Wikimedia Security Team/Golang Symposium May 2019

Date/time: May 29th, 2019 - 5:00 PM UTC

Attending: Scott, Brooke, Dan, Lars, Brian, David, James

Agenda:
 * 1) Basic thoughts/impressions on Golang as a development language, experiences, any known security issues/concerns.
 * 2) Current and future Golang Wikimedia projects (blubber, kask, anything else on the horizon?)
 * 3) Discussion of best practices (specifically security best practices) for Golang development.  I'd like to frame this around the OWASP Top 10 for now, but of course discussing any real-world examples people have come across would also be extremely helpful.

Supplemental:
 * Security with Go (book)
 * Blubber (wmf golang project)
 * Kask (wmf golang project, security review)

Minutes:

Brooke
 * Golang gives a lot of room to harm yourself
 * Package management - vendor all dependencies
 * github, other repos - can look for problems/issues, potential vulnerabilities for 3rd party code
 * DeSer w/ JSON - serialize into struct w/ defined types
 * Error suppression: intentionally lazy about throwing away errors, should panic in most cases
 * Can cause leaks in channels if not careful
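The "deserialize into a struct with defined types" and "don't throw away errors" points above, as an added Go example that is not from the meeting or from any WMF project; the Config struct, its field names and the sample JSON are constructed for illustration:

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// Config is a constructed, fully typed decode target; decoding into
// map[string]interface{} would let any shape of input through.
type Config struct {
	Name     string `json:"name"`
	Port     int    `json:"port"`
	Replicas int    `json:"replicas"`
}

// DecodeConfig parses untrusted JSON into Config. Unknown fields, wrong
// types, trailing data and out-of-range values are all returned as errors
// to the caller instead of being discarded with `_`.
func DecodeConfig(raw []byte) (Config, error) {
	var cfg Config
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // reject keys the struct does not declare
	if err := dec.Decode(&cfg); err != nil {
		return Config{}, fmt.Errorf("decode config: %w", err)
	}
	// Decode consumes one JSON value; anything left after it is suspicious.
	if dec.More() {
		return Config{}, errors.New("decode config: trailing data after JSON value")
	}
	if cfg.Port < 1 || cfg.Port > 65535 {
		return Config{}, fmt.Errorf("decode config: port %d out of range", cfg.Port)
	}
	return cfg, nil
}

func main() {
	// Constructed sample inputs: one valid, one with an undeclared key,
	// one with a string where an int is required.
	inputs := []string{
		`{"name":"svc","port":8080,"replicas":2}`,
		`{"name":"svc","port":8080,"replicas":2,"debug":true}`,
		`{"name":"svc","port":"8080","replicas":2}`,
	}
	for _, in := range inputs {
		cfg, err := DecodeConfig([]byte(in))
		fmt.Printf("%+v err=%v\n", cfg, err)
	}
}
```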

Lars, Brian, Dan
 * Vendoring: checks should happen during CI, etc. in an automated/scheduled fashion
 * Do not merge or deploy code to production that fails vulnerability checks?
 * Worried about current issues with vulnerable package detection
 * Only good if there are code owners/stewards and issues can be dealt with in a timely fashion
 * Would be nice to have more automation, gate-and-submit, post-merge, also scheduled, query kubernetes pods, etc.
 * RelEng - blubberoid micro-service, send yaml, variant is output
 * SIG, quarterly meeting? List of reviewers?
 * go-lint, go-vet (call out to both, https://gerrit.wikimedia.org/r/plugins/gitiles/blubber/+/master/Makefile)

David (after meeting)
 * Golang required versions? Based upon CVE reporting.

Action Items:
 * Scott - draft basic golang security best practices from resources and discussion here
 * Scott - schedule golang SIG, assess interest