Writing Secure Go code

AppsFlyer ∴ 2022

Miki Tebeka [email protected], @tebeka, mikitebeka, blog

Shameless Plugs

• Go Brain Teasers
• LinkedIn Learning

Agenda

• Common security threats (OWASP top 10)
• Avoiding injection
• Secure HTTP requests
• Avoiding sensitive data leak
• Handling secrets
• The security mindset and adding security to your development process

Terminal Log

Links

• golang.org/x/time/rate - Rate limiting
• Let's talk about logging by Dave Cheney
• Go Security Policy
• Awesome security tools
• How our security team handles secrets
• HTTPS
  • openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj /CN=localhost
  • x/crypto/autocert
  • Using Let's Encrypt in Go
• Customizing Binaries with Build Tags
• Books
  • Security with Go
  • Black Hat Go book
• Search for AWS keys in GitHub
• Fallacies of distributed computing
• cue - Language for data validation
• Serialization Vulnerabilities
  • XML Billion Laughs attack
  • Java Parse Float
• Understanding HTML templates in Go
• SQL
  • database/sql
  • sqlx
  • gorm
• Resilient net/http servers
• Context on the Go blog
• Customizing Binaries with Build Tags
• Our Software Depenedcy Problem
• Go's CVE List
• Static tools
  • gosec
  • go install golang.org/x/vuln/cmd/govulncheck@latest
  • staticcheck
  • Use x/tools/analysis to write your own (see here for an example)
  • golangci-lint
• The newembed package
• OWASP Top 10
• The Security Mindset by Bruce Schneier
• Effective Go - Read this!

Data & Other

• ./run-db.sh
  • Will start postgres on port 5432
• docker exec -it <ID> psql -U postgres
  • or pgcli -p 5432 -U postgres -h localhost
• curl -d@_ws/add-1.json http://localhost:8080/api/journal
  • Try with add-2.json and add-3.json
• openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj /CN=localhost