This workshop is for all gophers who not only want to build cool applications but also want to build security into them. Application security is a complex topic and can be hard to get into. Thus, we will take the first steps with you into the rabbit hole of (Go) security. Together, we start from a very simple web application, learn basic security concepts, and especially learn how to harden our application against those attacks in an easy way. To achieve this aim, we'll briefly explain each attack to give you the information you need to conduct it. After you have seen for yourself that your application is vulnerable, we will fix the issue together and move forward. By the end of the workshop, you will have a simple web application that is protected against basic web security attacks, like CSRF, avoids (at least one) memory safety vulnerability, and is protected against supply chain attacks.
Students will learn to harden a simple (web) application in Go against basic web security attacks, e.g., CSRF, see how the memory safety of Go can be circumvented, and pin their dependencies to avoid supply chain attacks. During the workshop, we will challenge every student to reflect on their code and understand the diversity and complexity of security. After the workshop, every student will be able to dig into the rabbit hole of (Go) security a bit more and check their application against the presented attack vectors. Students of this workshop will not take part in a security competition, such as a capture the flag, nor will they receive a theoretical or an in-depth/advanced introduction to any of the covered topics.
Each student should have a basic understanding of the programming language Go and software development.