Fuzzers, analyzers, and other Gophers insecticides
2021-10-12, 11:00–11:50, The Point

Go is a great language that is explicit, simple, and it makes writing concurrency extremely easy. Yet, it suffers from many of the same vulnerabilities you'd encounter in C and C++ applications. Writing concurrent Go code can also be risky, as vicious concurrency bugs can slowly sneak into your application. So, how can you get started discovering vulnerabilities in Go code? This talk will discuss approaches to finding vulnerabilities in Go code and the state of static and dynamic analysis tools for automated discovery of Go vulnerabilities, from static analysis to fuzzing to fault injection. We will learn about common vulnerabilities in Go and how to catch them, whether you are a security researcher or a Go developer.


Go is a great language that is explicit, simple, and it makes writing concurrency extremely easy. Yet, it suffers from many of the same vulnerabilities you'd encounter in C and C++ applications. Writing concurrent Go code can also be risky, as vicious concurrency bugs can slowly sneak into your application. So, how can you get started discovering vulnerabilities in Go code? This talk will discuss approaches to finding vulnerabilities in Go code and the state of static and dynamic analysis tools for automated discovery of Go vulnerabilities, from static analysis to fuzzing to fault injection. We will learn about common vulnerabilities in Go and how to catch them, whether you are a security researcher or a Go developer. We will focus on:

  • Learning common bugs in Go applications
  • Learn the types of concurrency bugs that are common to Go
  • Discuss the state of tooling for catching and discovering Go bugs and the techniques that they rely on
  • Demonstrate Gotico, a tool currently in development for catching library-specific bugs