[Owasp-leaders] Grails / Groovy security references - OWASP or otherwise

Matt Tesauro matt.tesauro at owasp.org
Tue Dec 11 19:19:15 UTC 2012


Thanks to everyone who pinged me directly or on the list.

I went ahead and added some references to the early draft of Grails Secure
Code Review Cheat Sheet:
https://www.owasp.org/index.php/Grails_Secure_Code_Review_Cheat_Sheet

All: Feel free to chime in on that cheat sheet.

Cheers!

--
-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site



On Tue, Dec 11, 2012 at 7:18 AM, William Stranathan <will at thestranathans.com> wrote:

>
> Sounds like a good cheatsheet. Fortunately, Grails has a lot of stuff
> built-in to help. Some really brief things off the top of my head:
>
> * HTML/JavaScript/URL encode stuff as appropriate (see Manico's
> presentation on encoding properly for the context).
> * There are lots of built-in model validation constraints available to you
> - use them. And not just "it must not be null" or "it must be less than 20
> characters", but real format validation.
> * Use useToken on Forms
> * Do all the stuff listed in
> http://grails.org/doc/latest/guide/single.html#security - it *really* is
> pretty good, including XSRF prevention, although I think the "Guessable
> ID's" section could use some fleshing out (make a map of the objects the
> user should be able to access, check against that, or don't send PKs at
> all - send keys into the map).
>
> Will
>
> [snip]
>
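The three points in Will's reply, sketched as an added Grails example (this is editor-added illustration, not code from the thread, the cheat sheet, or the Grails project): a domain class with real format constraints rather than just nullable/size checks, a controller action guarded by `withForm` (the server side of `useToken`), and a per-session map that hands the browser opaque keys instead of primary keys, which is the "make a map of the objects the user should be able to access" idea for the Guessable IDs section. The class names `Document`, `DocumentController` and `DocumentReferenceMap`, the session attributes `docRefs` and `userEmail`, and Grails 2.x conventions are all assumptions.

```groovy
import java.util.UUID

// --- 1. Real format validation (assumed domain class) ---
// Constraints are enforced by validate()/save(); a bad slug or e-mail never reaches the DB.
class Document {
    String title
    String ownerEmail
    String slug

    static constraints = {
        title      blank: false, maxSize: 120
        ownerEmail email: true, blank: false
        // Pin the format, not just the length: lowercase letters, digits and dashes only.
        slug       matches: /[a-z0-9-]{3,40}/
    }
}

// --- 2. Indirect references instead of raw PKs (assumed helper, kept in the session) ---
// Maps an opaque random key -> real database id. Only the key is ever sent to the browser,
// and only ids the current user was shown get a key, so the map doubles as the access check.
class DocumentReferenceMap {
    private final Map<String, Long> refs = [:]

    /** Register an object the current user may access and return its opaque key. */
    String keyFor(Long id) {
        String existing = refs.find { it.value == id }?.key
        if (existing) return existing
        String key = UUID.randomUUID().toString()   // random, not derived from the id
        refs[key] = id
        return key
    }

    /** Resolve a submitted key; null means "not in this user's map", i.e. deny. */
    Long resolve(String key) {
        return refs[key]
    }
}

// --- 3. Controller (assumed): useToken on the form, withForm on the action ---
class DocumentController {

    // List view: only the user's own documents are looked up, and each row carries
    // its opaque key rather than doc.id.
    def list() {
        DocumentReferenceMap refMap = referenceMap()
        def docs = Document.findAllByOwnerEmail(currentUserEmail())
        def rows = docs.collect { doc -> [key: refMap.keyFor(doc.id), title: doc.title] }
        [rows: rows]
    }

    // Handles the POST from <g:form action="update" useToken="true">. withForm rejects
    // a request whose synchronizer token is missing, expired or already used (XSRF and
    // double-submit), and the key lookup rejects any object not listed for this user.
    def update() {
        withForm {
            Long id = referenceMap().resolve(params.key)
            if (id == null) {
                render(status: 403, text: 'Unknown reference')
                return
            }
            Document doc = Document.get(id)
            // Bind only the fields the form is allowed to change; constraints run on save().
            doc.properties['title', 'slug'] = params
            if (!doc.save(flush: true)) {
                render(view: 'edit', model: [document: doc])
                return
            }
            redirect(action: 'list')
        }.invalidToken {
            render(status: 400, text: 'Form token missing, expired, or reused')
        }
    }

    private DocumentReferenceMap referenceMap() {
        if (!session.docRefs) session.docRefs = new DocumentReferenceMap()
        return session.docRefs
    }

    // Assumption: the authenticated user's e-mail is already in the session; a real
    // application would take this from its security plugin instead.
    private String currentUserEmail() { session.userEmail }
}
```

The matching GSP form is `<g:form action="update" useToken="true">` with the opaque key in a hidden `key` field. Because the key is random and the map lives in the user's own session, a modified key in the request can only ever resolve to an object that was already listed for that user or to `null`, which the action refuses; the map is discarded with the session on logout.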