Security assessment techniques for Go projects

  • Static analysis tools like gosec, go-vet, and staticcheck can help catch low hanging fruits not included in compiler errors & warnings.
  • Dynamic analysis techniques like fuzzing, property testing & fault injection should be used for deeper results.
  • Dynamic testing tools like dvyukov/go-fuzz let you quickly & effectively implement mutational fuzzing.
  • google/gofuzz can help by initializing structures with random value.
  • For property testing, the leanovate/gopter framework addresses the shortcomings of other testers.
  • The build directives of the compiler can be used to perform name linking, and avoid renaming while getting testable access to desired functions.

Full post here, 15 mins read