[Owasp-leaders] Grails / Groovy security references - OWASP or otherwise
jim.manico at owasp.org
Wed Dec 12 00:30:25 UTC 2012
This is very promising work and I'm glad you are a cheater. Welcome to
the OWASP Cheat Sheet Series once again. :)
Mike, I'm also very excited to see you contribute to OWASP and
participate in the community once again.
You're one of the bright ones and I'm grateful for your assistance and
> Thanks to everyone who pinged me directly or on the list.
> I went ahead and added some references to the early draft of Grails Secure
> Code Review Cheat Sheet:
> All: Feel free to chime in on that cheat sheet.
> -- Matt Tesauro
> OWASP Board Member
> OWASP WTE Project Lead
> http://AppSecLive.org - Community and Download site
> On Tue, Dec 11, 2012 at 7:18 AM, William Stranathan <will at thestranathans.com
>> Sounds like a good cheatsheet. Fortunately, Grails has a lot of stuff
>> built-in to help. Some really brief things off the top of my head:
>> presentation on encoding properly for the context).
>> * There are lots of built-in model validation constraints available to you
>> - use them. And not just "it must not be null" or "it must be less than 20
>> characters", but real format validation.
>> * Use useToken on Forms
>> * Do all the stuff listed in
>> http://grails.org/doc/latest/guide/single.html#security - it *really* is
>> pretty good, including XSRF prevention, although I think the "Guessable
>> ID's" section could use some fleshing out (make a map of the objects the
>> user should be able to access, check against that, or don't send PK's at
>> all - send keys into the map).
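As an added example (mine, not code from William's post or from the Grails docs), the last option in the list above: an indirect reference map that hands the page opaque keys instead of primary keys and resolves them back server-side, rejecting anything it never issued. It is plain Groovy with no Grails dependency; keeping one such map per user session, and the invoice objects themselves, are assumed.

```groovy
import java.security.SecureRandom

// Added example, not from the thread: an indirect-reference map, the
// "don't send PKs at all - send keys into the map" option. Framework-free
// so it runs with plain `groovy`; holding one instance per Grails session
// is assumed rather than shown.
class ObjectReferenceMap {
    private final Map<String, Long> keyToId = [:]
    private final Map<Long, String> idToKey = [:]
    private final SecureRandom rng = new SecureRandom()

    // Returns the opaque key for a PK the current user is allowed to reach.
    // Call this only for objects already authorised for the user, so the
    // map itself doubles as the "objects this user may access" list.
    String keyFor(Long id) {
        String existing = idToKey[id]
        if (existing) return existing
        byte[] raw = new byte[16]
        rng.nextBytes(raw)                     // unguessable, unlike a PK
        String key = raw.encodeHex().toString()
        keyToId[key] = id
        idToKey[id] = key
        return key
    }

    // Resolves a key from the request back to a PK; null means "never issued
    // to this user", which the controller should answer with 404/403.
    Long idFor(String key) {
        if (key == null) return null
        return keyToId[key]
    }
}

// Constructed sample: pretend the logged-in user owns invoices 1001 and 1002.
def refs = new ObjectReferenceMap()
def ownedInvoiceIds = [1001L, 1002L]
def links = ownedInvoiceIds.collectEntries { id -> [(refs.keyFor(id)): id] }
println "Keys rendered into the page instead of PKs: ${links.keySet()}"

// A request carrying an issued key resolves to the real PK ...
def goodKey = links.keySet().first()
assert refs.idFor(goodKey) == links[goodKey]
// ... while a raw PK typed into the URL, or a guessed key, resolves to nothing.
assert refs.idFor("1003") == null
assert refs.idFor("1001") == null
// Re-issuing a key for the same object is stable within the session.
assert refs.keyFor(1001L) == refs.keyFor(1001L)
println "Unknown key rejected; known key resolves to invoice ${refs.idFor(goodKey)}"
```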