[Owasp-leaders] Grails / Groovy security references - OWASP or otherwise

Matt Tesauro matt.tesauro at owasp.org
Tue Dec 11 19:19:15 UTC 2012

Thanks to everyone who pinged me directly or on the list.

I went ahead and added some references to the early draft of Grails Secure
Code Review Cheat Sheet:

All: Feel free to chime in on that cheat sheet.


-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://AppSecLive.org - Community and Download site

On Tue, Dec 11, 2012 at 7:18 AM, William Stranathan <will at thestranathans.com> wrote:

> Sounds like a good cheatsheet. Fortunately, Grails has a lot of stuff
> built-in to help. Some really brief things off the top of my head:
> * HTML/JavaScript/URL Encode stuff as appropriate (see Manico's
> presentation on encoding properly for the context).
> * There are lots of built-in model validation constraints available to you
> - use them. And not just "it must not be null" or "it must be less than 20
> characters", but real format validation.
> * Use useToken on Forms
> * Do all the stuff listed in
> http://grails.org/doc/latest/guide/single.html#security - it *really* is
> pretty good, including XSRF prevention, although I think the "Guessable
> ID's" section could use some fleshing out (make a map of the objects the
> user should be able to access, check against that, or don't send PKs at
> all - send keys into the map).
> Will
> [snip]
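One way to flesh out the "guessable IDs" point above, as an added Groovy example that is not from the thread or the Grails docs: the `IndirectReferenceMap` class is a hypothetical helper that would be built once per user session from the IDs that user is allowed to reach, so links and forms carry opaque keys instead of primary keys.

```groovy
import java.security.SecureRandom

// Per-user indirect reference map: opaque keys go to the client, real
// primary keys stay server-side. Hypothetical helper, not a Grails API;
// in a Grails app it would live in the HTTP session of the current user.
class IndirectReferenceMap {
    private final Map<String, Long> keyToId = [:]
    private final Map<Long, String> idToKey = [:]
    private final SecureRandom rng = new SecureRandom()

    // Build from the IDs this user may access (e.g. a query scoped to the
    // current user). Anything not in this set can never be resolved.
    IndirectReferenceMap(Collection<Long> accessibleIds) {
        accessibleIds.each { Long id ->
            byte[] buf = new byte[16]
            rng.nextBytes(buf)                       // 128-bit random key
            String key = buf.encodeHex().toString()
            keyToId[key] = id
            idToKey[id] = key
        }
    }

    // Key to put in a link or hidden field instead of the primary key
    String keyFor(Long id) { idToKey[id] }

    // Resolve a key the client sent back; null means unknown or not this
    // user's object, so the controller should respond 404/403, not guess
    Long resolve(String key) { keyToId[key] }
}

// Constructed sample: the user owns orders 101 and 205; order 300 belongs
// to someone else and is therefore absent from the map.
def refs = new IndirectReferenceMap([101L, 205L])
String k = refs.keyFor(101L)
assert refs.resolve(k) == 101L                    // own object resolves
assert refs.resolve('300') == null                // raw PK in the URL gets nothing
assert refs.resolve('0' * 32) == null             // unknown key gets nothing
println "link: /order/show/${k}"
```

The controller does the lookup with `resolve()` and loads the domain object only from the returned ID, which keeps the "check against the map" step from being forgotten in individual actions.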