Wikimedia Security Team/Golang Symposium May 2019
Date/time: May 29th, 2019 - 5:00 PM UTC
Attending: Scott, Brooke, Dan, Lars, Brian, David, James
Agenda:
- Basic thoughts/impressions on Golang as a development language, experiences, any known security issues/concerns.
- Current and future Golang Wikimedia projects (blubber, kask, anything else on the horizon?)
- Discussion of best practices (specifically security best practices) for Golang development. I'd like to frame this around the OWASP Top 10 for now, but of course discussing any real-world examples people have come across would also be extremely helpful.
Supplemental:
- Security with Go (book)
- Blubber (wmf golang project)
- Kask (wmf golang project, security review)
Minutes:
Brooke
- Golang gives a lot of room to harm yourself
- Package management - vendor all dependencies
- github, other repos - can look for problems/issues, potential vulnerabilities for 3rd party code
- DeSer w/ JSON - serialize into struct w/ defined types
- Error suppression: intentionally lazy about throwing away errors, should panic in most cases
- Can cause leaks in channels if not careful
Lars
- Vendoring: checks should happen during CI, etc. in an automated/scheduled fashion
- Do not merge or deploy code to production that fails vulnerability checks?
Brian
- Worried about current issues with vulnerable package detection
- Only good if there are code owners/stewards and issues can be dealth with in a timely fashion
Dan
- Would be nice to have more automation, gate-and-submit, post-merge, also scheduled, query kubernetes pods, etc.
- RelEng - blubberoid micro-service, send yaml, variant is output
- SIG, quarterly meeting? List of reviewers?
- go-lint, go-vet (call out to both, https://gerrit.wikimedia.org/r/plugins/gitiles/blubber/+/master/Makefile)
David (after meeting)
- Golang required versions? Based upon CVE reporting.
Action Items:
- Scott - draft basic golang security best practices from resources and discussion here
- Scott - schedule golang SIG, assess interest