Off BEAM: Secure Coding for the BEAM
Posted 2020-05-04 07:26:41.557621
At CodeBEAM SF 2020 I presented the EEF’s Secure Coding and Deployment Hardening Guidelines. The talk was recorded and was recently published on YouTube, but unfortunately the first 10 minutes are missing.
Update: the full talk is now available, thanks to Code Sync and their video production crew! Here’s the new video; I left the old post with the ‘missing introduction’ below the fold for posterity…
Continue reading...Why Mix no longer installs from HTTP(S) URLs
Posted 2020-01-01 20:02:12.309037
As of Elixir 1.9.3 the use of HTTP or HTTPS URLs in various Mix commands is deprecated, and in 1.10 this functionality will be disabled altogether. This affects the archive.install, escript.install and local.rebar Mix commands.
In this post I will explain why the use of URLs was a security risk, what are the alternatives, and why those alternatives (including Hex) are safe.
Why?
The issue here is that neither Erlang/OTP nor Elixir ships with a CA trust store, and picking up the CA trust store from the operating system is quite hard to do in a reliable, cross-platform way. Without a trust store it is not possible to verify the server’s certificate, which means there is no protection against man-in-the-middle (MitM) attacks. In case of plain HTTP URLs this must have been pretty obvious to users, but when using HTTPS people might be forgiven for thinking they’d be safe from such attacks.
The affected Mix tasks were used to fetch code for local execution or for inclusion into a software product that might be used in production. A MitM attack would allow the attacker to inject malicious code, stealing data or taking over the developer’s machine, build server or even production systems.
Continue reading...Creating an SBoM for Mix projects
Posted 2019-10-24 19:44:48.169213
Any non-trivial modern software project relies, directly or indirectly, on a large number of third party dependencies. Keeping track of updates, known vulnerabilities and license obligations can be a real challenge. Luckily there are tools that can help, both free and commercial.
In order to leverage such tools it is necessary to generate an inventory of the dependencies, including their versions and licenses, in a format the tools can understand. This is called a Software Bill-of-Materials, or SBoM, and an example of an SBoM format is CycloneDX. Tools exist for generating CycloneDX files for various ecosystems, and now there is one for Elixir too.
In this post I will show how to generate an SBoM for a Mix project, and how to use the output with OWASP Dependency-Track.
Continue reading...Older posts
- Learn you some `:ssl` for much security (Posted 2019-04-09 12:43:35.136065)
- Hex package registry vulnerability (Posted 2019-01-29 14:13:52.780049)
- OCSP stapling for Erlang/OTP (Posted 2018-07-11 18:42:50.698413)
- PSA: retiring TLS test domains (Posted 2018-07-11 07:30:04.473948)
- Dual cert RSA/ECDSA server with Erlang/OTP 21 (Posted 2018-07-03 18:55:58.000000)
- Erlang/OTP 21 (Posted 2018-06-23 08:36:19.000000)
- Erlang/OTP 20.3 (Posted 2018-03-14 19:00:53.000000)
- CipherSuites package updated (Posted 2018-03-12 20:16:18.000000)
- Practical security for Elixir/Phoenix (Posted 2018-01-05 08:35:18.000000)
- Security training at ElixirConf EU 2018 (Posted 2017-11-02 20:48:35.000000)
- Unauthorized Erlang? (Posted 2017-04-15 08:26:16.000000)
- Hostname verification with Erlang/OTP 19.3 (Posted 2017-03-17 06:35:40.000000)
- Plug vulnerabilities: impact assessment (Posted 2017-03-01 13:16:28.000000)
- Catching up (Posted 2017-02-27 09:28:27.000000)
- The great HTTPS client shoot-out (Posted 2016-11-05 08:03:50.000000)
- "aRSA+ECDH+AES:@STRENGTH" FTW (Posted 2016-07-05 17:30:20.000000)
- Thou shalt not trust thy neighbour's password (Posted 2016-06-24 19:20:05.000000)
- Who wants cookies? (Posted 2016-06-13 19:35:52.000000)
- Erlang/OTP 19.0 (Posted 2016-06-06 19:02:02.000000)
- ElixirConf.EU talk: video (Posted 2016-06-01 18:52:50.000000)