APPSEC OBSERVER

The latest trends and tips in DevSecOps through instrumentation and Security Observability.

Subscribe To Blog

Secure Coding with Go

All Systems Go—Except Application Security

Google Go (also known as Golang) continues its role as a popular software language that enables developers to ship quality code at a rapid pace. Its genesis can be traced back to when Google engineers set out to create an easy-to-use programming language that would eliminate the slowness and clumsiness of software development—making the process more productive and scalable. The result was a compiled solution that allows for massive multithreading, concurrency, and performance under pressure. Today, Go is the fastest growing language in terms of adoption in the market.

The 2020 Go Developer Survey shows a 92% overall satisfaction with the language. While Go is common in back-end systems and tools, both the Go survey and SmartBear (which created Swagger/OpenAPI) find that the most popular use case for Go is for development of publicly available application programming interfaces (APIs). This is because of Go’s ability to provide organizations with highly stable performant systems that scale effectively in microservice environments.

The news around Go all sounds great, until we get to the topic of security of third-party libraries and customer applications—over 70% of organizations indicate application security is in a backslide. APIs, in particular, are increasingly exploited by cyber criminals. APIs expose application logic and sensitive data such as personally identifiable information (PII), and thus have become a valuable target for attackers.

Stuck in a Manual Security Rut

With popular frameworks like Revel, Martini, and Gin Gonic, many Go developers create streamlined back-end APIs. These APIs are typically paired with different clients such as web clients or mobile applications that communicate to the back end over REST or gRPC.

As opposed to the monolithic structure common in other languages, Go applications often split themselves into microservices or sets of smaller microliths. A common difficulty of designing applications is dependence on security expertise needed to understand critical problems that require remediation—situations where the application and its logic can be abused.

With some programming languages, teams can threat-model a single application or use automated tools to detect common security issues. But the loose static typing of the Go language breaks many data-flow tools while the prominence of NoSQL databases changes what most security teams should be looking for (not SQL injection).

Static analyzers like staticcheck and gosec can be used, but the majority of these issues match quality-level checks—similar to the IntelliJ Code Inspections that are already available inside integrated development environments (IDEs). In addition to generating high rates of false positives, these sorts of legacy application scanning tools also miss unknown threats.

The Need for Integrated, Automated Security With Go

Organizations need a new approach to improve the security of Go applications. A modern and automated application security approach should target two key types of risk:

  • Open-source vulnerabilities where the application relies on an insecure library
  • Custom-code vulnerabilities where the application puts otherwise secure code together in a unique and unsafe way

Integrated analysis (also known as instrumentation) offers a new security technique for Go applications. Contrast Security is the first to offer Go instrumentation without the need to change source code. Contrast’s approach embeds sensors into the application, giving it the ability to trace data as it flows through an application and immediately detect and notify teams of vulnerabilities in real time.

Unlike static code analysis or blind analyzers that fuzz test REST/gRPC entry points, integrated analyzers work inside the application to observe what’s happening during the application runtime and identify how code is reaching insecure paths. For example, if data reaches a SQL query without validation, the sensor can determine that the path was insecure, even if no one was actively looking for security flaws.

This kind of integrated, automated application security detection makes it easier to find several types of critical issues (without requiring that a developer be fully trained in application security). This includes OWASP Top Ten security risks such as path traversal, where attackers can control their own access to different files on a file system. It also covers injection attacks (the number-one risk on the latest OWAP list), where unauthorized code is inserted into a program to manipulate databases, access file systems, or otherwise infiltrate applications.

How Instrumentation-based Security Works Within the Go Pipeline

During the build phase, developers use the Contrast Go tool in place of the Go compiler to seamlessly add instrumentation to their test pipeline. As a result, two things happen:

  • A scanner collects all direct and transitive dependencies to understand if any insecure libraries are used by the Go application. When a new CVE (Common Vulnerabilities and Exposures) is discovered in a library, now or later, this inventory immediately identifies which applications are impacted and alerts the security team.
  • The Contrast Go tool embeds interactive application security testing (IAST) sensors into the application binary which provide specialized security detection and monitoring at application runtime. This enables Contrast to evaluate the application’s security posture in real time as it runs.

Before promoting to quality assurance (QA), teams can decide if they should upgrade any dependencies to avoid known CVEs.

During the test phase, teams can deploy the Contrast security-aware binary to test environments. They can then use the application as normal, performing any relevant use cases of interest to the team. Dedicated security testing at this phase is optional because Contrast automatically detects and notifies the security team of vulnerability detections and removes the guesswork. Teams can then prioritize any security issues found.

Currently, Contrast Go only includes IAST sensors for evaluating code in the build and test phases. In line with the full software development life cycle (SDLC) nature of the Contrast Application Security Platform, future Contrast Go capabilities will include runtime application protection and observability to protect Go applications in production as well.

Contrast Takes Go Further With Modern Application Security

Teams looking to improve the security of their Go applications can now use the industry’s first interactive application security analyzer for the Go language. The addition of the Contrast Go agent to the Contrast Application Security Platform provides an automated method of detecting security vulnerabilities in Go code. Contrast Go embeds sensors into the application’s binary, enabling Contrast to monitor and quickly identify security vulnerabilities. No dedicated security tests are needed; the Contrast agent embedded in the application performs a direct assessment of the application at runtime.

This release is particularly important for organizations seeking to secure APIs. The Contrast Go agent performs composition analysis to locate known vulnerabilities in third-party libraries while employing integrated analysis that analyzes API runtime to detect unknown vulnerabilities. If a new, previously unknown vulnerability is discovered, the Contrast DevSecOps Control Center shows which applications are affected as soon as the vulnerability is discovered.

For Go applications, a better security alternative has not existed until now. The Contrast Go agent detects only those vulnerabilities that matter while making it simple and fast for developers to remediate issues on their own. Through integration and automation, Contrast gives security teams much better accuracy and greater speed than legacy application security tools.

For more information on the new Go support in the Contrast Application Security Platform, check out the podcast: “Modern Application Security Now Available for Golang Applications.”

 

 

Erik Costlow, Director of Developer Relations

Erik Costlow, Director of Developer Relations

Erik Costlow was Oracle’s principal product manager for Java 8 and 9, focused on security and performance. His security expertise involves threat modeling, code analysis, and instrumentation of security sensors. He is working to broaden this approach to security with Contrast Security. Before becoming involved in technology, Erik was a circus performer who juggled fire on a three-wheel vertical unicycle.

SUBSCRIBE TO THE BLOG