Chapter 12. Security

No technology that’s connected to the Internet is unhackable.

Abhijit Naskar, The Gospel of Technology

It can’t be overstated: security is everyone’s responsibility.

Too often, security is a distant afterthought in the software development process. Or worse, it’s treated as the exclusive job of a dedicated security person or team to worry about.

This is a bad idea for a bunch of reasons, not the least of which is that it keeps security personnel isolated from the software development process, virtually guaranteeing that vulnerabilities in the software won’t be addressed until late in the development cycle. It also discourages developers from thinking about security practices, making it far more likely that they’ll introduce security flaws into their code.

If you take one thing away from this chapter, take this: producing a safe, secure product is the job of everybody involved in its construction.

In this chapter, we’ll explore a variety of techniques, ranging from simple to complex, for doing exactly that. These include topics such as authentication, authorization, access control, data protection, and encryption. We’ll also discuss security best practices for Go, emphasizing input sanitization, validation, defensive programming, and a variety of techniques for reducing complexity.

Go: Secure by Design

Like any language, Go is only as secure as the way it’s used, but it does boast a number of features designed to reduce or eliminate certain classes ...
