<p>I am new to security. I've written a web application in Go that has protections against common attacks like CSRF and SQL injection. But I would like to know how secure it actually is and discover any other security issues it might have.</p>
<p>Which are your best Go-specific or other tools for that?</p>
<hr/>**Comments:**<br/><br/>colezlaw: <blockquote><p>On the dynamic side, a webapp in Go is going to look no different than an app written in any other language, except that it also provides HTTP/2 out of the box. HTTP/2 is no different from HTTP/1 when you're looking at vulnerabilities in the application, but if you were going to do protocol fuzzing then there would need to be that.</p>
<p>On the static side, I'm not aware of any static analyzers (yet) for Go that have a really strong set of defensive programming rules. However, the lexer and parser are available as APIs, so writing a static analyzer specifically for defensive programming type of things would just be a matter of understanding what APIs need to be modeled, what incorrect or unsafe things look like, and what safe usages of those look like. Doing proper dataflow analysis and taint propagation, however, would take a lot more time.</p></blockquote>
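<p>The kind of purpose-built checker the comment above describes, as an added example rather than anything the commenter or the Go project ships: it uses the standard go/parser and go/ast packages to flag database/sql Query, QueryRow and Exec calls whose query text is built by string concatenation or fmt.Sprintf instead of being passed as a constant with placeholder parameters. The Sample input is constructed here, and the check is purely syntactic (no type information), so it matches on method names only and misses a query assembled into a variable earlier; the taint propagation the comment mentions is what would close that gap.</p>

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// Sample is a constructed input: one parameterised call and one concatenated query.
const Sample = `package app
func find(db *sql.DB, name string) {
	db.Query("SELECT id FROM users WHERE name = $1", name)
	db.Query("SELECT id FROM users WHERE name = '" + name + "'")
}`

// sqlMethods are the database/sql methods whose first argument is the query text.
var sqlMethods = map[string]bool{"Query": true, "QueryRow": true, "Exec": true}

// isDynamic reports whether a query argument is assembled at run time (a + b or fmt.Sprintf).
func isDynamic(e ast.Expr) bool {
	if b, ok := e.(*ast.BinaryExpr); ok {
		return b.Op == token.ADD
	}
	c, ok := e.(*ast.CallExpr)
	return ok && types.ExprString(c.Fun) == "fmt.Sprintf"
}

// FindDynamicQueries parses one Go source file and reports each Query/QueryRow/Exec
// call whose query argument is built dynamically, as "line N: Method".
func FindDynamicQueries(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var out []string
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok || len(call.Args) == 0 {
			return true
		}
		if sel, ok := call.Fun.(*ast.SelectorExpr); ok && sqlMethods[sel.Sel.Name] && isDynamic(call.Args[0]) {
			out = append(out, fmt.Sprintf("line %d: %s", fset.Position(call.Pos()).Line, sel.Sel.Name))
		}
		return true
	})
	return out, nil
}
```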
