[Owasp-leaders] Grails / Groovy security references - OWASP or otherwise

Jim Manico jim.manico at owasp.org
Wed Dec 12 00:30:25 UTC 2012


This is very promising work and I'm glad you are a cheater. Welcome to 
the OWASP Cheat Sheet Series once again. :)


Mike, I'm also very excited to see you contribute to OWASP and 
participate in the community once again.

You're one of the bright ones and I'm grateful for your assistance and 

Jim Manico
OWASP Volunteer

> Thanks to everyone who pinged me directly or on the list.
> I went ahead and added some references to the early draft of Grails Secure
> Code Review Cheat Sheet:
> https://www.owasp.org/index.php/Grails_Secure_Code_Review_Cheat_Sheet
> All: Feel free to chime in on that cheat sheet.
> Cheers!
> --
> -- Matt Tesauro
> OWASP Board Member
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> On Tue, Dec 11, 2012 at 7:18 AM, William Stranathan <will at thestranathans.com
>> wrote:
>> Sounds like a good cheatsheet. Fortunately, Grails has a lot of stuff
>> built-in to help. Some really brief things off the top of my head:
>> * HTML/Javascript/URL Encode stuff as appropriate (see Manico's
>> presentation on encoding properly for the context).
>> * There are lots of built-in model validation constraints available to you
>> - use them. And not just "it must not be null" or "it must be less than 20
>> characters", but real format validation.
>> * Use useToken on Forms
>> * Do all the stuff listed in
>> http://grails.org/doc/latest/guide/single.html#security - it *really* is
>> pretty good, including XSRF prevention, although I think the "Guessable
>> ID's" section could use some fleshing out (make a map of the objects the
>> user should be able to access, check against that, or don't send PK's at
>> all - send keys into the map).
>> Will
>> [snip]
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20121211/40ee3d0a/attachment-0001.html>

More information about the OWASP-Leaders mailing list