The Attack You Invited • The Applied Go Weekly Newsletter 2025-04-27
Your weekly source of Go news, tips, and projects
The Attack You Invited
Hi,
Untested code should generally be regarded as insecure, and the absence of *_test.go files in a repository, or of integration and end-to-end tests in a project, is a clear warning signal. The opposite isn't true: the existence of tests does not prove that code is secure. To write code that is resistant to attacks, you need to know about existing attack vectors and how to build defenses against them into your code. Failing to do so is an unnecessary invitation for attackers. That is why this week's Spotlight is dedicated to writing secure Go code.
Keep calm and write secure code!
– Christoph
Featured articles
Differential Coverage for Debugging
Forget git bisect, here's differential debugging! Russ Cox rediscovered a technique for narrowing down the cause of a failing test quickly, by generating coverage profiles for the failing and succeeding tests and comparing the two.
Preventing accidental struct copies in Go
A crucial requirement for a sync.WaitGroup is that it must never be copied. However, pass-by-value is the standard way of parameter passing in Go. sync.WaitGroup uses a trick to make go vet flag unintended copying.
Finally a practical solution for undefined fields
Undefined values in JSON data and Go's static typing (plus the use of zero values) don't go well together. The omitzero tag and a few lines of code solve the problem.
Podcast corner
Cup o' Go: Tests just keep getting better, and so do the imaginary internet points!
Jonathan and Shay share the news of the week about conferences, proposals, articles, and new or updated Go apps and libraries.
Fallthrough: From TinyGo to Takeoff
Fallthrough goes tiny: Patricio Whittingslow talks to Dylan and Angelica about TinyGo, the Go compiler for small places.
Spotlight: Security: The Habits That Matter Most
I confess: When writing code, my mind focuses on functionality, clarity, maintainability, and correctness. However, code that is "correct" (as in: working according to the specification) isn't necessarily secure. There are many aspects of security that don't come automatically through the absence of bugs (where "bug" is defined as "not working as specified"). Security measures need to be intentionally added to the code and to the development process (in the form of tools, steps, and conventions).
What are practical steps to take? Focus on three aspects: (1) applying security measures to the code, (2) making use of tools and services, and (3) taking care of supply chain security.
Vulnerabilities are like the mythological nine-headed Hydra: For every head chopped off, the Hydra would regrow two heads. Here is a nine-fold countermeasure—three lists, each containing three security measures.
List 1: Top 3 Security Measures to Add to Code
- Input Validation & Sanitization
User input is usually harmless until it isn't.
- Validate and sanitize user inputs to prevent injection attacks (SQL injection, XSS, etc.)
- Use Go’s html/template package (rather than text/template) for HTML templating, to automatically escape HTML characters
- Secure Authentication & Authorization
Authentication and authorization are popular targets for attackers, so the most important option here, especially if you're inexperienced, is to reach for tested-and-proven libraries and services to handle user management and resource access.
I have no particular recommendation, but the open source projects ZITADEL and Ory Kratos seem to be popular and beginner-friendly.
- Concurrency Safety
Concurrent code has many more moving parts compared to equivalent serial code. Attackers can, for example, exploit data races or goroutine leaks to run Denial-of-Service (DoS) attacks.
- Use Go’s race detector (go test -race) to identify race conditions. Attackers could exploit some forms of race conditions to manipulate data.
- Eliminate Time-of-Check-to-Time-of-Use (TOCTOU) races where an attacker can exploit the gap between validation of a conditional access and the actual access of data.
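To see why the html/template recommendation in List 1 matters, here is a small added example (mine, not code from the newsletter or from any of the linked articles). It renders the same template once with text/template and once with html/template, and shows that only the latter escapes a script tag in element content and neutralizes a javascript: URL in an href attribute; the attribute case goes one step beyond the text above, to show that the escaping is context-aware. The Comment type, the allowlist in ValidateAuthor, and the sample values are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"regexp"
	texttemplate "text/template"
)

// Comment is the data handed to both templates. Author, Body and Website
// stand in for untrusted user input (constructed values, see main).
type Comment struct {
	Author  string
	Body    string
	Website string
}

// Both renderers parse the same source, so the package is the only difference.
const commentTmpl = `<p>{{.Body}}</p><a href="{{.Website}}">site</a>`

// usernameRE is an allowlist (hypothetical policy for this example): validation
// accepts only what is known to be good instead of enumerating bad characters.
var usernameRE = regexp.MustCompile(`^[a-zA-Z0-9_]{1,32}$`)

// ValidateAuthor is the validation step: reject input that does not match the
// allowlist before it reaches a template, a query, or a log line.
func ValidateAuthor(author string) bool {
	return usernameRE.MatchString(author)
}

// RenderText uses text/template, which copies values verbatim into the output:
// whatever the user typed ends up in the page unchanged.
func RenderText(c Comment) (string, error) {
	t, err := texttemplate.New("comment").Parse(commentTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, c); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderHTML uses html/template, which escapes according to the HTML context:
// element content is HTML-escaped, and an href value with an unsafe scheme is
// replaced by the harmless placeholder "#ZgotmplZ".
func RenderHTML(c Comment) (string, error) {
	t, err := htmltemplate.New("comment").Parse(commentTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, c); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample input: a comment body carrying markup and a link
	// whose scheme a browser would execute rather than follow.
	c := Comment{
		Author:  "gopher_42",
		Body:    `<script>alert("xss")</script>`,
		Website: "javascript:alert(1)",
	}
	fmt.Println("author accepted:", ValidateAuthor(c.Author))
	txt, _ := RenderText(c)
	fmt.Println("text/template:", txt)
	h, _ := RenderHTML(c)
	fmt.Println("html/template:", h)
}
```

Run it and compare the two output lines: the text/template version hands the script tag and the javascript: link straight to the browser, while the html/template version renders them as inert text.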
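The TOCTOU gap mentioned in the last list item is easier to see in code. This added example (mine, not from the newsletter's sources) shows a check-then-act withdrawal with and without holding a mutex across both steps; the Account type, the starting balance and the amounts are constructed for the demonstration. Running it with go run -race (or go test -race in a test) flags WithdrawRacy as a data race, which is the race detector doing exactly what the list item asks for.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// Account keeps a balance in cents. Constructed type for this example.
type Account struct {
	mu      sync.Mutex
	balance int64
}

// WithdrawRacy shows the TOCTOU pattern: the balance is checked (time of check)
// and then reduced (time of use) with nothing stopping another goroutine from
// withdrawing in between. Two callers can both see enough money and both
// succeed, overdrawing the account. `go run -race` reports this as a data race.
func (a *Account) WithdrawRacy(amount int64) bool {
	if a.balance >= amount { // check
		a.balance -= amount // use, possibly after someone else changed balance
		return true
	}
	return false
}

// WithdrawSafe removes the gap: the mutex is held from the check through the
// update, so check and use happen as one indivisible step.
func (a *Account) WithdrawSafe(amount int64) bool {
	a.mu.Lock()
	defer a.mu.Unlock()
	if a.balance >= amount {
		a.balance -= amount
		return true
	}
	return false
}

// Balance reads the balance under the lock.
func (a *Account) Balance() int64 {
	a.mu.Lock()
	defer a.mu.Unlock()
	return a.balance
}

// ConcurrentWithdrawals starts n goroutines that each try to withdraw amount
// once via withdraw, released together to maximise contention, and returns how
// many of them succeeded.
func ConcurrentWithdrawals(n int, amount int64, withdraw func(int64) bool) int64 {
	var wg sync.WaitGroup
	var succeeded atomic.Int64
	start := make(chan struct{})
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start
			if withdraw(amount) {
				succeeded.Add(1)
			}
		}()
	}
	close(start)
	wg.Wait()
	return succeeded.Load()
}

func main() {
	// Constructed scenario: 100 cents in the account, 1000 attempts to take 10.
	// Only 10 withdrawals can legitimately succeed.
	racy := &Account{balance: 100}
	n := ConcurrentWithdrawals(1000, 10, racy.WithdrawRacy)
	fmt.Printf("racy: %d withdrawals succeeded, final balance %d\n", n, racy.Balance())

	safe := &Account{balance: 100}
	n = ConcurrentWithdrawals(1000, 10, safe.WithdrawSafe)
	fmt.Printf("safe: %d withdrawals succeeded, final balance %d\n", n, safe.Balance())
}
```

The racy run may report more than 10 successes or a balance that is not a multiple of 10 (lost updates), and its exact numbers change from run to run; the safe run always reports 10 successes and a final balance of 0.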
List 2: Top 3 Security Tools for Go Development
- Static Analysis Tools
Static code analysis can reveal quite a few security-related problems. At a minimum, use these two tools:
- govulncheck: Scans for vulnerabilities in dependencies and binaries
- gosec: Detects insecure code patterns (such as weak RNG or TLS misconfigurations). Also available as a linter; see the following list item.
- Linters
Linters check code quality based on a wide range of (objective and subjective) criteria, including security.
Using the meta-linter golangci-lint is probably a no-brainer among gophers already, but ensure that security-related linters are actually enabled in your environments. The staticcheck and gosec linters are a good start.
- Fuzz Testing
Hand-written unit tests can unintentionally omit rare but critical edge cases that attackers can exploit.
Fuzz testing auto-generates input to uncover such edge-case vulnerabilities that static test cases might have missed.
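Here is what a Go fuzz target looks like in practice, as an added example that is not from the newsletter or the linked guides. ParseHeader is a constructed parser for a single "Name: value" line, and FuzzParseHeader seeds the fuzzer with a few hand-picked inputs and checks two properties the fuzzer then tries to break with mutated input: the parser must never panic, and formatting a parsed header and parsing it again must give the same result. Everything here (the functions, the seeds, the property) is constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"testing"
	"unicode/utf8"
)

// ParseHeader splits one "Name: value" line into its name and trimmed value.
// It rejects lines without a separator, empty names, names containing
// whitespace, and invalid UTF-8 (constructed rules for this example).
func ParseHeader(line string) (name, value string, err error) {
	name, value, found := strings.Cut(line, ":")
	if !found {
		return "", "", errors.New("missing ':' separator")
	}
	if name == "" || strings.ContainsAny(name, " \t\r\n") {
		return "", "", errors.New("invalid header name")
	}
	if !utf8.ValidString(line) {
		return "", "", errors.New("invalid UTF-8")
	}
	return name, strings.TrimSpace(value), nil
}

// FormatHeader is the inverse of ParseHeader; the fuzz target uses it to
// check the round-trip property Parse(Format(Parse(x))) == Parse(x).
func FormatHeader(name, value string) string {
	return name + ": " + value
}

// FuzzParseHeader is the fuzz target. Run it with:
//
//	go test -fuzz=FuzzParseHeader
//
// The seed corpus covers the obvious shapes; the fuzzer mutates them to look
// for inputs that make ParseHeader panic or violate the round-trip property.
// Rejected input is fine (the parser returned an error); a panic is not.
func FuzzParseHeader(f *testing.F) {
	for _, seed := range []string{"Host: example.com", "X-Empty:", ":nope", "no-separator", "A:b:c"} {
		f.Add(seed)
	}
	f.Fuzz(func(t *testing.T, line string) {
		name, value, err := ParseHeader(line)
		if err != nil {
			return
		}
		name2, value2, err := ParseHeader(FormatHeader(name, value))
		if err != nil || name2 != name || value2 != value {
			t.Fatalf("round trip failed for %q: got %q/%q, err=%v", line, name2, value2, err)
		}
	})
}

func main() {
	// Constructed sample lines, run through the parser once for a quick look.
	for _, line := range []string{"Host: example.com", "no-separator", ":nope", "Bad Name: v"} {
		name, value, err := ParseHeader(line)
		fmt.Printf("%-20q -> name=%q value=%q err=%v\n", line, name, value, err)
	}
}
```

The seed inputs are only a starting point: the value of the fuzzer is in the mutated inputs it derives from them (odd bytes, long runs, separators in unexpected places), which is precisely the kind of edge case a hand-written table test tends to leave out.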
List 3: Top 3 Measures for Supply Chain Security in Go
- Dependency Management
Go's module management is conservative about module updates, which is a great plus for security. The Minimum Version Selection algorithm picks the lowest version of a module that satisfies all requirements. Updates to newer versions only happen through human intervention, such as updating dependencies (via go get -u), ideally only after reviewing and testing newer versions of a module.
- Immutable Proxies & Checksums
The Go module proxy not only accelerates module downloads but also ensures that a given version of a module, after being published and downloaded for the first time, cannot be tampered with. It is enabled by default, but for specific requirements, check the documentation to learn how to disable the proxy for company-internal module servers or run your own, private module proxy.
- Minimalism & Isolation
Go fosters minimalist development and deployment in many ways, compiling to a single, static binary being one of them. To further reduce dependencies, consider using sandboxes such as containers or unikernels. The latter offer much higher security than containers do by default, as they bake a single Go executable and a virtual OS layer into a highly isolated micro-VM. Take a look at gokrazy for appliances or Unikraft (note the "k") for unikernel VMs that can replace a container setup.
This list of lists is only the tip of the iceberg, though. It's meant for getting a foot in the door, but frankly, that door is heavy, and to swing it fully open, you have to dig much deeper.
Here are a few resources to get started:
- The OWASP Go Secure Coding Practices Guide: This eBook is the Go version of a secure coding practice reference guide by the Open Worldwide Application Security Project (OWASP). It covers security measures from input validation to cryptographic practices. A must-read.
- Golang Security Best Practices by Ahmad Sadeddin: This long blog post covers many of the topics from the OWASP guide in a concise format—best for getting a first overview of what's necessary to put up the shields.
- Supply Chain Security with Go by Michael Stapelberg: A talk held at the 22nd "Gulaschprogrammiernacht" ("goulash programming night"). Current Go versions have strong support for supply chain security, where the term supply chain includes the Go toolchain itself, 3rd-party modules, and your code.
- Writing Secure Go Code by Jakub Jarosz: A quick-start guide to using security tools. If you feel you have no time for reading the eBook or the long articles above, start here.
- Securing Credentials in Golang With Systemd: Where to securely store credentials and other secrets in a minimal setup? Instead of using standard solutions like Vault or etcd, Stephan Schmidt suggests using what's already there (on a typical Linux system): the system and service manager systemd.
Quote of the Week: Nothing worse
Nothing worse than jumping through 5 abstract abstract wrapper wrappers before you find code that does something.
If you never had the joy of learning and using an OOP language, you probably have no idea what this quote is trying to say. You lucky bastard! (Quoting Monty Python)
More articles, videos, talks
Golang Security Best Practices | Security Articles
Security should not be an afterthought. A long list of how-tos (with code examples) for securing your code.
(Also listed in the Spotlight section)
Layered Design in Go - iRi
With a large section about resolving circular dependencies.
Optimizing Heap Allocations in Golang: A Case Study
An intro to escape analysis.
Where and why should you use iterators in Go?
Interesting use cases for functional iterators.
15 Reasons I Love Go · Applied Go
My love letter to Go that I linked to in the previous issue's Spotlight.
Cheating the Reaper in Go · mcyoung
While the Arena experiment was canceled and memory regions are still under discussion, here is how to build your own memory arenas.
How to use the new "tool" directive - YouTube
With the new tool directive, go.mod can manage tool dependencies alongside module dependencies. Alex Pliutau gives a video introduction.
Projects
Libraries
GitHub - kenshaw/blocked: Package blocked provides unicode block encoding for bitmaps or other data
If you need to visualize bitmaps in a terminal or in other text-only output, package blocked turns your bits into Unicode blocks, with the option of using full blocks, halves, sextants, octants, or braille. (Requirement: a Unicode font that includes the relevant code points)
GitHub - devasherr/Nexom: A strictly-ordered SQL query builder for Go that enforces proper query precedence through type-safe method chaining. Supports any database/sql driver (MySQL, PostgreSQL, SQLite).
If you don't like ORMs, create your own. Nexom is a lightweight query builder that enforces proper query precedence through type-safe method chaining (to quote the author).
Introducing Bappa: A Flexible ECS Game Framework in Go - YouTube
Take a bit of Ebitengine, a pinch of LDtk level editor integration, some homegrown code, and the author's dog's name, et voilà: 2D game framework!
Tip: The examples are interactive (WebAssembly) (except for one video example)
Tools and applications
GitHub - ccbrown/cloud-snitch: Easy-to-use map visualization for AWS activity, inspired by Little Snitch for macOS.
So your AWS deployment complexity becomes overwhelming? Cloud Snitch removes the fog with a birds-eye visualization of your AWS infrastructure.
GitHub - magistraapta/e-comm-microservices
A PoC microservice project featuring a gateway and product, order, and auth services that communicate via gRPC.
GitHub - AdamShannag/hookah: webhooks router
Typically, webhooks involve a sender and a receiver. For more complex scenarios, this webhook router can forward webhooks based on rules.
GitHub - stroiman/gotest.nvim: Automatically run go test on save.
NeoVimmers, if neotest doesn't work for you, try gotest.nvim.
Completely unrelated to Go
Learning Software Skills fast: what worked for us best in the last 15 years
Dirty little secrets: The Three Dots Labs founders (makers of Watermill and the Wild Workouts series) share their learnings from 15 years of learning.
What I'd do as a College Freshman in 2025
"Being supported by AI tools is not a substitute for mastery. You can’t borrow skills. You have to earn them."
👆This.

Happy coding! ʕ◔ϖ◔ʔ
Questions or feedback? Drop me a line. I'd love to hear from you.
Best from Munich, Christoph
Not a subscriber yet?
If you read this newsletter issue online, or if someone forwarded the newsletter to you, subscribe for regular updates to get every new issue earlier than the online version, and more reliable than an occasional forwarding.
Find the subscription form at the end of this page.
How I can help
If you're looking for more useful content around Go, here are some ways I can help you become a better Gopher (or a Gopher at all):
On AppliedGo.net, I blog about Go projects, algorithms and data structures in Go, and other fun stuff.
Or visit the AppliedGo.com blog and learn about language specifics, Go updates, and programming-related stuff.
My AppliedGo YouTube channel hosts quick tip and crash course videos that help you get more productive and creative with Go.
Enroll in my Go course for developers that stands out for its intense use of animated graphics for explaining abstract concepts in an intuitive way. Numerous short and concise lectures allow you to schedule your learning flow as you like.
Christoph Berger IT Products and Services
Dachauer Straße 29
Bergkirchen
Germany