Security in Go

Why Go became the language of security tooling — static binaries that drop anywhere, cheap concurrency for scanners, and a crypto/net standard library that covers most of what a tool needs.

The rules of the game — authorization and scope, threat modeling, defense in depth, assume-breach thinking, and responsible disclosure. The line between a professional and a criminal is permission.

The anatomy of a Go security tool — static cross-compiled builds, stripped binaries, embedded assets, and a concurrent worker-pool skeleton with rate limiting and structured logging you can reuse for any scanner.

How a TCP connect scanner works and why Go is ideal for it — a bounded concurrent scanner, banner grabbing for service detection, and the defenses (rate limits, detection, least exposure) that stop it.

Turning open ports into a picture of a network — service and version detection, OS fingerprinting, banner analysis, and assembling a recon report — plus the defenses that reveal less.

Mapping a target's attack surface through DNS — record types and lookups, concurrent subdomain brute-forcing, zone transfers as a misconfiguration, and the defenses that limit what DNS reveals.

Profiling web targets in Go — a custom HTTP client, fingerprinting tech from headers, content and path discovery, and the response-hardening defenses (security headers, generic errors, rate limits) that blunt it.

Finding crashes and vulnerabilities by feeding malformed input — a runnable mutation fuzzer that discovers a parser bug, Go's built-in coverage-guided fuzzing, and why fuzzing your own code is the best defense.

Reading the wire — parsing IP/TCP headers from raw bytes by hand, live capture with gopacket, and using packet analysis defensively for intrusion detection and anomaly monitoring.

Storing secrets the right way — hashing vs encryption vs encoding, why fast hashes are wrong for passwords, salts, and the slow KDFs (bcrypt, scrypt, argon2id) that actually protect credentials.

Keeping data confidential with one shared key — why you reach for authenticated encryption (AES-GCM), the absolute rule of nonce uniqueness, and the broken modes (ECB) you must never use.

How strangers establish trust on the internet — the TLS handshake, certificates and the chain of trust, certificate transparency, and mutual TLS — with runnable Go cert generation and verification.

How good algorithms get broken by bad usage — dictionary attacks on fast hashes, ECB pattern leakage, nonce reuse, hardcoded keys, weak randomness, and timing side-channels — and how to avoid each.

The industry's reference list of the most critical web app security risks — what each category means, how it shows up in Go, and the defensive habit that neutralizes it.

The bug class behind most breaches — why injection happens (mixing data with code), and the structural fixes: parameterized queries, html/template auto-escaping, allowlist validation, and safe path handling.

Server-Side Request Forgery and its cousin CSRF — how an attacker turns your server (or your user's browser) into a confused deputy, and the allowlist / token defenses in Go.

Proving who you are and deciding what you may do — sessions vs tokens, secure token generation and constant-time checks, password verification, and least-privilege authorization (RBAC).

Delegated authorization (OAuth2) vs authentication (OIDC) — the Authorization Code + PKCE flow, access vs ID tokens, and the mistakes that turn 'sign in with…' into account takeover.

Keeping API keys, passwords, and signing keys out of your code, repo, logs, and binary — config from the environment, secret managers, redaction, and rotation.

Turning a working Go server into a hardened one — timeouts and body limits against resource exhaustion, security headers, panic-recovery and rate-limiting middleware, and graceful shutdown.

Shipping a Go binary in a container that's small and hard to attack — minimal/distrolesse base images, non-root, pinned-by-digest, scanned, and the content-addressing that makes 'pinning' real.

Securing everything your code depends on — module integrity via go.sum and the checksum database, govulncheck for known CVEs, minimizing dependencies, pinning, and defending against typosquatting and build-time attacks.