Which are your best tools for testing Go web apps for security issues?

polaris · 428 views
I am new to security. I've written a web application in Go that has protections against common attacks like CSRF and SQL injection. But I would like to know how secure it actually is and discover any other security issues it might have.

Which are your best Go-specific or other tools for that?

**Comments:**

colezlaw:

On the dynamic side, a webapp in Go is going to look no different than an app written in any other language, except that it also provides HTTP/2 out of the box. HTTP/2 is no different from HTTP/1 when you're looking at vulnerabilities in the application, but if you were going to do protocol fuzzing then there would need to be that.

On the static side, I'm not aware of any static analyzers (yet) for Go that have a really strong set of defensive programming rules. However, the lexer and parser are available as APIs so writing a static analyzer specifically for defensive programming type of things would just be a matter of understanding what APIs need to be modeled, what incorrect or unsafe things look like, and what safe usages of those look like. Doing proper dataflow analysis and taint propagation, however, would take a lot more time.
