26 Nov, 2014

Developing Secure Applications with Golang

by Cyrus Malekpour

One topic that should come up more often (but doesn’t) when considering new languages and frameworks is how secure they can be out of the box. Developers often consider things like performance, ease of use, and compatibility before starting a software project with a new framework. However, out-of-the-box security is an important feature to consider as well. It’s easy to overlook how some of the default settings can leave holes open, especially for new developers, so framework authors should focus on making these as secure as possible right from the beginning.

Image from golang.org

Go is one such new language that has been rising in popularity over the last few years. Originally developed by a team at Google for their own external-facing services, Go is a statically typed opinionated language with fast compilation, easy concurrency, and garbage collection. Go now powers a variety of services at well-known companies like Microsoft, GitHub, Cloudflare, Heroku, and more. It’s also at the heart of open source tools like Docker, which we’ve written about previously.

Go is opinionated, meaning it tries to steer developers into writing code in the same way. Combined with some of the below language features, Go code ends up being rather safe from the get-go:

  • All variables and libraries must be used
  • Go strongly encourages memory safety
  • Function return values must be addressed (meaning all errors must be handled!)
  • Strings are UTF-8

Together, these features help you avoid some encoding attacks and enforce good development practices.

It’s becoming increasingly common to use Go for web apps. Goroutines, essentially lightweight threading built into the language, makes it easy to accept requests as they come in without callback hell. Go’s standard library comes with a fast HTTP server with routing in the form of net/http. Though basic, it provides the necessary set of tools to create secure web software.

Because of its small feature set, it’s pretty secure out of the box. However, being hands-off means it’s easy to repeat old mistakes. How will you store your sessions? How should you properly validate form input? Will you develop your own authentication and/or authorization? These questions are easy to trip over when developing an application. To avoid reinventing the wheel, use the Gorilla web toolkit.

Image from www.gorillatoolkit.org

Rather than a fully-fledged framework, Gorilla is a set of useful libraries for webapps, all of which can be used independently. I recommend using the session and schema libraries. Gorilla’s ‘session’ helps handle storing your cookies on the server as well as just passing unique tokens. It also comes with a great number of backends! With the ‘schema’ library, you get to read in your forms as a struct, which lets you do easy validation on what is and isn’t included in the request. Additionally, the  securecookie library can be useful if the session doesn’t need to be kept private and can be read by the end user.

Looking for a more inclusive framework? You can find solid MVC ones in the form of beego and Revel. Though not as fully featured as Rails or Django, the modularity of both frameworks allows you to integrate in any missing features. Both rely on the built-in security of the Go language and augment it with better routing and MVC-style request handling.

Last but not least, Go itself provides some useful tooling that might help you uncover some problems. “Go fix” helps you update your source code with any changes made in the language or libraries as the language evolves. “Go vet” uses heuristics to figure out problematic code structures and point them out to you. Both of these are bundled with the main compiler and are invaluable for checking your own software.

As usual, any app is only as secure as its weakest link. In Go’s case, that link is likely to be in the layout of the app itself. The language provides powerful protection against a lot of the OWASP Top 10, but it is up to developers to create secure applications that utilize all best practices.