[ANN] clojure-sec


Chas Emerick

Dec 14, 2012, 12:36:57 PM12/14/12
to clojure-sec, Clojure
Some recent discussions related to my development of Friend have prompted me to create a new group:

https://groups.google.com/group/clojure-sec
"Dedicated to discussing security issues affecting those building applications with Clojure and its variants."

I'm sure many of us are building applications that have security considerations. I think it would be helpful at this point if there were a dedicated place for discussions around addressing those considerations; thus, clojure-sec.

We'll see what people actually want to talk about, but I'd be happy if any of these classes of topics become common:

* usage and design of particular security-related libraries and tools
* security-related tech available in the various host environments that we can leverage from Clojure(Script/.CLR/-py/c/etc)
* Clojure-specific concerns (e.g. untrusted code evaluation / jailing)
* issues or weaknesses in particular Clojure implementations, libraries, etc.
* discussion of more general-interest security topics that nevertheless impinge upon our work in Clojure
* more, more, more

I'm looking forward to learning.

Cheers,

- Chas

--
http://cemerick.com
[Clojure Programming from O'Reilly](http://www.clojurebook.com)

Jonathan Irving

Dec 14, 2012, 12:49:45 PM12/14/12
to cloju...@googlegroups.com, Clojure
Neat!

I realize this isn't exclusively web-oriented, but given Friend, I expect that will dominate. So, I give you OWASP:


There is a lot of documented and codified experience in OWASP that may be fruitfully extracted and hopefully contributed back in the form of Clojure implementations.

cheers, J

Chas Emerick

Dec 14, 2012, 3:33:51 PM12/14/12
to clojure-sec
Thanks for that :-)

I sincerely hope that Friend becomes but a footnote in the overall mix.  There's a lot of interesting questions about security w.r.t. Clojure applications; web authentication and authorization is perhaps one common denominator to a certain degree, but I don't think that means it should have any particular dominance (if anything, especially once it matures, I'd hope it becomes an uninteresting given).

- Chas


Jonathan Irving

Dec 14, 2012, 4:05:21 PM12/14/12
to cloju...@googlegroups.com


On Friday, December 14, 2012 3:33:51 PM UTC-5, Chas Emerick wrote:
Thanks for that :-)

I sincerely hope that Friend becomes but a footnote in the overall mix.  There's a lot of interesting questions about security w.r.t. Clojure applications; web authentication and authorization is perhaps one common denominator to a certain degree, but I don't think that means it should have any particular dominance (if anything, especially once it matures, I'd hope it becomes an uninteresting given).

Web app security tends to dominate because web apps dominate in terms of attack surface. The opportunities they present are unprecedented in scale and reach. They are quite boring problems to solve though, and I look forward to seeing a no-brainer selection of Ring middleware that solves a bunch of them. That doesn't exist yet though as far as I can make out.

The security of higher value, less archetypal systems is more interesting to be sure. I could see immutable data structures being a natural fit for apps where classification and labelling are required, for example. I wonder if we'll see anyone show up here who is working on such apps, and also able to talk about it.

But yes, I look forward to not spending 95% of my time thinking about web applications (which is one of the reasons I am drawn to Clojure :)).

cheers, J 

wm.ma...@gmail.com

Nov 18, 2013, 2:19:56 PM11/18/13
to cloju...@googlegroups.com, Clojure
This list seems somewhat inactive, which I find a bit surprising, but I am very interested in one particular aspect of security when I build Clojure apps.

Right now my interest is in building REST web services and web applications backed by a relational database with something like Angular or Backbone at the front-end. I'm therefore interested in applying best practices in securing web applications for the public internet.

I don't have a deep background in security, but as a seasoned Java developer I have a good idea of some of the security considerations for web applications, and I agree with another post here that OWASP is a very useful resource. My specific interests in security are mainly mitigations against:

1. SQL injection;
2. Cross-site scripting;
3. Request forgery.

When it comes to the many libraries available for Clojure I struggle to find good information on these topics, so I'm unsure what is my responsibility as an app developer and what is being provided by those libraries for me.

For example, based on Clojure tutorials I have built a Compojure web application that:

1. Accepts JSON from a client;
2. Inserts a database record based on the JSON (using the official JDBC wrappers).

This is implemented in the most simple way possible: the JSON map is basically passed directly to the function that inserts that map in the database. I don't even name database columns and I don't filter text to mitigate against attacks. 

In my equivalent Java web application, I'd know to white-list keys for my JSON unmarshalling, I'd name explicit columns in my database operations, and I'd run the submitted user text through filters to strip out any malicious scripts or whatever, or escape the text when reading data back.

I would have no confidence hosting this web application on the public internet in its current state.

Now, admittedly my Clojure experience is limited (at time of writing I have about three part-time days of experience!), so these things may be obvious to others here, but right now this is the sort of thing I simply don't know how to do with Clojure and the third party libraries I'm using.

By the way, I do use Friend already and I am finding it really useful.
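An added example, not code from any poster in this thread, showing the Compojure + clojure.java.jdbc pattern described above with the three mitigations the post asks about (key whitelist before insert, parameterised values, output escaping, anti-forgery middleware). The db-spec, the `users` table with `name`/`email` columns, and the library versions (ring-json, ring-anti-forgery, clojure.java.jdbc 0.3.x) are assumptions.

```clojure
(ns example.handler
  (:require [compojure.core :refer [defroutes POST]]
            [ring.middleware.json :refer [wrap-json-body wrap-json-response]]
            [ring.middleware.anti-forgery :refer [wrap-anti-forgery]]
            [ring.middleware.session :refer [wrap-session]]
            [ring.util.response :as resp]
            [clojure.java.jdbc :as jdbc]
            [clojure.string :as str]))

;; Placeholder db-spec (assumption); any JDBC driver with a `users` table works.
(def db {:subprotocol "h2" :subname "mem:demo"})

;; The only JSON keys allowed to become column names. insert! binds *values*
;; as JDBC parameters, but map *keys* end up in the SQL as identifiers, so
;; without a whitelist the client decides the column list.
(def allowed-keys #{:name :email})

(defn sanitize-user
  "Keep whitelisted keys only and force each value to a bounded string."
  [body]
  (->> (select-keys body allowed-keys)
       (map (fn [[k v]] (let [s (str v)] [k (subs s 0 (min 255 (count s)))])))
       (into {})))

(defn insert-user!
  "Hardened replacement for (jdbc/insert! db :users body): only known
   columns are named, and every value travels as a ? parameter."
  [body]
  (let [row (sanitize-user body)]
    (if (= (set (keys row)) allowed-keys)
      (jdbc/insert! db :users row)
      (throw (ex-info "missing or unexpected fields" {:got (keys body)})))))

;; Output side: escape stored text before a template interpolates it into HTML.
;; Not needed while the API only returns JSON; needed as soon as a page renders it.
(defn escape-html [s]
  (str/escape (str s) {\& "&amp;" \< "&lt;" \> "&gt;" \" "&quot;" \' "&#39;"}))

(defroutes routes
  (POST "/users" {body :body}
    (try
      (resp/response {:created (insert-user! body)})
      (catch clojure.lang.ExceptionInfo e
        (-> (resp/response {:error (.getMessage e)}) (resp/status 400))))))

;; Order matters: the session must wrap anti-forgery, which rejects state-changing
;; requests lacking the session token (sent by a JSON client in X-CSRF-Token).
(def app
  (-> routes
      (wrap-json-body {:keywords? true})
      wrap-json-response
      wrap-anti-forgery
      wrap-session))
```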