Go Security Vulnerabilities and Language Overview
Learn how Checkmarx can secure your Go applications

What is Go?
Go (also known as Golang) is a compiled, open-source programming language created at Google by Robert Griesemer, Ken Thompson, and Rob Pike and announced in 2009. Its compiler and language tools are free and open source. Go is designed so that developers can build solid, efficient code with little ceremony, and it is widely regarded as a modern, simpler successor to comparatively conservative languages such as C++, which explains much of its appeal to programmers.

Since its launch, Go has climbed steadily in popularity. For several years running it has ranked among the five most loved programming languages, and it came in third in the "most wanted" category of Stack Overflow's 2017 developer survey, whose thousands of respondents also placed Go developers among the highest paid. The number of enterprises and developers using Go continues to grow; among the hundreds of companies and organizations building with it, Adobe, Pinterest, Docker, and SpaceX stand out.

Go's mascot is a gopher, designed by Renée French.

Why Was Go Created?
Go started as an experiment in designing a language that would solve common problems with other languages in a straightforward, easy-to-use way. Its creators set out to provide "rigorous dependency management, the adaptability of software architecture as systems grow, and robustness across the boundaries between components" (source), so that the language would keep pace with a constantly changing development environment.
The designers have also cited their dislike of C++'s complexity as a motivation for creating a simpler, more seamless language.

Major Go Frameworks:

Revel
Revel is a high-productivity web framework for Go with an extensive set of high-performance features built in, so developers rarely need to integrate external libraries. A standout feature is Revel's Hot Code Reload, which rebuilds the project on every file change.

Beego
Beego is an "open source framework to build and develop your applications in the Go way": a fully developed framework complete with its own web framework, logging library, and ORM. Beego ships with Bee Tool, which watches for code changes and can run tasks when it detects them. Beego suits busy developers, as it saves many hours when launching a new project.

Protocol Buffers
Protocol Buffers is not a Go-specific framework in the traditional sense, but it deserves a mention. It is Google's language- and platform-neutral mechanism for serializing structured data, and Go developers commonly use it to define how their data should be structured. It is known for its simplicity and ease of use.

Gin Gonic
If you are familiar with Martini-like APIs, Gin Gonic is for you. Gin is an HTTP web framework written in Go, known as a high-performance, minimal framework that provides the fundamental features and libraries.

Go Security Vulnerabilities
With Go's surge in popularity, it is crucial that Go applications are designed and built with security in mind. The Go Secure Coding Guide offers a deeper dive into secure development best practices in Go, along with tips, tricks, and code examples to help ensure the security of your Go code.
That said, two stand-out vulnerability classes commonly affect applications written in Go:
Cross-Site Scripting (XSS)
SQL Injection

Securing Your Go
Checkmarx's Application Security Research Team released a secure coding guide, Go Language – Web Application Secure Coding Practices, available on the Checkmarx website as a downloadable whitepaper and on GitHub as a living document that the open source community continuously edits and updates. The guide aims to help developers avoid common mistakes while learning a new programming language through a hands-on approach: it covers how to code securely in detail, walking through the security problems a developer is likely to encounter.

Checkmarx's static code analysis solution, CxSAST, tests Go code for security weaknesses and helps it meet legal and compliance requirements, and it supports application security education for developers. CxSAST integrates with a wide variety of IDEs and the development tools teams already use at every stage of the SDLC, and its incremental code scanning and best-fix-location capabilities make it well suited to any CI/CD environment.
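The following is an added example, not code from the page or from the Checkmarx guide, showing the two vulnerability classes listed above in Go using only the standard library. For XSS it contrasts text/template, which emits user input verbatim, with html/template, which escapes the value for the context it lands in. For SQL injection it contrasts splicing input into the query text with fmt.Sprintf against keeping the SQL constant and passing the value as a bound argument. The table name `users`, the PostgreSQL-style `$1` placeholder, and the two sample payloads are assumptions made for the illustration; no database is connected, and the query builders simply return what would be handed to database/sql.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Template body shared by both renderers; the user-controlled value is
// interpolated into HTML text content.
const greeting = "<p>Hello, {{.}}</p>"

// RenderUnsafe uses text/template, which performs no escaping, so any markup
// in name reaches the browser as-is: reflected XSS.
func RenderUnsafe(name string) (string, error) {
	t, err := texttemplate.New("greeting").Parse(greeting)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, name); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderSafe uses html/template, which escapes the value for the context it
// is inserted into (HTML text here), so the same payload renders as inert text.
func RenderSafe(name string) (string, error) {
	t, err := htmltemplate.New("greeting").Parse(greeting)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, name); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// BuildQueryUnsafe splices the username into the SQL text. A single quote in
// the input terminates the string literal and the remainder is parsed as SQL.
// (Assumed table and column names.)
func BuildQueryUnsafe(username string) string {
	return fmt.Sprintf("SELECT id, name FROM users WHERE name = '%s'", username)
}

// BuildQuerySafe keeps the SQL text constant and returns the value separately;
// the caller passes them as db.QueryContext(ctx, query, args...) so the driver
// binds the value as data, never as SQL. $1 is PostgreSQL placeholder syntax
// (assumed); MySQL drivers use ? instead.
func BuildQuerySafe(username string) (string, []interface{}) {
	return "SELECT id, name FROM users WHERE name = $1", []interface{}{username}
}

func main() {
	xssPayload := "<script>alert(1)</script>" // constructed sample input
	sqliPayload := "' OR '1'='1"              // constructed sample input

	unsafeHTML, _ := RenderUnsafe(xssPayload)
	safeHTML, _ := RenderSafe(xssPayload)
	fmt.Println("text/template:", unsafeHTML)
	fmt.Println("html/template:", safeHTML)

	fmt.Println("formatted SQL:", BuildQueryUnsafe(sqliPayload))
	query, args := BuildQuerySafe(sqliPayload)
	fmt.Printf("parameterized: %s  args=%q\n", query, args)
}
```

The formatted query degenerates to `SELECT id, name FROM users WHERE name = '' OR '1'='1'`, which matches every row; the parameterized form never changes shape no matter what the argument contains. The same rule applies to any user-controlled piece of a statement: if a table or column name must vary, validate it against an allow-list rather than formatting it in.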