<p>Hello Gophers!</p>
<p>I have been using Go for some side projects since pre 1.0 days, and love the language. I have finally been able to use it full time for backend (React on the front end) professionally, and happy to do so. However, I had a question about some security tools.</p>
<p>Given the Equifax breach, I am sure security is on the forefront of all of our minds. I wanted to see if any of our repos have potentially vulnerable dependencies. We updated all of our repos to Go 1.9 and we use Glide for our vendor management. </p>
<p>Are there any tools, preferably free, that will scan the dependencies we have for vulnerabilities? We use Chi for our router, and some third party libraries, so we are pretty lean, but I would love to see if there was a tool similar to NSP in the Node ecosystem. My Google skills did not come up with anything; maybe it's not needed? I know scans won't find everything, but anything would be a helpful start.</p>
<p>Thanks!</p>
<hr/>**评论:**<br/><br/>NeedsMoreTests: <pre><p>FYI, the Equifax breach was due to far more than just a vulnerability: <a href="http://spuz.me/blog/zine/3Qu1F4x.html" rel="nofollow">http://spuz.me/blog/zine/3Qu1F4x.html</a></p>
<p><a href="/r/AskNetsec" rel="nofollow">/r/AskNetsec</a> might be a better place to ask this question however as some general guidance:</p>
<ul>
<li>Make fuzzing a regular part of your testing.</li>
<li>Never <em>ever</em> trust user input.</li>
<li>Use gometalinter to spot problems like variable shadowing, unused variables, general bad practices, etc. By far most vulnerabilities are the result of bugs rather than a true application vulnerability.</li>
<li>Never assume your code is secure so do the right things at the system level: use strict selinux policies, run as a user with no privileges, isolate resources from each other, etc.</li>
<li>Always run the latest version of Go to get the latest security updates.</li>
<li>Don't store secrets in your application.</li>
</ul>
<p>You'll probably find a lot more answers if you look for an "application security scanner". There are a lot of language specific scanners but I'll be honest and say that because of the way Go is designed and the lack of popularity compared to something like Python, C or Java you're unlikely to find a wide set of tools specific to the language.</p></pre>losingthefight: <pre><p>Thank you for the response! Yes, I am aware of the many, MANY issues with Equifax. The Struts vulnerability was but a small part of what seemed to be a culture of lax security (the Argentina web portal, etc). But, with the breach being so massive, it has spurred, at least in my neck of the woods, increased emphasis on security built into our Sprints. We use a wide variety of tools to test security implications, such as user input in our integration tests, but I was mostly interested in something that could find vulnerabilities we may not be aware of in our repositories. I had used things like FindBugs and PMD for Java apps, and the built in linter and compiler is great, but I was curious if there were other tools.</p>
<p>Thanks for the feedback though!</p></pre>dominikh: <pre><p>SourceClear recently announced Go support. Said support amounts to flagging outdated dependencies that have known vulnerabilities.</p>
<p><a href="https://www.sourceclear.com/blog/Announcing-Go-Language-Support/" rel="nofollow">https://www.sourceclear.com/blog/Announcing-Go-Language-Support/</a></p></pre>dchapes: <pre><p>See <a href="https://www.reddit.com/r/golang/comments/6x0y5e/announcing_go_language_support_scan_your_go/" rel="nofollow">https://www.reddit.com/r/golang/comments/6x0y5e/announcing_go_language_support_scan_your_go/</a></p></pre>losingthefight: <pre><p>Thanks! This is right along what I was looking for. I will check it out!</p></pre>
