Wikimedia Security Team/Golang Symposium May 2019

Date/time: May 29th, 2019 - 5:00 PM UTC

Attending: Scott, Brooke, Dan, Lars, Brian, David, James

Agenda:

  1. Basic thoughts/impressions on Golang as a development language, experiences, any known security issues/concerns.
  2. Current and future Golang Wikimedia projects (blubber, kask, anything else on the horizon?)
  3. Discussion of best practices (specifically security best practices) for Golang development. I'd like to frame this around the OWASP Top 10 for now, but of course discussing any real-world examples people have come across would also be extremely helpful.

Supplemental:

Minutes:

Brooke

  • Golang gives a lot of room to harm yourself
  • Package management - vendor all dependencies
  • github, other repos - can look for problems/issues, potential vulnerabilities for 3rd party code
  • DeSer w/ JSON - serialize into struct w/ defined types
  • Error suppression: intentionally lazy about throwing away errors, should panic in most cases
  • Can cause leaks in channels if not careful
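As an added illustration of two of the points above (decoding JSON into a struct with defined types, and not discarding errors), the following Go example is not code from the meeting or from any Wikimedia project; the `Request` type, its field names and the limit bound are constructed for the example. `DecodeRequest` is the strict pattern: unknown fields, type mismatches and trailing data all surface as returned errors. `DecodeLoosely` is the pattern the notes warn against, kept here only so the difference is visible.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
)

// Request is a hypothetical typed target for an incoming JSON body
// (constructed for this example; not a real project type).
type Request struct {
	Title   string `json:"title"`
	Limit   int    `json:"limit"`
	Verbose bool   `json:"verbose"`
}

// DecodeRequest decodes raw JSON into a Request strictly. Every failure is
// returned to the caller instead of being thrown away:
//   - fields not declared on the struct are rejected (DisallowUnknownFields)
//   - a value of the wrong JSON type for a field is rejected by the decoder
//   - anything after the first JSON value is rejected as trailing data
//   - a simple range check runs on the decoded value
func DecodeRequest(raw []byte) (Request, error) {
	var req Request
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&req); err != nil {
		return Request{}, fmt.Errorf("decode request: %w", err)
	}
	// After one complete value the only acceptable next token is EOF.
	if _, err := dec.Token(); err != io.EOF {
		return Request{}, fmt.Errorf("decode request: unexpected trailing data")
	}
	// Bound is an assumed application limit, constructed for the example.
	if req.Limit < 0 || req.Limit > 500 {
		return Request{}, fmt.Errorf("decode request: limit %d out of range", req.Limit)
	}
	return req, nil
}

// DecodeLoosely shows what the notes advise against: decoding into an
// untyped map and discarding the error. Any shape and any value types are
// accepted, and a parse failure is indistinguishable from an empty body.
func DecodeLoosely(raw []byte) map[string]interface{} {
	var m map[string]interface{}
	_ = json.Unmarshal(raw, &m) // error deliberately discarded to show the anti-pattern
	return m
}

func main() {
	// Constructed sample inputs.
	inputs := []string{
		`{"title":"Main Page","limit":10,"verbose":true}`,
		`{"title":"Main Page","limit":10,"extra":"field"}`,
		`{"title":"Main Page","limit":"10"}`,
		`{"title":"Main Page","limit":10} {"title":"second"}`,
	}
	for _, in := range inputs {
		req, err := DecodeRequest([]byte(in))
		fmt.Printf("strict: %+v err=%v\n", req, err)
		fmt.Printf("loose:  %v\n", DecodeLoosely([]byte(in)))
	}
}
```

The strict decoder is the one to reach for on any trust boundary: the struct is the schema, and the caller decides what to do with each returned error rather than having it silently swallowed.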

Lars

  • Vendoring: checks should happen during CI, etc. in an automated/scheduled fashion
  • Do not merge or deploy code to production that fails vulnerability checks?

Brian

  • Worried about current issues with vulnerable package detection
  • Only good if there are code owners/stewards and issues can be dealt with in a timely fashion

Dan

David (after meeting)

  • Golang required versions? Based upon CVE reporting.

Action Items: