Securing modern web applications while ensuring seamless deployment and continous integration is critical. I’ve been leveraging Golang’s capabilities for a while now to build secure and scalable solutions. Go is known for its simplicity, efficiency and but also for strong support for cross-platform compatibility.

By combining DevOps best practices and cybersecurity you’ll get DevSecOps, which offers a unique approach to securing applications throughout the entire development lifecycle: From deployment strategies to monitoring and maintenance.

Why Go?

Apart from personal preferences I think Go is a fantastatic choice for cloud-based applications and running critical components in a cloud infrastructure.

• Cross-Platform Compatibility
  • Write Once, Run Anywhere (WORA): Golang allows you to write code that runs seamlessly across different platforms without modification.
  • Unified Codebase: This ensures consistent application behavior and security practices on Linux, Windows, macOS, and other cloud environments.
• Cloud-Native Tools and Ecosystem
  • Kubernetes Integration: Golang is the primary language for Kubernetes, making it easier to build and deploy applications that run on Kubernetes.
  • Docker Compatibility: Go binaries are statically linked by default, which makes them easy to containerize using Docker.
• Robust Standard Library
  • Rich Set of Packages: The standard library includes a wide range of packages for networking, concurrency, HTTP servers, testing… reducing the need for third-party dependencies.
  • Built-in Security Features: Many packages in the Go standard library are designed with security best practices in mind.
• Microservices Architecture
  • Service-Oriented Design: Golang’s simplicity and performance make it ideal for building microservices that can communicate efficiently over HTTP or other protocols.
  • Lightweight Services: Golang’s ability to create lightweight services makes it suitable for creating large-scale distributed systems.
• Community and Support
  • Large Community: Golang has a large and active community that contributes to its ecosystem with libraries, tools, and best practices.
  • Regular Updates: Go’s regular updates ensure that the language stays up-to-date with modern software development trends and security practices.

Why Go for DevSecOps?

DevSecOps stands for Development Security Operations and represents an approach that integrates Security best practices into the entire software development lifecycle (SDLC). This allows Security to be a fundamental aspect of each stage of development, from planning through deployment. Some key aspects include:

• Continuous Security
  • Security measures are embedded in all phases of the development cycle, including requirements gathering, design, coding, testing, and deployment.
• Shift Left Security
  • This principle emphasizes integrating Security practices earlier in the development process rather than later, which can reduce costs and improve overall software quality by catching issues early.
• Collaboration
  • Developers, security experts, operations teams, and business stakeholders work together throughout the project lifecycle to address security concerns early and consistently.
• Continuous Feedback
  • Quick feedback on security vulnerabilities is provided to development teams so that they can quickly remediate issues before the application goes live.

Golang’s combination of simplicity, robust concurrency support, built-in tools for static analysis and ease of integration into CI/CD pipelines makes it a perfect choice for DevSecOps projects. Its capabilites allow you to develop secure, efficient and scalable applications that align well with modern development best practices.

Projects and examples

• DevSecOps
  • security-monitoring-aws: This project integrates AWS CloudTrail and EventBridge for security monitoring using Lambda functions
  • access-key-rotator: Automates the secure rotation of AWS IAM access keys and stores them in GitHub secrets
  • aws-custom-resource-golang: Custom AWS CloudFormation resources for security automation written in Go
• Security
  • heureka: A comprehensive Security Posture Management tool that manages, tracks, and remediates security issues (vulnerabilities, misconfigurations, policy violations) in cloud environments with a focus on compliance and auditability
• Web & Content Management
  • gocial: Social authentication and interactions using Go for secure web applications
  • widdly: TiddlyWiki server with DynamoDB support and serverless deployment capabilities
  • tw5-cli: Command-line tool for TiddlyWiki 5, streamlining wiki management tasks

References

• 👉 GitHub: https://github.com/dorneanu
• 👉 DevSecOps / Golang: https://defersec.com
• 👉 Blog posts: https://blog.dornea.nu/tags/golang/