Creating an SBoM for Mix projects
Posted 2019-10-24 19:44:48.169213
Any non-trivial modern software project relies, directly or indirectly, on a large number of third party dependencies. Keeping track of updates, known vulnerabilities and license obligations can be a real challenge. Luckily there are tools that can help, both free and commercial.
In order to leverage such tools it is necessary to generate an inventory of the dependencies, including their versions and licenses, in a format the tools can understand. This is called a Software Bill-of-Materials, or SBoM, and an example of an SBoM format is CycloneDX. Tools exist for generating CycloneDX files for various ecosystems, and now there is one for Elixir too.
In this post I will show how to generate an SBoM for a Mix project, and how to use the output with OWASP Dependency-Track.
Continue reading...Learn you some `:ssl` for much security
Posted 2019-04-09 12:43:35.136065
Here’s the slide deck for my presentation at ElixirConf EU 2019 today.
I created a gist with all the code snippets, for easy copying and pasting into an iex session. I encourage you to try things out yourself!
P.S. Apologies to Fred for abusing the title of his awesome book…
Update: the video is now available:
Hex package registry vulnerability
Posted 2019-01-29 14:13:52.780049
Recently I came across a vulnerability in the Hex package manager that would let a malicious or compromised mirror host modified versions of popular packages without detection by the client.
The issue, which affected both the Hex plugin for Mix and the Hex client built into Rebar3, has since been fixed. I hope everyone upgraded to Hex v0.19.0 and Rebar3 v3.8.0 by now.
In this post I will explain the background, the vulnerability, the potential impact and the fix.
Continue reading...Older posts
- OCSP stapling for Erlang/OTP (Posted 2018-07-11 18:42:50.698413)
- PSA: retiring TLS test domains (Posted 2018-07-11 07:30:04.473948)
- Dual cert RSA/ECDSA server with Erlang/OTP 21 (Posted 2018-07-03 18:55:58.000000)
- Erlang/OTP 21 (Posted 2018-06-23 08:36:19.000000)
- Erlang/OTP 20.3 (Posted 2018-03-14 19:00:53.000000)
- CipherSuites package updated (Posted 2018-03-12 20:16:18.000000)
- Practical security for Elixir/Phoenix (Posted 2018-01-05 08:35:18.000000)
- Security training at ElixirConf EU 2018 (Posted 2017-11-02 20:48:35.000000)
- Unauthorized Erlang? (Posted 2017-04-15 08:26:16.000000)
- Hostname verification with Erlang/OTP 19.3 (Posted 2017-03-17 06:35:40.000000)
- Plug vulnerabilities: impact assessment (Posted 2017-03-01 13:16:28.000000)
- Catching up (Posted 2017-02-27 09:28:27.000000)
- The great HTTPS client shoot-out (Posted 2016-11-05 08:03:50.000000)
- "aRSA+ECDH+AES:@STRENGTH" FTW (Posted 2016-07-05 17:30:20.000000)
- Thou shalt not trust thy neighbour's password (Posted 2016-06-24 19:20:05.000000)
- Who wants cookies? (Posted 2016-06-13 19:35:52.000000)
- Erlang/OTP 19.0 (Posted 2016-06-06 19:02:02.000000)
- ElixirConf.EU talk: video (Posted 2016-06-01 18:52:50.000000)