<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<meta content="text/html; charset=UTF-8">
<style type="text/css" style="">
<!--
p
{margin-top:0;
margin-bottom:0}
-->
</style>
<div dir="ltr">
<div id="x_divtagdefaultwrapper" style="font-size:12pt; color:#000000; font-family:Calibri,Arial,Helvetica,sans-serif">
<p>I think the difficulty here is defining what such a tool would ever evaluate.</p>
<p><br>
</p>
<p>Erlang is memory safe, so the myriad of tooling for C just doesn't make sense. If you look at static analysis tools for languages like PHP, you're looking at things like unsafe use of mysql_query(). Static analysis tools for Ruby basically look for poor
use of the Rails framework. Except such a thing isn't part of the standard library in Erlang, and it would be infeasible for a security scanner to "just work" with the myriad of requirements of various third-party libraries. I've used Fortify, and I cannot
think of a single thing it actually detects on any platform that would be relevant to the Erlang standard library.</p>
<p><br>
</p>
<p>I appreciate having a directive handed down like this requires just doing something, so I would suggest:</p>
<p><br>
</p>
<p>* Dialyzer, whilst not being directly targeted at security, can identify programming bugs which may well be security issues.</p>
<p>* PropEr and related tools can identify unexpected behaviour, which in turn can be considered a security analysis.</p>
<p>* Assuming you have a web API of some description, utilising something like ZAP to approach that as a black-box web application can be an effective measure.<br>
</p>
</div>
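<p>To make the Dialyzer and PropEr suggestions above concrete, here is an added example (not code from any message in this thread, and not from the Dialyzer or PropEr projects). It assumes the PropEr library is on the code path and uses a hypothetical parser, <code>parse_header/1</code>, for untrusted input: the <code>-spec</code> lets Dialyzer flag callers that pass the wrong type or ignore the error return, and the property asserts that no binary, however malformed, can make the parser raise.</p>

```erlang
%% hdr_check.erl: added example, not from the original thread.
%% Assumes PropEr (https://github.com/proper-testing/proper) is available;
%% parse_header/1 is a hypothetical parser written for this illustration.
-module(hdr_check).
-export([parse_header/1, prop_never_crashes/0]).
-include_lib("proper/include/proper.hrl").

-type header() :: {binary(), binary()}.

%% Parse "Name: Value" out of an untrusted binary.
%% The spec is what Dialyzer checks callers against: code that passes a
%% list instead of a binary, or pattern-matches only on {ok, _} and so
%% would crash on {error, malformed}, shows up in the Dialyzer report.
-spec parse_header(binary()) -> {ok, header()} | {error, malformed}.
parse_header(Bin) when is_binary(Bin) ->
    case binary:split(Bin, <<": ">>) of
        [Name, Value] when byte_size(Name) > 0 -> {ok, {Name, Value}};
        _ -> {error, malformed}
    end.

%% PropEr property: for ANY binary input the parser returns one of the two
%% declared shapes and never raises. A crash here is the "unexpected
%% behaviour" that, in a real service, would let attacker-controlled input
%% take down the handling process.
%% Run with: proper:quickcheck(hdr_check:prop_never_crashes()).
prop_never_crashes() ->
    ?FORALL(Bin, binary(),
            case catch parse_header(Bin) of
                {ok, {N, V}}      -> is_binary(N) andalso is_binary(V);
                {error, malformed} -> true;
                _Other             -> false
            end).
```

<p>Compile with <code>erlc</code>, run <code>dialyzer hdr_check.erl</code> to get the type-level report, and call <code>proper:quickcheck(hdr_check:prop_never_crashes())</code> for the randomised input check; neither tool knows anything about "security", which is exactly the point of the thread, but both surface the class of bug (bad input reaching an unguarded code path) that usually is the security issue.</p>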
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> erlang-questions-bounces@erlang.org <erlang-questions-bounces@erlang.org> on behalf of Marco Molteni <marco.molteni@laposte.net><br>
<b>Sent:</b> Thursday, 27 October 2016 5:13:22 AM<br>
<b>To:</b> erlang-questions<br>
<b>Subject:</b> Re: [erlang-questions] Security scanning tools for Erlang?</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">I am not aware of any static analysis tool for Erlang.<br>
<br>
On the other hand, there are tools that are language-agnostic and that look at the attack surface from the network and I/O point of view.<br>
<br>
For example, Peach the fuzzer (commercial), Scapy (lower-level, requires customization, open source), American Fuzzy Lop (open source) and many others.<br>
<br>
Or, although not a security tool, the very advanced concolic testing tool by Kostis, CutEr (see recent presentations at Erlang Factory).<br>
<br>
I understand all the propositions in the list above require way more time to setup than a static analysis tool. On the other hand, I think they are very important if one _really_ cares about security.<br>
<br>
marco<br>
<br>
<br>
<br>
> On 26 Oct 2016, at 19:23, Garry Hodgson <garry@research.att.com> wrote:<br>
> <br>
> We are using Erlang for some specialized components in a much larger system. That system now requires that all code must be scanned using an automated tool (e.g. HP's Fortify) that looks for security issues. Fortify does not handle Erlang, and has no plans
to do so. Does anyone know of any commercial or Open Source security scanning tools for Erlang code?<br>
> <br>
> <a href="http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/index.html">
http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/index.html</a><br>
> <br>
> Thanks<br>
<br>
</div>
</span></font>
</body>
</html>