The purpose of this chapter is to scare you. You are most likely not doing enough to secure your application and your user data, and running a risk of an embarrassing security breach that could gain you a lot of unwanted attention. In Hollywood, they say that all publicity is good publicity, because whether it’s good or bad, it gets people thinking about you. But for websites, this is far less true; users need to trust your site, and if you violate that trust, they will find an alternative. I often joke at conferences when I talk about security that you want to end up on Slashdot because you are awesome, not because you got hacked.
Please note that this is a very cursory discussion of an important topic, and you should make it a priority that at least someone on your team is knowledgeable about security best practices.
The Open Web Application Security Project (OWASP) is an organization that collects web application security information and publishes a list of its top 10 highest-priority security risks for web apps; this list is updated every three years, and the most recent is from 2010. Grails does help mitigate some of the risks by default, and using a security plugin helps with others, but it’s important to be aware of the risks and to be security conscious.
SQL injection is the most common type of injection attack, and Grails applications are largely immune to these, but not entirely. An SQL injection attack typically consists of tricking ...