It’s not a secret that the world of software development is going through some massive changes: the increasing speed of releases, the advent of microservices and distributed infrastructures, and more. Rather than relying on a single technology to do everything, developers are able to select the best tools for each task. And one of the technologies that is enabling that change is Go. At Sqreen, we see these changes first hand. Since we started Sqreen in 2015, one of the most requested enhancements has consistently been support for the Go language.
So today, we’re very excited to announce the public release of our Sqreen Go agent. The Go agent provides the same level of protection, observability, and testing as our other languages: Java, PHP, Ruby, Node.js, and Python. It’s the first real Runtime Application Self-Protection (RASP) for Go in the market!
A RASP for Go
A Runtime Application Self-Protection solution offers the deepest level of protection possible, beyond the traditional HTTP layer. It leverages security signals from the full execution context of requests to identify and block attacks exploiting vulnerabilities at run-time. It doesn’t need to use attack patterns or “learn” from your regular traffic to block attacks.
How does it work? If we take the example of a SQL injection, Sqreen’s microagent attaches its SQLi protection to the SQL driver of the application and will check, in a sandboxed environment, that the SQL query that is about to be executed has no executable SQL code coming from the HTTP request that would change the structure of the query.
With Sqreen’s RASP, you can easily cover your app against OWASP top 10 vulnerabilities and some zero-day attacks without triggering false positives.
The benefit of RASP on large-scale distributed environments is that it can be easily deployed across the environment and adapts its protections to every app or microservice it is installed on. No code changes or configurations are required as the microagent embedded into the app automatically adapts to the stack of the service.
But of course, Sqreen’s Go agent comes with the additional solutions of a full-fledged Application Security Management Platform:
- In-App WAF: a Web Application Firewall that is embedded directly inside applications and microservices. It allows teams to make it easy to deploy and manage a WAF at scale. It automatically adapts to your stack to reduce the number of false positives and drastically reduce maintenance costs.
- Application Inventory: an always up-to-date, searchable source of truth of application assets. It centralizes in-app security metadata collected from the microagents deployed on our customers’ applications.
- Vulnerable dependencies database: easily identify Go applications using vulnerable open source packages in production. You get insights on vulnerabilities, even if you don’t update or redeploy your apps.
- And more
Building a dynamic instrumentation agent for a statically typed, compiled programming language like Go wasn’t always as straightforward as for the other languages Sqreen supports. So let’s have a look at what makes Sqreen for Go so unique.
What makes Sqreen for Go so unique?
Built for large-scale production environments
Sqreen’s RASP requires the Go agent to monitor and react (block or log) at run-time in production.
Our main criteria for building our Go agent on which we couldn’t compromise were:
- It needs to be secure and safe by being able to work on any hardened and secured production environments. We, therefore, avoided run-time machine-code modification involving insecure execution privileges.
- It needs to be fast and have a minimum impact on the response time of legitimate traffic while efficiently blocking attacks.
- It needs to have an exhaustive coverage and visibility of the Go application software stack. Everything in the application, from the networking layers to the database drivers, including third-party libraries, must be protected.
Here is a quick overview of how Sqreen’s Go microagent works:
As the infographic above shows, the agent leverages compile-time instrumentation in order to dynamically attach its protections (In-App WAF, RASP, etc.) into the app software stack. This allows security teams to manage their app security live at run time and be able to react to their current security situation without going through a new app deployment cycle.
The best developer experience possible
There are several companies leveraging Go agents to monitor an application’s performance (APM solutions like New Relic, for example). Unfortunately, those agents only stay at a high instrumentation level. They usually require developers to self-instrument their apps with SDKs.
This process is tedious for developers, is limited to the software components you own, and goes against our mission to democratize security. For Go, we wanted to offer the same frictionless developer experience that we offer for our other languages.
Relying on standard Go instrumentation and compilation solutions allows developers to easily install and deploy Sqreen into their existing build and deployment solution. The resulting compiled Go app preserves every Go property: fast (<4% CPU impact when enabled), portable (pure Go implementation), and now secured.
Getting started with Sqreen really just takes a few steps:
- Set the HTTP middleware function for your web framework.
- Download the Go instrumentation tool and compile your program using it.
That’s it! You can read more about our installation in the Go documentation.
Sqreen for Go is already deployed on over 200 production applications.
In this first GA release, Sqreen’s RASP for Go will only support SQL injections. Stay tuned for protections against other OWASP top 10 vulnerabilities like XSS, Shell Injections, and SSRF.
We’re excited to hear your feedback 🙌.