Practical security for Elixir/Phoenix

Posted 2018-01-05 08:35:18

On April 18th I will be giving a one-day workshop on software security at ElixirConf EU in Warsaw. The title of the workshop is “Practical security for Elixir/Phoenix”, and in this post I want to give a brief overview of what you can expect.

Goals

The primary goals of the workshop are:

The keyword is “practical”: at every step on the way we will look at Elixir sample code, wherever possible exploring it at runtime. With a solid understanding of both the ‘why’ and the ‘how’, you should be able to apply the lessons learnt in your own projects immediately.

Outline

  1. Secure software development lifecycle (SDLC) overview
  2. The Erlang/Elixir runtime environment
  3. Built-in defences of Plug, Phoenix, and Ecto
  4. Use of third party software
  5. Handling authentication and authorisation
  6. Building and configuring TLS/HTTPS servers and clients
  7. Use of Erlang’s crypto and PKI APIs
  8. Clustering with distributed Erlang
  9. Keeping secrets
  10. Lessons learnt from past vulnerabilities
  11. Security testing at different stages of the lifecycle

Prerequisites

The workshop assumes basic knowledge of the Elixir language, standard library and tooling. Some parts will dive a little deeper into the Erlang VM or the Erlang standard library, but no prior experience with Erlang is required.

Experience with Phoenix, or web development in general, will make it easier to follow along with those parts that focus on the web. But if web development is not your thing, don’t worry: the workshop covers all layers of the stack; it is not just about XSS and CSRF.

If you want to follow along with the hands-on parts you’ll want to know your way around your laptop’s command line, to install some basic pen-test tools. Even better: prepare a VM with Kali Linux, which comes with all the tools you’ll need pre-installed. Make sure to configure the VM’s networking to allow it to reach your Elixir/Phoenix dev environment. We won’t have much time to go through the setup process on the day of the training, so I’ll try to send out some more detailed preparation instructions beforehand.

Finally, no prior security training is required. All major concepts, such as weaknesses and techniques, will be briefly introduced, and links to learning resources will be provided for those who want to dig deeper. Because the focus is on applicability in the Erlang/Elixir ecosystem, the workshop also has plenty to offer to those with some previous security experience in other languages.

Where do I sign up?

Get your “Early Bird” tickets here while you can. Sale ends on March 11.

If you have any questions, feel free to reach out via Twitter (@voltonez), Keybase (@voltone) or the #security channel on Slack.
