Security assessment techniques for Go projects
- Static analysis tools like gosec, go vet, and staticcheck can help catch low-hanging fruit that the compiler's own errors & warnings do not cover.
- Dynamic analysis techniques like fuzzing, property testing & fault injection should be used for deeper results.
- Dynamic testing tools like dvyukov/go-fuzz let you quickly & effectively implement mutational fuzzing.
- google/gofuzz can help by initializing structures with random values.
- For property testing, the leanovate/gopter framework addresses the shortcomings of other testers.
- Compiler directives such as //go:linkname can be used to link to unexported functions, giving tests access to them without renaming them.
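The following is an added example, not code from the original post: a dvyukov/go-fuzz style harness around a small constructed length-prefixed record format. The `Parse`, `Encode` and `Record` names are assumptions made for this illustration. It shows the go-fuzz entry-point contract (the fuzzer feeds mutated bytes to `Fuzz`, a panic is reported as a crash, and the return value steers the corpus) combined with a property check, the round-trip invariant that anything the parser accepts must re-encode byte-for-byte.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Record is a toy length-prefixed message used only for this example:
// 1 byte tag, 2 byte big-endian length, then `length` bytes of value.
type Record struct {
	Tag   uint8
	Value []byte
}

// ErrMalformed is returned for truncated or oversized input.
var ErrMalformed = errors.New("malformed record")

// Parse decodes a Record. It must never panic on attacker-controlled input:
// every length derived from the data is checked before it is used for slicing.
func Parse(data []byte) (Record, error) {
	if len(data) < 3 {
		return Record{}, ErrMalformed
	}
	n := int(binary.BigEndian.Uint16(data[1:3]))
	if len(data) != 3+n {
		return Record{}, ErrMalformed // claimed length disagrees with actual size
	}
	return Record{Tag: data[0], Value: append([]byte(nil), data[3:]...)}, nil
}

// Encode is the inverse of Parse.
func Encode(r Record) ([]byte, error) {
	if len(r.Value) > 0xFFFF {
		return nil, fmt.Errorf("value too long: %d bytes", len(r.Value))
	}
	out := make([]byte, 3+len(r.Value))
	out[0] = r.Tag
	binary.BigEndian.PutUint16(out[1:3], uint16(len(r.Value)))
	copy(out[3:], r.Value)
	return out, nil
}

// Fuzz follows the go-fuzz entry-point contract: go-fuzz calls it with
// mutated inputs and treats any panic as a crash. The return value guides
// the corpus: 1 = interesting input, 0 = not interesting, -1 = never keep.
func Fuzz(data []byte) int {
	r, err := Parse(data)
	if err != nil {
		return 0 // rejected cleanly: correct behaviour, nothing new to learn
	}
	// Property under test: accepted input must round-trip exactly.
	enc, err := Encode(r)
	if err != nil {
		panic(fmt.Sprintf("Encode failed on a record Parse accepted: %v", err))
	}
	if !bytes.Equal(enc, data) {
		panic(fmt.Sprintf("round-trip mismatch: in=%x out=%x", data, enc))
	}
	return 1
}

func main() {
	// Constructed sample inputs; under go-fuzz these would come from the mutator.
	for _, in := range [][]byte{
		{},                                   // too short
		{0x01, 0x00, 0x03, 'a', 'b', 'c'},    // well-formed
		{0x01, 0x00, 0x04, 'a'},              // length claims more than is present
	} {
		fmt.Printf("%x -> %d\n", in, Fuzz(in))
	}
}
```

In real use the harness is compiled with go-fuzz-build and driven by go-fuzz; the explicit length check in `Parse` is exactly the kind of bounds defect that mutational fuzzing surfaces quickly when it is missing, since an inconsistent length would otherwise panic on the slice.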
Full post here, 15 mins read