[erlang-questions] Security scanning tools for Erlang?

Marco Molteni <>
Wed Oct 26 20:13:22 CEST 2016


I am not aware of any static analysis tool for Erlang.

On the other hand, there are tools that are language-agnostic and that look at the attack surface from the network and I/O point of view.

For example, peach the fuzzer (commercial), scapy (lower-level, requires to customize, open source), american fuzzy loop (open source) and many others.

Or, although not a security tool, the very advanced concolic testing tool by Kostis, CutEr (see recent presentations at Erlang Factory).

I understand all the propositions in the list above require way more time to setup than a static analysis tool. On the other hand, I think they are very important if one _really_ cares about security.

marco



> On 26 Oct 2016, at 19:23, Garry Hodgson <> wrote:
> 
> We are using Erlang for some specialized components in a much larger system. That system now requires that all code must be scanned using an automated tool (e.g. HP's Fortify) that looks for security issues. Fortify does not handle Erlang, and has no plans to do so. Does anyone know of any commercial or Open Source security scanning tools for Erlang code?
> 
> http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/index.html
> 
> Thanks



More information about the erlang-questions mailing list