attempts to solve captchas because they have become so
> convoluted and extreme in their attempts to defeat the many automated
> resolvers. As such, when I encounter a captcha I often will not join
> your site or purchase your product as I didn't really need it that badly
> in the first place.
>
> Dennis
>
> --
> [Dennis Groves](http://about.me/dennis.groves), MSc
> [Email me](mailto:dennis.groves at owasp.org) or [schedule a
> meeting](http://goo.gl/8sPIy).
>
> *This email is licensed under a [CC BY-ND
> 3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*
>
> **Please do not send me Microsoft Office/Apple iWork documents.**
> Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
> Stand up for your freedom to install [free
> software](http://www.fsf.org/campaigns/secure-boot/statement).
>
>
>
> ------------------------------
>
>
>
> End of OWASP-Leaders Digest, Vol 80, Issue 13
> *********************************************
>



-- 
-- coleslaw