Go is a programming language that was developed at Google, designed with Google's approach to software development in mind. Go is used in many production systems inside Google, and has been used to build a number of popular open-source projects.
Go's goal is to make it easier to write software that is able to be built quickly and easily. This is accomplished by making the language simple and easy to use, while also making it powerful enough to complete complex tasks. However, the Go programming language is not immune to security and vulnerability. Software developers need to be careful about their code and make sure their code is safe and secure.
In this article, we will cover how to write secure code in Go and make sure your code does not have any security issues and how you can check for them.
Write safe and secure code with Go
The Go programming language is generally considered safe. By using strong type checking, Go already avoids a lot of potential issues that other programming languages have (e.g. use of pointer arithmetic in C, mixing types in Python, etc).
However, there are still some constructs that are not safe with Go. In particular, when using the unsafe package, developers can potentially introduce issues such as incorrect memory access or buffer overflow. The use of such constructs adds vulnerabilities to your program. For this reason, developers must avoid using this package and only do so after the code has been audited and evaluated to be correct and safe.
Developers must be careful when using the unsafe package to avoid erroneous memory operations. But they also must ensure that their application handles resources in a secure manner and avoid Common Weakness Enumeration and Common Vulnerabilities Exposure.
Avoiding Common Weakness Enumeration (CWE) with Go
As for any programming language, software developers need to avoid Common Weakness Enumeration (CWE). CWE issues range from incorrectly manipulating files, using insecure encryption methods, or not checking user inputs. Not fixing CWE in your Go code may expose your software to insecure and unsafe behaviors.
In Go, there are common rules to check against CWE:
- Check for insecure encryption/hash methods (such as MD5, DES)
- Avoid SQL injections due to user inputs
- Check permissions of files created
- Properly open and close file handles
- Checking for overflow
- Properly check for errors when calling a function
For example, when using the following code to create a file, permission
0644 are too permissive, letting other users and processes on the local machine read the file.
file, err := os.OpenFile("errors.generated.go", os.O_WRONLY|os.O_TRUNC|os.O_CREATE, 0644)
The appropriate permissions would then be
0600, which only gives access to the file to the user executing the program.
file, err := os.OpenFile("errors.generated.go", os.O_WRONLY|os.O_TRUNC|os.O_CREATE, 0600)
Avoid and Fix vulnerabilities in the Go programming language
To avoid security and vulnerabilities, you need to make sure insecure and unsafe coding patterns are not used. There are some great tools to analyze Go code:
- Gosec: analyzes your Go code and detects potential CWE.
- Staticcheck: analyzes your Go code, and looks for potential safety issues such as infinite recursion.
You can integrate these tools in your CI/CD pipeline to automate the detection of vulnerabilities in each pull request (gosec has instructions to do so). However, it does not give you a full audit of your existing source code. And manually integrating these tools require you to maintain these integrations and make sure you are constantly up to date with the latest versions.
To ensure you always use the latest state-of-the-art tools, the best is to use a code analysis platform such as Codiga that scans your code at every push and pull request. Codiga gives you an overview of all vulnerabilities in your Go code and highlights all security issues.
Codiga not only flags security issues and CWE in your code at each pull or push request within seconds. It also provides links to fix these issues before the code is merged into production.
If you are a Go developer working alone on a side project or part of a large team using Go every day to deliver critical services, you can start using Codiga for free to audit your source code and avoid vulnerabilities in production.