[erlang-questions] Security scanning tools for Erlang?

Éric Pailleau eric.pailleau@REDACTED
Thu Oct 27 20:34:55 CEST 2016


Hi,
I do not know if static analysis for security is needed, but I would love it if the OTP team, or others, supplied AppArmor rules for each new Erlang VM. Maybe this already exists; if so, please share...

I know there is a 'learning' mode, but it is hard to do this at each new release.
This would help to extend our own apparmor rules for applications. 
Regards 

"Sent from my mobile" Eric

---- Andrew Varner wrote ----

>Static analysis of Erlang for security issues could be useful.
>
>SQL and other database query language injection is still a problem in Erlang. Writing checks for each of the forks of each database driver is an added thrill. Shell injection from calls like os:cmd/1 and erlang:open_port/2 is possible. Erlang-specific denial of service attacks can leverage system limits on atoms or ETS tables. Flagging on *_to_atom/1 and recommending *_to_existing_atom/1 would be nice. Parsing user-provided URIs using http_uri:parse/1 or parse/2 without a validation function opens the atom table to exploitation, since these functions call list_to_atom/1 under the covers. Certain built-in libraries can be called in an unsafe fashion.  Functions in the ssl library could be called without options set for certificate revocation list (CRL) or could use verify_none. Erlang code can still fall victim to standard coding vulnerabilities like input sanitation, race conditions (e.g. temp files), etc.
>
>You could probably implement rules to detect this in Elvis (https://github.com/inaka/elvis).
>
>> On Oct 26, 2016, at 1:23 PM, Garry Hodgson <garry@REDACTED> wrote:
>> 
>> We are using Erlang for some specialized components in a much larger system. That system now requires that all code must be scanned using an automated tool (e.g. HP's Fortify) that looks for security issues. Fortify does not handle Erlang, and has no plans to do so. Does anyone know of any commercial or Open Source security scanning tools for Erlang code?
>> 
>> http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/index.html
>> 
>> Thanks
>> 
>> 
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>
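To make the atom-table point from Andrew's message concrete, here is an added example (mine, not code from the thread, from OTP or from Elvis) that wraps the *_to_existing_atom/1 conversion he recommends and measures atom-table growth with erlang:system_info(atom_count); it assumes OTP 20 or later for that counter, and the module and function names are my own.

```erlang
%% atom_safety.erl: added example, not from the mailing list or OTP.
%% Assumes OTP 20+ for erlang:system_info(atom_count).
-module(atom_safety).
-export([to_existing_atom/1, atom_table_growth/2, demo/0]).

%% Convert untrusted input to an atom only when that atom already exists,
%% e.g. because the code that dispatches on it was compiled with it.
%% Unknown names are rejected instead of being added to the atom table,
%% which is never garbage collected and has a fixed system limit.
-spec to_existing_atom(binary() | string()) -> {ok, atom()} | {error, unknown_atom}.
to_existing_atom(Bin) when is_binary(Bin) ->
    try
        {ok, binary_to_existing_atom(Bin, utf8)}
    catch
        error:badarg -> {error, unknown_atom}
    end;
to_existing_atom(Str) when is_list(Str) ->
    try
        {ok, list_to_existing_atom(Str)}
    catch
        error:badarg -> {error, unknown_atom}
    end.

%% Apply Fun to every input and report how many atoms it added to the table.
%% Returns {AtomsAdded, Results}.
-spec atom_table_growth(fun((binary()) -> term()), [binary()]) ->
          {non_neg_integer(), [term()]}.
atom_table_growth(Fun, Inputs) ->
    Before = erlang:system_info(atom_count),
    Results = [Fun(I) || I <- Inputs],
    After = erlang:system_info(atom_count),
    {After - Before, Results}.

%% Constructed "request" names that no existing atom should match; the
%% safe converter leaves the table unchanged, while binary_to_atom/2 adds
%% one permanent atom per distinct name (the pattern a scanner should flag).
demo() ->
    Inputs = [<<"untrusted_name_", (integer_to_binary(N))/binary>>
              || N <- lists:seq(1, 1000)],
    {SafeAdded, _} = atom_table_growth(fun to_existing_atom/1, Inputs),
    {UnsafeAdded, _} = atom_table_growth(fun(B) -> binary_to_atom(B, utf8) end,
                                         Inputs),
    #{safe_atoms_added => SafeAdded, unsafe_atoms_added => UnsafeAdded}.
```

Compile with `erlc atom_safety.erl` and call `atom_safety:demo()` from a shell; the same wrapper applies to the URI case in the message, since http_uri:parse/1,2 reach list_to_atom/1 for the scheme unless a validation function is supplied.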