The Go Security Checklist

Improve the security of your Go application with the Go Security Checklist

your progress
0% complete

Categories

Get the PDF version

Code

  • Don’t implement your own crypto

    Unless you’re a security expert — and even if you are — never implement your own crypto. Doing so is a common cause of security errors, as too few eyes have had a chance to review the code. Instead, use publicly reviewed, critiqued, and tested libraries such as https://golang.org/pkg/crypto/[the crypto package] in Go’s standard library. Then, educate yourself as much as possible on cryptography, by reading such books as GoCrypto by Kyle Isom, or take the Cryptography course on Pluralsight.

    Read more:

  • Keep your dependencies up to date

    Most modern code relies on third-party dependencies. These need to be managed effectively, kept up to date, and scanned for vulnerabilities to ensure that your code is not exposed when using them. Use godep as your dependency manager and keep up to date with all of your dependencies.

    Scan all third-party libraries regularly for known security issues using a security scanner such as gosec. You can also manage your dependencies and ensure that you’re notified if you’re using vulnerable ones with Sqreen.

    Read more:

  • Never store sensitive data in sessions

    No sensitive data should ever be stored in a session. Ideally, only a minimum of data should ever be stored in a session. Otherwise, the information may result in unauthorized disclosure should the server be breached.

    Read more:

  • Don’t cache sensitive data

    When you cache data to speed up your application, such as database requests, ensure that sensitive data isn’t cached.

    Read more:

  • Store passwords using strong hashing functions

    Ensure that all passwords and other potentially sensitive data are hashed, using robust hashing functions such as Bcrypt.

    Don’t use weak and vulnerable hashing functions, such as MD5 and SHA1.

    Read more:

  • Use secure middleware

    When writing secure web-based applications, there is a lot to think of and get right. Reduce the development overhead by using secure middleware that provides security features such as XSS protection, CSP headers, SSL checks, and redirects.

  • Write simpler, more readable code

    Code is read far more than it is ever written. Simpler code is easier to read and debug. Help reduce the complexity of your code by making use of static analyzers such as staticcheck.io and GoReporter.

  • Authenticate your application

    Ensure that only authenticated users are allowed into your application. Authentication defines whether a user is admitted into your system and is the first barrier to someone gaining access to your application.

    Read more:

  • Enforce access control with a reputable library

    To ensure that access to sensitive data and sections of your application are both authenticated and authorized, use mature ACL (Access Control Library) and RBAC (Role-Based Access Control) packages.

    Read more:

  • Log all the things

    Regardless of whether you’re logging input validation failures, access control failures, or system-level exceptions, make sure that you’re logging, and with an easy to use and mature package, such as Go’s log package, Logrus, or glog.

    Read more:

  • Never log sensitive data

    Here’s the exception. While it’s essential to instrument applications and log events of all forms so that we have information to respond when things go wrong, we must ensure that no sensitive data is ever written to the logs.

    Additionally, OWASP recommends that a cryptographic hash function be used to ensure no log tampering has taken place.

    Read more:

  • Be aware of vulnerabilities and security advisories

    Even the best software contains bugs and security vulnerabilities, and the best developers make security-related mistakes. Make sure that you and your team stay up to date about all the latest vulnerabilities and security advisories, so that you are prepared when the time comes to patch your code.

    Read more:

    • golang-announce - The golang release mailing list.
    • CVE - Known Go Vulnerabilities (in the language and packages).
    • NVD - Find Golang known vulnerabilities in the National Vulnerability Database.
  • Filter and validate all data

    Regardless of where the data comes from, whether that’s a configuration file, server environment, user input — or anywhere else — do not trust it! Filter and validate it! Do this by using one of the available Go libraries.

    Read more:

  • Always perform output filtering

    No matter where your application outputs information, avoid exposing your users to CSRF (Cross-Site Request Forgery) and XSS (Cross-Site Scripting), and other forms of attacks by performing context-aware output filtering.

    Read more:

  • Stay up to date with the latest Go version

    Go, like most languages, improves with each release, containing bug and security fixes for previous releases, as well as other language features, which can include those with an emphasis on security. Stay up to date with the latest Go version as much as possible.

  • Use an application security testing tool like a SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), or IAST (Interactive Application Security Testing)

    Testing your code pre-production is a smart way to reduce the number of vulnerabilities that make it to production and proactively uncover potential security flaws. There are several different types of tools that aim to help you do this. A SAST scans source code looking for vulnerable code or potentially vulnerable code. However, without any context as to how the application comes together, SAST tools often generate a large number of false positives and false negatives.

    A DAST stresses your application from the outside, pre-production, by sending a wide range of malicious requests. DASTs have the advantage of simulating traffic and seeing how your application handles it, rather than just looking at the code, but often take extremely long to run and also generate a fair number of false positives, since they are application-blind.

    An IAST leverages your production traffic data to more intelligently fuzz your application, giving you a higher signal-to-noise ratio and a faster runtime. However, for new code that hasn’t been in production yet, IASTs may not catch the vulnerabilities therein.

    Read more:

  • Use OWASP secure coding practices

    Use the OWASP secure coding practices for Go to avoid programming mistakes that could lead to vulnerabilities: https://owasp.org/www-project-go-secure-coding-practices-guide/

  • Integrate linters into your CI

    Integrate linters to automatically detect static source-code issues. Linters can help you catch obvious vulnerabilities before they reach production.

    Read more:

Infrastructure

Protection

Trusted by security teams, loved by developers.

Monitoring and protection platform made to be incredibly powerful yet very easy to use.

Want this handbook as a PDF?

Scan the QR-code, or go to:

https://www.sqreen.com/checklists/the-go-security-checklist

Paper plan illustration

Get your bi-weekly security dose!

Hand-picked security content for Developers, DevOps and Security.
No Spam. Just awesome content.