This document discusses security of Go modules and vulnerability scanning in GoCenter and VSCode. It provides an overview of dependency management in Go with modules and checksum databases, how hashes are used to ensure integrity and detect changes. It demonstrates how GoCenter caches modules and versions, provides vulnerability information and scans dependencies. It shows building a basic Go web app in VSCode and using the JFrog extension for security alerts during development.
Security of go modules and vulnerability scanning in GoCenterDeep Datta
Go 1.13 introduced important security features to Go Modules including a checksumdb. Deep Datta from JFrog will explain how this works and provide info on other tools that keep modules secure. He will review GoCenter’s vulnerability scanning capabilities so developers can check for security issues or known vulnerabilities.
Security of go modules and vulnerability scanning in GoCenterDeep Datta
Go 1.13 introduced important security features to Go Modules including a checksumdb. Deep Datta from JFrog will explain how this works and provide info on other tools that keep modules secure. He will review GoCenter’s vulnerability scanning capabilities so developers can check for security issues or known vulnerabilities.
Go 1.13 introduced important security features to Go Modules including a checksumdb. Deep Datta from JFrog will explain how this works and provide info on other tools that keep modules secure. He will review GoCenter’s vulnerability scanning capabilities so developers can check for security issues or known vulnerabilities.
Tegra 186 (Tegra-P1 : Pascal GPU搭載のTegra)のu-bootとLinuxについて、
特に、BPMP (Boot and Power Management Processer)に関してです。
About u-boot and Linux of Tegra 186 (Tegra-P1: Tegra with Pascal GPU)
In particular, it is about BPMP (Boot and Power Management Processer).
Chromium Sandbox on Linux (BlackHoodie 2018)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
Ведущие: Денис Макрушин и Юрий Наместников
Среди прочих мер, направленных на защиту корпоративной инфраструктуры от злоумышленников, специалисты по безопасности полагаются на строгую политику ограничения доступа приложений к интернету. Защита информационных систем предприятия основана главным образом на принципе «запретить все, что не разрешено». Тем временем угрозы безопасности притаились в недрах корпоративных сетей и ждут, когда у сотрудников закончится рабочий день. Мы расскажем вам, как с наступлением темноты киберпреступники используют Notepad, AutoCAD, Tomcat и SQL Server в своих целях.
Linux Security APIs and the Chromium SandboxPatricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.
The Chromium Sandbox is used in the Vivaldi, Brave, Chrome and Opera browsers among others. It has a very platform specific implementation, using the platform APIs available to construct it. In this talk we will describe the requirements of the Chromium Sandbox and go through the steps and APIs used to construct it on Linux.
Windows Systems & Code Signing Protection by Paul RascagneresShakacon
This presentation explains the code signing mechanism (authenticode) developed by Microsoft on Windows systems. The presentation will first explain the kernel implication and the impact on driver development. This protection firstly annoyed rootkit developers but they found several ways to bypass it. Well-known rootkits such as Derusbi, Uroburos or GrayFish use tricks to bypass driver signature. These techniques will be described during the presentation. Finally, the user-land will be discussed with the new library injection protection based on code signing implemented in Windows 10 TH2 and especially for the Edge process.
My lightening talk given at GopherCon EU on June 18th!
Golang developers care a lot about security and as Go modules become more widely used, they need more ways to assure these publicly shared packages are safe.
One unique feature included with Golang version 1.13 is the foresight that went into authentication and security for Go modules. When a developer creates a new module or a new version of an existing module, a go.sum file included there creates a list of SHA-256 hashes that are unique to that module version. That go.sum file is then sent to Google’s official checksum database where it is stored and used to verify that modules haven’t been tampered with when accessed later by a GOPROXY. This helps keep the integrity of packages intact. In this talk, we’ll go over the behavior of the checksum database, how it protects Go modules, and how the merkle-tree works.
Now, while the checksum authentication feature helps create trust among developers, it isn’t fully tamperproof. If a vulnerability is introduced in the original module’s files, the gosumdb will only be able to indicate that the module wasn’t changed later. This doesn’t solve the problem of malicious code being introduced in the very first commit.
Luckily, GoCenter can now tell you when any Go module has a known vulnerability. We’ve brought the power of JFrog Xray’s security scanning to this reliable repository of Go modules for the Golang developer community.
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
Go 1.13 introduced important security features to Go Modules including a checksumdb. Deep Datta from JFrog will explain how this works and provide info on other tools that keep modules secure. He will review GoCenter’s vulnerability scanning capabilities so developers can check for security issues or known vulnerabilities.
Tegra 186 (Tegra-P1 : Pascal GPU搭載のTegra)のu-bootとLinuxについて、
特に、BPMP (Boot and Power Management Processer)に関してです。
About u-boot and Linux of Tegra 186 (Tegra-P1: Tegra with Pascal GPU)
In particular, it is about BPMP (Boot and Power Management Processer).
Chromium Sandbox on Linux (BlackHoodie 2018)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
Ведущие: Денис Макрушин и Юрий Наместников
Среди прочих мер, направленных на защиту корпоративной инфраструктуры от злоумышленников, специалисты по безопасности полагаются на строгую политику ограничения доступа приложений к интернету. Защита информационных систем предприятия основана главным образом на принципе «запретить все, что не разрешено». Тем временем угрозы безопасности притаились в недрах корпоративных сетей и ждут, когда у сотрудников закончится рабочий день. Мы расскажем вам, как с наступлением темноты киберпреступники используют Notepad, AutoCAD, Tomcat и SQL Server в своих целях.
Linux Security APIs and the Chromium SandboxPatricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.
The Chromium Sandbox is used in the Vivaldi, Brave, Chrome and Opera browsers among others. It has a very platform specific implementation, using the platform APIs available to construct it. In this talk we will describe the requirements of the Chromium Sandbox and go through the steps and APIs used to construct it on Linux.
Windows Systems & Code Signing Protection by Paul RascagneresShakacon
This presentation explains the code signing mechanism (authenticode) developed by Microsoft on Windows systems. The presentation will first explain the kernel implication and the impact on driver development. This protection firstly annoyed rootkit developers but they found several ways to bypass it. Well-known rootkits such as Derusbi, Uroburos or GrayFish use tricks to bypass driver signature. These techniques will be described during the presentation. Finally, the user-land will be discussed with the new library injection protection based on code signing implemented in Windows 10 TH2 and especially for the Edge process.
My lightening talk given at GopherCon EU on June 18th!
Golang developers care a lot about security and as Go modules become more widely used, they need more ways to assure these publicly shared packages are safe.
One unique feature included with Golang version 1.13 is the foresight that went into authentication and security for Go modules. When a developer creates a new module or a new version of an existing module, a go.sum file included there creates a list of SHA-256 hashes that are unique to that module version. That go.sum file is then sent to Google’s official checksum database where it is stored and used to verify that modules haven’t been tampered with when accessed later by a GOPROXY. This helps keep the integrity of packages intact. In this talk, we’ll go over the behavior of the checksum database, how it protects Go modules, and how the merkle-tree works.
Now, while the checksum authentication feature helps create trust among developers, it isn’t fully tamperproof. If a vulnerability is introduced in the original module’s files, the gosumdb will only be able to indicate that the module wasn’t changed later. This doesn’t solve the problem of malicious code being introduced in the very first commit.
Luckily, GoCenter can now tell you when any Go module has a known vulnerability. We’ve brought the power of JFrog Xray’s security scanning to this reliable repository of Go modules for the Golang developer community.
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context. This is the sandbox used in the Vivaldi, Brave, Chrome and Opera browsers among others. The Chromium Sandbox has a very platform specific implementation, using the platform APIs available to construct it. In this talk we will describe the requirements of the Chromium Sandbox in detail and go through how the Linux implementation fulfills these requirements.
Finding target for hacking on internet is now easierDavid Thomas
Finding target on internet for penetration testing involves searching internet using google or using Google Hacking/Dorking. There are google hacking queries available on internet, according to ethical hacking researcher of International Institute of Cyber Security it is the main source of passive attacks on internet. This whole process of finding target on internet using GHDB is automated using python based framework named as Katana framework.
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.
This presentation goes more in depth on some key points from the NDC (2017) presentation.
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for ModulesMitali Bisht
Explaining pseudo-version, how restrictions have been enforced for pseudo-version in Go 1.13 along with go sumdb, resolving them , features in Go 1.14+ related to modules
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.
This presentation goes more in depth on some key points from the NDC (2017) presentation.
Grokking Techtalk #38: Escape Analysis in Go compilerGrokking VN
Trong quá trình phân tích hiệu năng, hiểu và nắm vững ngôn ngữ lập trình cũng như cách thiết kế của nó là rất hữu ích. Go là một trong những ngôn ngữ được sử dụng phổ biến trong các hệ thống phân tán có hiệu năng cao. Để hiểu rõ hơn cách mà Go compiler phân tích cách cấp phát bộ nhớ khi biên dịch chương trình, hãy nghe những chia sẻ của anh Cường về Escape Analysis trong Go compiler.
Về diễn giả:
Anh Lê Mạnh Cường là một kĩ sư phần mềm có 8 năm kinh nghiệm chuyên sâu trong backend và Quản trị hệ thống Linux. Là một OSS contributor tích cực, anh Cường đã có nhiều cống hiến vào cộng đồng mã nguồn mở, đặc biệt là Go và ecosystem của Go.
Jump into Squeak - Integrate Squeak projects with Docker & Githubhubx
Squeak projects are hard to explore for new Smalltalk programmers. We propose a system that lowers entry barriers and provides
an experience comparable to the of web demos. Our system integrates
into Github and provides Git support for Squeak
Cross Context Scripting (XCS) is a type of XSS (Cross Site Scripting) injection which occurs from an untrusted zone, typically a web page on the Internet into the context of a trusted browser zone.
XSS injection in a trusted browser zone can be 'lethal', as injected payload runs as privileged code. No SOP (Same-Origin Policy) restrictions are enforced and direct interfacing with the underlying OS is possible.
To exploit such bugs, there is no need to use ROP gadgets, spray the heap or attempt other complex techniques. At the opposite, only few elements are required for a successful exploit, such as the right injection point and a tailored exploit payload.
This presentation will examine XCS in details and will provide a demonstration of XCS exploits of both unpatched and patched vulnerabilities in Firefox, Opera, Maxthon and Avant browsers.
Similar to Security of Go Modules and Vulnerability Scanning in GoCenter and VS Code (20)
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Connector Corner: Automate dynamic content and events by pushing a button
Security of Go Modules and Vulnerability Scanning in GoCenter and VS Code
1. SECURITY OF GO MODULES AND
VULNERABILITY SCANNING IN
GOCENTER AND VSCODE
2. ● Presentation Slides
● Video later
● JFrog T-Shirts Raffle - Win 1 of 10 JFrog Gopher T-Shirts
https://bit.ly/GoRemoteGoCenter
3. 3
Agenda
● Dependency management in Go v1.13 and Go modules
● Checksum database concepts
● Committing a new Go module to the checksum database
● Vulnerability information in GoCenter
● DEMO: Security in VSCode
● Q&A
● Introduction
5. 5
Dependency management and Go Modules
Go 1.11 Introduced Go Modules
module main.go
go 1.13
require
github.com/sirupsen/logrus
v1.4.2
go.mod
github.com/davecgh/go-spew v1.1.1/go.mod
h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/konsorten/go-windows-terminal-sequenc
es v1.0.1/go.mod
h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/pmezard/go-difflib v1.0.0/go.mod
h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/sirupsen/logrus v1.4.2
h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
github.com/sirupsen/logrus v1.4.2/go.mod
h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/stretchr/objx v0.1.1/go.mod
h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.2.2/go.mod
h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
golang.org/x/sys
v0.0.0-20190422165155-953cdadca894
h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=
golang.org/x/sys
v0.0.0-20190422165155-953cdadca894/go.mod
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
go.sum
Go 1.13 Go Modules become
standard
Basic data security and
data integrity with go.sum
and go.mod
The go mod init command wrote
a go.mod file
you will see a file called
go.sum gets created
glide, gopath, dep, vendoring...
7. 7
SHA-256
cryptographic hash algorithms produce irreversible and unique hashes
Irreversible because you can’t use the hash to figure out what the original piece of data was
Unique means that two different pieces of data can never produce the same hash
8. 8
ChecksumDB and the Merkle Tree
At its core, a Merkle Tree is a list of items representing the data that should be verified.
data data data data
hash hash hash hash
hash hash
hash
go.sum data
Each of these items is inserted into a leaf node and a tree of hashes is constructed.
If you change the data, the hash will also change - all the through the tree.
root
9. 9
checksum database
Module 1
(go.sum)
Module 2
(go.sum)
go.sum
go.sum
go.sum
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
go.sum
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
https://sum.golang.org/
10. 10
The checksum database ensures that the go command
always adds the same lines to everyone's go.sum file.
https://sum.golang.org/
Whenever the go command receives new source code, it
can verify the hash of that code against this global
database to make sure the hashes match…
...ensuring that everyone is using the same code for a
given version.
11. 11
How hashes protect you
Module 1
(go.sum)
Module 1
(go.sum)
go.sum
go.sum
go.sum
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
https://sum.golang.org/
Minor content change
12. 12
Let’s say you
create your first
Go module.
package main
import {
“encoding/json”,
“io/ioutil”,
“net/http”,
“os”,
“text/template”
}
type TodoPageData struct {
PageTitle string
Todos []Todo
}
...
You save it as mod1
go.mod go.sum
main.go
15. 15
Both versions have been committed to the checksum db
github.com/dee
pda/mod1
github.com/dee
pda/mod1/v2
go.sum
go.sum
go.sum
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
go.sum
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
16. 16
If someone
imports….
package main
import {
“encoding/json”,
“io/ioutil”,
“net/http”,
“os”,
“text/template”
}
type TodoPageData struct {
PageTitle string
Todos []Todo
}
...
mod1
main.go
They open
themselves up to
a XSS (cross site
scripting) attack
...imagine if your app is a
dependency for other
projects...
17. 17
Let’s summarize so far
go.sum file uses a list of SHA-256 hashes to match the checksumdb when imported
go.mod stores a list of each dependency and version
Hashes are used to detect misbehavior by an origin server or proxy that provides
different code for the same version
However, the go.sum file has a limitation, it works entirely
by trust based on user’s first use...
Vulnerabilities will remain in that version of the module
18. 18
Introducing JFrog GoCenter with Xray Security
GoCenter is a GOPROXY that caches metadata and source code in its
own storage system.
This allows the mirror to continue to serve source code that is no longer
available from the original locations thus speeding up downloads and
protect users from the disappearing dependencies.
export GOPROXY=https://gocenter.io
GoCenter has every version of a publically available module.
22. 22
Every module and version is scanned and actively provides a security warning
github.com/dee
pda/mod1
github.com/dee
pda/mod1/v2
Versions tab also shows you which version are safe...or not.
24. 24
Next: Building a Golang Project in VSCode
Inside VSCode, type “JFrog” to find the free security scanning extension
25. 25
Building my first Web application with Go in VSCode
A basic web application viewed in the browser with Go
Using GORM and sqlite to configure a database
Security alerts in Visual Studio Code with JFrog Extension