Defensive API development techniques for Gophers

About

Below you can find the slides, recording, and the links from my presentation at LASCON 2023.

Presentation

• Slides
• Recording

References In The Presentation

• Dependency management
  • Renovate
  • govulncheck
  • Go Resty race condition issue (already addressed)
  • HTTP/2 Zero-Day vulnerability results in record-breaking DDoS attacks
• HTTP Routers
  • Go built-in
  • go-chi
  • Gorilla MUX
• Rate limiting
  • go-redis
  • Ratelimit header draft
• JSON Validation
  • gojsonschema
  • OpenAPI Initiative
  • JSON Schema
  • Verosint API Reference

Additional Resources

• OWASP Top 10 API Security Risks
• Open Source Security Foundation
  • scorecard app
• Getting Started with Fuzzing
• How to Parse a JSON Request Body in Go
• Make resilient Go net/http servers using timeouts, deadlines and context cancellation
• Tool selection from ISTQB Certified Tester Advanced Level Test Manager Syllabus

Source Code Repositories

• API Fuzzing Examples
• Defensive API Implementation Examples