This list seems somewhat inactive, which I find a bit surprising, but I am very interested in one particular aspect of security when I build Clojure apps.
Right now my interest is in building REST web services and web applications backed by a relational database with something like Angular or Backbone at the front-end. I'm therefore interested in applying best practices in securing web applications for the public internet. I don't have a deep background in security, but as a seasoned Java developer I have a good idea of some of the security considerations for web applications, and I agree with another post here that OWASP is a very useful resource. My specific interests in security are mainly mitigations against: 1. SQL injection; 2. Cross-site scripting; 3. Request forgery. When it comes to the many libraries available for Clojure I struggle to find good information on these topics, so I'm unsure what is my responsibility as an app developer and what is being provided by those libraries for me. For example, based on Clojure tutorials I have built a Compojure web application that: 1. Accepts JSON from a client; 2. Inserts a database record based on the JSON (using the official JDBC wrappers). This is implemented in the most simple way possible: the JSON map is basically passed directly to the function that inserts that map in the database. I don't even name database columns and I don't filter text to mitigate against attacks. In my equivalent Java web application, I'd know to white-list keys for my JSON unmarshalling, I'd name explicit columns in my database operations, and I'd run the submitted user text through filters to strip out any malicious scripts or whatever, or escape the text when reading data back. I would have no confidence hosting this web application on the public internet in its current state. Now, admittedly my Clojure experience is limited (at time of writing I have about three part-time days of experience!), so these things may be obvious to others here, but right now this is the sort of thing I simply don't know how to do with Clojure and the third party libraries I'm using. By the way, I do use Friend already and I am finding it really useful. On Friday, 14 December 2012 17:36:57 UTC, Chas Emerick wrote: > > Some recent discussions related to my development of Friend have prompted > me to create a new group: > > https://groups.google.com/group/clojure-sec > "Dedicated to discussing security issues affecting those building > applications with Clojure and its variants." > > I'm sure many of us are building applications that have security > considerations. I think it would be helpful at this point if there were a > dedicated place for discussions around addressing those considerations; > thus, clojure-sec. > > We'll see what people actually want to talk about, but I'd be happy if any > of these classes of topics become common: > > * usage and design of particular security-related libraries and tools > * security-related tech available in the various host environments that we > can leverage from Clojure(Script/.CLR/-py/c/etc) > * Clojure-specific concerns (e.g. untrusted code evaluation / jailing) > * issues or weaknesses in particular Clojure implementations, libraries, > etc. > * discussion of more general-interest security topics that nevertheless > impinge upon our work in Clojure > * more, more, more > > I'm looking forward to learning. > > Cheers, > > - Chas > > -- > http://cemerick.com > [Clojure Programming from O'Reilly](http://www.clojurebook.com) > > -- -- You received this message because you are subscribed to the Google Groups "Clojure" group. To post to this group, send email to [email protected] Note that posts from new members are moderated - please be patient with your first post. To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/clojure?hl=en --- You received this message because you are subscribed to the Google Groups "Clojure" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
