Question about Security Scanners

xuanbao · · 560 views
This is a resource shared on (date missing from the page); the information in it may have developed or changed since.
Hello Gophers!

I have been using Go for some side projects since pre-1.0 days, and love the language. I have finally been able to use it full time for backend (React on the front end) professionally, and happy to do so. However, I had a question about some security tools.

Given the Equifax breach, I am sure security is on the forefront of all of our minds. I wanted to see if any of our repos have potentially vulnerable dependencies. We updated all of our repos to Go 1.9 and we use Glide for our vendor management.

Are there any tools, preferably free, that will scan the dependencies we have for vulnerabilities? We use Chi for our router, and some third-party libraries, so we are pretty lean, but I would love to see if there was a tool similar to NSP in the Node ecosystem. My Google skills did not come up with anything; maybe it's not needed? I know scans won't find everything, but anything would be a helpful start.

Thanks!

---

**Comments:**

NeedsMoreTests:

FYI, the Equifax breach was due to far more than just a vulnerability: http://spuz.me/blog/zine/3Qu1F4x.html

/r/AskNetsec might be a better place to ask this question; however, as some general guidance:

- Make fuzzing a regular part of your testing.
- Never *ever* trust user input.
- Use gometalinter to spot problems like variable shadowing, unused variables, general bad practices, etc. By far most vulnerabilities are the result of bugs rather than a true application vulnerability.
- Never assume your code is secure, so do the right things at the system level: use strict SELinux policies, run as a user with no privileges, isolate resources from each other, etc.
- Always run the latest version of Go to get the latest security updates.
- Don't store secrets in your application.

You'll probably find a lot more answers if you look for an "application security scanner". There are a lot of language-specific scanners, but I'll be honest and say that because of the way Go is designed and the lack of popularity compared to something like Python, C or Java, you're unlikely to find a wide set of tools specific to the language.

losingthefight:

Thank you for the response! Yes, I am aware of the many, MANY issues with Equifax. The Struts vulnerability was but a small part of what seemed to be a culture of lax security (the Argentina web portal, etc.). But, with the breach being so massive, it has spurred, at least in my neck of the woods, increased emphasis on security built into our Sprints. We use a wide variety of tools to test security implications, such as user input in our integration tests, but I was mostly interested in something that could find vulnerabilities we may not be aware of in our repositories. I had used things like FindBugs and PMD for Java apps, and the built-in linter and compiler is great, but I was curious if there were other tools.

Thanks for the feedback though!

dominikh:

SourceClear recently announced Go support. Said support amounts to flagging outdated dependencies that have known vulnerabilities.

https://www.sourceclear.com/blog/Announcing-Go-Language-Support/

dchapes:

See https://www.reddit.com/r/golang/comments/6x0y5e/announcing_go_language_support_scan_your_go/

losingthefight:

Thanks! This is right along what I was looking for. I will check it out!
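The original poster asks for an NSP-style scanner for Glide-managed dependencies, and dominikh describes SourceClear's Go support as flagging pinned dependencies with known vulnerabilities. The following is an added example, not code from the thread, from Glide, or from SourceClear: it reads the `imports:` section of a `glide.lock` file and checks each pinned revision against an embedded advisory list, which is the core of what such a tool does. The lock file contents, the `example.com/acme/...` packages, the 40-character revisions and the `HYPOTHETICAL-000x` advisories are all constructed for the demo; only the `github.com/go-chi/chi` import path comes from the thread, and no advisory is attached to it.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Dependency is one pinned import from a glide.lock file.
type Dependency struct {
	Name    string // import path, e.g. github.com/go-chi/chi
	Version string // pinned revision; glide.lock records a commit hash here
}

// Advisory is a minimal advisory record: affected package, the pinned
// revisions known to be vulnerable, and a summary. A real scanner would pull
// these from an advisory feed; here they are constructed and embedded.
type Advisory struct {
	Package  string
	Affected map[string]bool
	Summary  string
}

// Finding ties a locked dependency to the advisory it matched.
type Finding struct {
	Dep      Dependency
	Advisory Advisory
}

// parseGlideLock extracts name/version pairs from the imports: and
// testImports: sections. It is a line parser for glide.lock's fixed
// two-space layout, not a general YAML parser.
func parseGlideLock(src string) []Dependency {
	var deps []Dependency
	inList := false
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimRight(raw, " \t")
		switch {
		case strings.HasPrefix(line, "imports:") || strings.HasPrefix(line, "testImports:"):
			inList = true
		case len(line) > 0 && line[0] != ' ' && line[0] != '-':
			inList = false // any other top-level key (hash:, updated:) ends the list
		case inList && strings.HasPrefix(line, "- name: "):
			deps = append(deps, Dependency{Name: strings.TrimPrefix(line, "- name: ")})
		case inList && strings.HasPrefix(line, "  version: ") && len(deps) > 0:
			deps[len(deps)-1].Version = strings.TrimPrefix(line, "  version: ")
		}
	}
	return deps
}

// scan reports every locked dependency whose exact pinned revision appears in
// an advisory for that package.
func scan(deps []Dependency, advisories []Advisory) []Finding {
	byPkg := make(map[string][]Advisory)
	for _, a := range advisories {
		byPkg[a.Package] = append(byPkg[a.Package], a)
	}
	var findings []Finding
	for _, d := range deps {
		for _, a := range byPkg[d.Name] {
			if a.Affected[d.Version] {
				findings = append(findings, Finding{Dep: d, Advisory: a})
			}
		}
	}
	return findings
}

// Constructed glide.lock: hashes and example.com packages are placeholders.
const sampleLock = `hash: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
updated: 2017-09-20T10:00:00Z
imports:
- name: github.com/go-chi/chi
  version: 1111111111111111111111111111111111111111
  subpackages:
  - middleware
- name: example.com/acme/jwtlib
  version: 2222222222222222222222222222222222222222
- name: example.com/acme/dbutil
  version: 3333333333333333333333333333333333333333
testImports: []
`

// Constructed advisories: one matches the pinned jwtlib revision, the other
// names a dbutil revision the lock file does not use.
var sampleAdvisories = []Advisory{
	{Package: "example.com/acme/jwtlib",
		Affected: map[string]bool{"2222222222222222222222222222222222222222": true},
		Summary:  "HYPOTHETICAL-0001: token signature not verified"},
	{Package: "example.com/acme/dbutil",
		Affected: map[string]bool{"4444444444444444444444444444444444444444": true},
		Summary:  "HYPOTHETICAL-0002: query built by string concatenation"},
}

func main() {
	findings := scan(parseGlideLock(sampleLock), sampleAdvisories)
	for _, f := range findings {
		fmt.Printf("%s@%s: %s\n", f.Dep.Name, f.Dep.Version, f.Advisory.Summary)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero exit so a CI step fails on a hit
	}
}
```

Because glide.lock records commit hashes rather than tags, matching is by exact revision; an advisory published as a semver range would first have to be resolved to the commits it covers before this check could apply, and a dependency pinned to an unreleased commit is invisible to any version-range feed. That gap is what the thread's caveat that "scans won't find everything" looks like in practice.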
