[Owasp-leaders] Grails / Groovy security references - OWASP or otherwise
matt.tesauro at owasp.org
Tue Dec 11 19:19:15 UTC 2012
Thanks to everyone who pinged me directly or on the list.
I went ahead and added some references to the early draft of the Grails Secure
Code Review Cheat Sheet:
All: Feel free to chime in on that cheat sheet.
-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://AppSecLive.org - Community and Download site
On Tue, Dec 11, 2012 at 7:18 AM, William Stranathan <will at thestranathans.com> wrote:
> Sounds like a good cheatsheet. Fortunately, Grails has a lot of stuff
> built-in to help. Some really brief things off the top of my head:
> presentation on encoding properly for the context).
> * There are lots of built-in model validation constraints available to you
> - use them. And not just "it must not be null" or "it must be less than 20
> characters", but real format validation.
> * Use useToken on Forms
> * Do all the stuff listed in
> http://grails.org/doc/latest/guide/single.html#security - it *really* is
> pretty good, including XSRF prevention, although I think the "Guessable
> ID's" section could use some fleshing out (make a map of the objects the
> user should be able to access, check against that, or don't send PK's at
> all - send keys into the map).
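As an added example (written for this page; it is not code from the original post, the Grails project or its documentation), the following hypothetical Invoice domain class and controller put the three points from the reply above into Grails 2.x-era code: real format constraints rather than only nullable/size checks, useToken on the form with withForm in the controller for XSRF protection, and a per-session indirect reference map so that database primary keys are never sent to the browser. Invoice, InvoiceController, session.username and session.invoiceRefs are assumptions made for the example; a real application would take the current user from its authentication plugin.

```groovy
// Added example, not from the original post or the Grails project.
// Assumes Grails 2.x (contemporary with the thread) and that the logged-in
// username is held in session.username (an assumption; use your auth plugin).

// grails-app/domain/example/Invoice.groovy
package example

class Invoice {
    String number
    String customerEmail
    String currency
    BigDecimal amount
    String owner          // username allowed to see this invoice

    static constraints = {
        // Real format validation, not just "not null" or "shorter than 20":
        number        matches: /INV-\d{4}-\d{6}/     // e.g. INV-2012-000123, full match
        customerEmail email: true, blank: false
        currency      inList: ['USD', 'EUR', 'GBP']
        amount        min: 0.0, scale: 2
        owner         blank: false, size: 1..64
    }
}

// grails-app/controllers/example/InvoiceController.groovy
package example

class InvoiceController {

    // Build a per-session map of opaque key -> invoice id covering only the
    // invoices this user may see. Views link with the key, never the PK:
    //   <g:link action="show" params="[ref: key]">${refs[key]}</g:link>
    def list() {
        def invoices = Invoice.findAllByOwner(session.username)
        Map<String, Long> refMap = [:]
        invoices.each { inv ->
            refMap[UUID.randomUUID().toString()] = inv.id
        }
        session.invoiceRefs = refMap
        [invoices: invoices, refs: refMap]
    }

    // Resolve the key through the map; anything not in the map is a 404, so a
    // user cannot reach another user's invoice by guessing ids.
    def show(String ref) {
        Long id = session.invoiceRefs?.get(ref)
        if (id == null) {
            response.sendError(404)
            return
        }
        [invoice: Invoice.get(id)]
    }

    // The GSP form is declared as <g:form action="save" useToken="true">.
    // withForm rejects requests whose token is missing, forged or reused.
    def save() {
        withForm {
            def invoice = new Invoice()
            // Bind only the fields the user may set; owner is assigned server-side,
            // so it cannot be mass-assigned from the request.
            bindData(invoice, params, [include: ['number', 'customerEmail', 'currency', 'amount']])
            invoice.owner = session.username
            if (!invoice.save()) {
                // Constraint failures (bad number format, bad email, unknown currency...)
                render view: 'create', model: [invoice: invoice]
                return
            }
            redirect action: 'list'
        }.invalidToken {
            // Token missing, expired or already consumed: refuse, do not process.
            flash.message = 'Form token invalid or form submitted twice'
            redirect action: 'list'
        }
    }
}
```

The reference map is rebuilt on every call to list(), so the opaque keys rotate per listing and are only meaningful within the session that created them; show() deliberately returns 404 rather than 403 for unknown keys so that a probing user cannot tell whether an invoice exists.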