Go security pitfalls; 2 lessons from the battlefield at Grafana Labs - Jeremy Matos

Statically Typed Languages and Security

• Statically typed languages like Go are more secure due to their nature.
• It’s super hard to have remote code execution in a statically typed language.

Fuzzing and Security

• Fuzzing is used to test software for vulnerabilities by feeding it malicious inputs.
• It’s especially useful for testing complex or hard-to-understand code.
• Fuzzing can help identify unexpected program behavior and vulnerabilities.

Go’s Memory Management

• Go tries to be smart about memory management for arrays.
• The Go compiler reserves memory for an array, but this can lead to unexpected behavior if not carefully managed.

Slices and Sharing

• Go’s slices are references, not copies.
• This means that modifying a slice can affect the original array.
• Care must be taken when working with slices to avoid unexpected behavior.

Concurrency and Security

• Concurrency in Go can be challenging and is a common source of vulnerabilities.
• It’s essential to carefully consider concurrency when writing secure code.

Patching and Zero-Days

• Zero-day vulnerabilities are especially dangerous, as they can be exploited immediately.
• Patching is crucial to prevent exploitation of zero-day vulnerabilities.

Communication and Transparency

• Open communication and transparency are essential for building trust in software development and security.
• Fuzzing and security testing should be performed openly, and results should be shared.